SMB | Port 139,445
Enumerating SMB quick methods
Discovery & Confirmation
- Nmap scanning for SMB discovery
nmap -Pn -p 139,445 --script=smb-protocols,smb-os-discovery $IP
tip
If a host requires SMB signing, attacks that relay or tamper with SMB/NTLM traffic (ntlmrelayx, most MitM tricks) will fail against it: the server drops sessions whose packets it cannot verify. Capturing hashes with Responder still works, since the victim talks to your box, not to the signed host; what fails is relaying them onward. Check the setting first with nmap's smb2-security-mode script (smb-security-mode for SMBv1): domain controllers require signing by default, while workstations and member servers usually only have it enabled but not required.
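The check behind the tip above, as an added example that is not part of the original page: a small shell helper that classifies a host's SMB signing posture from the output of nmap's smb2-security-mode (SMB2/3) or smb-security-mode (SMB1) script and turns it into a relay verdict. The two nmap outputs embedded below are constructed samples; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether a host is worth
# targeting with NTLM relay by classifying its SMB signing posture from nmap
# script output. Feed it the output of
#   nmap -Pn -p445 --script smb2-security-mode,smb-security-mode <host>
# The two sample outputs below are constructed for this example.

# Constructed sample: a domain-joined member server, signing enabled but not enforced.
SAMPLE_NOT_REQUIRED='PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required'

# Constructed sample: a domain controller, where signing is required by default.
SAMPLE_REQUIRED='PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required'

# smb_signing_state <nmap output>
# Prints one word: required | optional | disabled | unknown
# Matches the wording of both smb2-security-mode (SMB2/3) and smb-security-mode (SMB1).
smb_signing_state() {
    case "$1" in
        *"Message signing enabled and required"*|*"message_signing: required"*)
            echo required ;;
        *"Message signing enabled but not required"*|*"message_signing: supported"*)
            echo optional ;;
        *"Message signing"*"disabled"*|*"message_signing: disabled"*)
            echo disabled ;;
        *)  echo unknown ;;
    esac
}

# relay_verdict <nmap output>
# relay-candidate : signing not enforced, ntlmrelayx-style SMB relay can work
# skip            : signing required, relayed sessions are rejected
# recheck         : the script returned nothing (filtered port, no SMB, ...)
relay_verdict() {
    case "$(smb_signing_state "$1")" in
        optional|disabled) echo relay-candidate ;;
        required)          echo skip ;;
        *)                 echo recheck ;;
    esac
}

# Stand-alone run over both constructed samples.
for sample in "$SAMPLE_NOT_REQUIRED" "$SAMPLE_REQUIRED"; do
    printf 'signing=%s verdict=%s\n' \
        "$(smb_signing_state "$sample")" "$(relay_verdict "$sample")"
done
```

Pipe real nmap output in with something like `nmap -Pn -p445 --script smb2-security-mode <host> | { read -r all; }`-style capture, or just save it to a file and pass `"$(cat file)"`; the point is to sort a host list into relay candidates before starting Responder and ntlmrelayx, rather than finding out per host that the relay is rejected.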
- Using netcat and telnet
nc -vz $IP 445
telnet $IP 445
Share Listing without credentials
- Using smbclient
smbclient -L //<target> -N
- Using enum4linux
enum4linux -a $IP
- Nmap for share and user enumeration
nmap -Pn -p 139,445 --script=smb-enum-shares,smb-enum-users $IP
- Using smbmap
smbmap -H $IP
Enumeration with credentials
- Using smbclient
smbclient -L //<target> -U 'user'                                   # lists shares, prompts for password
smbclient -L //<target> -U 'DOMAIN\user'                            # same, with a domain user (single quotes keep the backslash literal)
smbclient //<target>/SHARE -U 'user%pass' -c 'recurse; ls'          # recursive listing of one share
smbclient //<target>/SHARE -U 'DOMAIN\user%pass' -c 'recurse; ls'   # same, with a domain user
- Using impacket-smbclient
impacket-smbclient 'DOMAIN/user:pass@<target>'                      # interactive shell; then: shares, use SHARE, ls, get <file>
impacket-smbclient -hashes :<NTLM_hash> 'DOMAIN/user@<target>'      # pass-the-hash; the LM half before the colon may be left empty
- Using crackmapexec
#using user & pass
crackmapexec smb <target_or_cidr> -u user -p pass --shares
#using hash
crackmapexec smb <target> -u user -H <LM:NTLM_or_NTLM_hash> --shares
- Using smbmap
smbmap -H <target> -u user -p pass              # default action: lists shares with READ/WRITE permissions
smbmap -H <target> -u user -p pass -d DOMAIN    # domain user
smbmap -H <target> -u user -p pass -r           # also recurse into every readable share (-r 'SHARE\path' for one directory)
- RPC enumeration
rpcclient -U 'user%pass' <target>
# then at rpcclient prompt:
# srvinfo
# netshareenum
# enumdomusers
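Once the credentialed sweep above has run (the crackmapexec `--shares` form is the convenient one for a whole CIDR), the next job is triage: where can this account write, where is it local admin, and which non-default shares are readable. The helper below is an added example, not part of the original page or of the crackmapexec project. The CME_SWEEP text is a constructed sample in the column layout crackmapexec prints (SMB, IP, port, hostname, share, permissions, remark); the hosts, account, password and share names are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): triage a crackmapexec share sweep.
# Capture a real run with
#   crackmapexec smb <cidr> -u user -p pass --shares | tee cme-shares.txt
# and pass the text to the functions below. CME_SWEEP is a constructed sample.
CME_SWEEP='SMB         10.10.10.10     445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [+] corp.local\svc_backup:Passw0rd!
SMB         10.10.10.10     445    DC01             [+] Enumerated shares
SMB         10.10.10.10     445    DC01             Share           Permissions     Remark
SMB         10.10.10.10     445    DC01             -----           -----------     ------
SMB         10.10.10.10     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.10     445    DC01             C$                              Default share
SMB         10.10.10.10     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.10     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.10     445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.10.20     445    FS01             [*] Windows Server 2016 Standard 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.20     445    FS01             [+] corp.local\svc_backup:Passw0rd! (Pwn3d!)
SMB         10.10.10.20     445    FS01             [+] Enumerated shares
SMB         10.10.10.20     445    FS01             Share           Permissions     Remark
SMB         10.10.10.20     445    FS01             -----           -----------     ------
SMB         10.10.10.20     445    FS01             ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.20     445    FS01             C$              READ,WRITE      Default share
SMB         10.10.10.20     445    FS01             IPC$            READ            Remote IPC
SMB         10.10.10.20     445    FS01             Backups         READ,WRITE
SMB         10.10.10.20     445    FS01             Public          READ            Drop folder'

# share_rows <sweep text> -> "IP SHARE PERMS" for every share the account can touch.
# A share row is a line whose sixth field is a CME permission string (READ, WRITE
# or READ,WRITE); banner, header and separator lines, and shares with no access,
# never match because their sixth field is a remark word or nothing.
share_rows() {
    printf '%s\n' "$1" | awk '$1 == "SMB" && $6 ~ /^(READ|WRITE|READ,WRITE)$/ { print $2, $5, $6 }'
}

# writable_shares <sweep text> -> shares we can write to: where payloads,
# SCF/LNK files or backdoored binaries could be planted.
writable_shares() {
    share_rows "$1" | awk '$3 ~ /WRITE/'
}

# readable_shares <sweep text> -> readable shares that are not admin/IPC shares
# (names ending in $). SYSVOL and NETLOGON are kept on purpose: grep them for creds.
readable_shares() {
    share_rows "$1" | awk '$3 ~ /READ/ && $2 !~ /\$$/'
}

# admin_hosts <sweep text> -> hosts where the account is local admin, inferred
# from write access to ADMIN$ (crackmapexec also tags the auth line with "(Pwn3d!)").
admin_hosts() {
    share_rows "$1" | awk '$2 == "ADMIN$" && $3 ~ /WRITE/ { print $1 }'
}

# Stand-alone run over the constructed sample.
echo "== writable shares =="; writable_shares "$CME_SWEEP"
echo "== readable non-default shares =="; readable_shares "$CME_SWEEP"
echo "== local admin on =="; admin_hosts "$CME_SWEEP"
```

The filter on the sixth field is what keeps this robust: crackmapexec leaves the Permissions column empty for shares the account cannot open, so the remark slides into that position and a naive `grep READ` would also match remarks and header lines.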
Tricks
Download all the files at once
smbclient //<target>/SHARE -U 'DOMAIN\user%pass' -c 'recurse; prompt off; mget *.<file_ext>'   # prompt off: no y/n question per file; add 'lcd <dir>;' first to pick the local destination
References
- Hacking Articles: a good resource for more details on this service.