diff --git a/recon/smb_enumeration_tips.md b/recon/smb_enumeration_tips.md new file mode 100644 index 0000000..7a5b172 --- /dev/null +++ b/recon/smb_enumeration_tips.md @@ -0,0 +1,116 @@ +## SMB NETBIOS Enumeration Tips + +### Tool Tips + +#### Enum4Linux +``` +enum4linux x.x.x.x +``` + +#### Nmap +``` +nmap -v -p 139,445 -oG smb.txt 192.168.88.0-254 +``` + +#### nbtscan +``` +nbtscan -r 192.168.11.0/24 +``` + +#### nmblookup +``` +nmblookup -A target +``` +#### smbclient +``` +smbclient //192.168.31.147/karen -I 192.168.88.251 +``` +#### rpcclient +``` +rpcclient -U "" 192.168.88.251 // connect as blank user /nobody +``` +#### smbmap +``` +smbmap -u "" -p "" -d MYGROUP -H 192.168.88.251 +``` + +## Metasploit + +### SMB version +``` +msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version +msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.88.251 +RHOSTS => 192.168.31.142 +msf auxiliary(scanner/smb/smb_version) > run +[*] 192.168.31.142:139 - Host could not be identified: Unix (Samba 2.2.1a) +``` +### SMB brute force +``` +use auxiliary/scanner/smb/smb_login +``` + +### Existing users +``` +msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid +msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142 +RHOSTS => 192.168.31.142 +msf auxiliary(scanner/smb/smb_lookupsid) > run +[*] 192.168.31.142:139 - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - ) +[*] 192.168.31.142:139 - TYPE=0 NAME=Administrator rid=500 + +``` +### upload a file +smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py" + + +## NMAP SMB scripts == +nmap --script smb-* --script-args=unsafe=1 192.168.10.55 + +``` +┌─[omar@websploit]─[~] +└──╼ $ ls -lh /usr/share/nmap/scripts/smb* +smb-brute.nse +smb-enum-domains.nse +smb-enum-groups.nse +smb-enum-processes.nse +smb-enum-sessions.nse +smb-enum-shares.nse +smb-enum-users.nse +smb-flood.nse +smb-ls.nse +smb-mbenum.nse +smb-os-discovery.nse +smb-print-text.nse +smb-psexec.nse +smb-security-mode.nse +smb-server-stats.nse +smb-system-info.nse +smb-vuln-conficker.nse +smb-vuln-cve2009-3103.nse +smb-vuln-ms06-025.nse +smb-vuln-ms07-029.nse +smb-vuln-ms08-067.nse +smb-vuln-ms10-054.nse +smb-vuln-ms10-061.nse +smb-vuln-regsvc-dos.nse +smbv2-enabled.nse +``` + +### mount SMB shares in Linux +``` +smbclient -L \\WIN7\ -I 192.168.13.218 +smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218 +smbclient -L \\WIN7\C$ -I 192.168.13.218 +smbclient -L \\WIN7\IPC$ -I 192.168.13.218 +smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB +``` + +### mount SMB share to a afolder +``` +mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP +``` + +### mount SMB shares in Windows (via cmd) +``` +net use X: \\\ /USER:\ /PERSISTENT:YES +```