
SMB - 139/445

SMB (Server Message Block) is a network protocol for sharing files, printers, and more between computers. In Windows, it's built-in and used by default for file sharing. Linux uses implementations like Samba to support SMB.

SMB uses port 445 by default; older versions ran over NetBIOS on ports 137-139.


Basic Enumeration

Enumerate using Nmap

```bash
# Scan using Nmap
nmap 10.10.10.10 -sVC -p139,445

# Aggressive
nmap 10.10.10.10 -A -p139,445

# SMB Scripts
ls /usr/share/nmap/scripts/ | grep smb
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
//..SNIP..//
smb-vuln-webexec.nse
smb-webexec-exploit.nse
```
Smbclient

```bash
# If we have credentials or anonymous login is allowed
smbclient -N -L //10.10.10.10 # This also lists available shares

# Get access to the share
smbclient //10.10.10.10/sharename -U username%password
```

NetExec

If we have login credentials for SMB from any source, whether obtained through brute forcing, provided in a pentest, or found during enumeration, we can use them with netexec to enumerate SMB shares:

```bash
# Enumerate Targets using CIDR Range
# It can find if the "found" targets are domain joined or not as well as versions.
nxc smb 192.168.1.0/24

# List Shares
nxc smb 10.10.10.10 -u "rezydev" -p "Coolpass123@!" --shares # Credentialed
nxc smb 10.10.10.10 -u 'guest' -p '' --shares # (Need NULL/Anonymous Sessions)
# We used -u 'guest' to avoid the 'STATUS_USER_SESSION_DELETED' error.

# Spider Juicy Contents using a pattern.
# We can use '--regex' as well for better searching.
# We can use '--content --regex Password' to find files with content: Password
nxc smb 10.10.10.10 -u "rezydev" -p "Coolpass123@!" --spider 'Computer Faculty' --pattern txt

# Spider Shares with 'spider_plus' module and save output to
# '/tmp/cme_spider_plus/10.10.10.10.json'
nxc smb 10.10.10.10 -u "rezydev" -p "Coolpass123@!" -M spider_plus -o EXCLUDE_FILTER=IPC$,print$,NETLOGON,SYSVOL

# Note: We can use '--get-file' to download interesting files easily.
```
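Run across a whole range, the `--shares` output above gets long and the useful facts (which hosts do not require signing, which still speak SMBv1, which shares a guest session can touch) are buried in the banner and table lines. The following Python script is an added example, not code from this page or from the NetExec project: it parses a constructed sample of `nxc smb ... -u 'guest' -p '' --shares` output into per-host records and turns them into hardening findings. The host names, IPs, share names and remarks in the sample are made up; the column layout mimics what nxc prints, but column widths on a real run may differ, so the parser keys on runs of two or more spaces rather than fixed offsets.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `nxc smb <targets> -u 'guest' -p '' --shares` output.
# Hosts, IPs and shares are invented; the layout imitates nxc's columns.
NXC_OUTPUT = r"""
SMB         10.10.10.10     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [+] corp.local\guest:
SMB         10.10.10.10     445    DC01             [*] Enumerated shares
SMB         10.10.10.10     445    DC01             Share           Permissions     Remark
SMB         10.10.10.10     445    DC01             -----           -----------     ------
SMB         10.10.10.10     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.10     445    DC01             C$                              Default share
SMB         10.10.10.10     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.10     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.10     445    DC01             Faculty         READ,WRITE      Shared drive
SMB         10.10.10.11     445    FS01             [*] Windows Server 2012 R2 Standard 9600 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.11     445    FS01             [+] corp.local\guest:
SMB         10.10.10.11     445    FS01             [*] Enumerated shares
SMB         10.10.10.11     445    FS01             Share           Permissions     Remark
SMB         10.10.10.11     445    FS01             -----           -----------     ------
SMB         10.10.10.11     445    FS01             Public          READ,WRITE
SMB         10.10.10.11     445    FS01             HR              READ            HR documents
"""

# One nxc line: protocol, ip, port, hostname, then whatever the tool printed.
LINE_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
# The host banner carries the signing and SMBv1 flags.
BANNER_RE = re.compile(r"\(signing:(?P<signing>True|False)\).*\(SMBv1:(?P<smbv1>True|False)\)")
HEADER_RE = re.compile(r"^(Share\s+Permissions\s+Remark|-----)")
PERMS = {"READ", "WRITE", "READ,WRITE"}
# Shares a guest/anonymous session normally reads on a domain controller; not flagged.
EXPECTED_READ = {"IPC$", "NETLOGON", "SYSVOL"}


@dataclass
class Share:
    name: str
    permissions: str   # "" when the account has no access
    remark: str


@dataclass
class Host:
    ip: str
    signing: Optional[bool] = None
    smbv1: Optional[bool] = None
    shares: list = field(default_factory=list)


def parse_share_row(rest: str) -> Share:
    """Split a share row into columns. nxc pads columns with at least two
    spaces, so a run of 2+ spaces separates them; an empty Permissions
    cell simply drops out of the token list, so detect it by value."""
    cols = re.split(r"\s{2,}", rest.strip())
    perms, remark = "", ""
    for col in cols[1:]:
        if col in PERMS and not perms:
            perms = col
        else:
            remark = col
    return Share(cols[0], perms, remark)


def parse_nxc_output(text: str) -> dict:
    """Return {hostname: Host} built from the banner and share-table lines."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"].rstrip()
        host = hosts.setdefault(m["host"], Host(m["ip"]))
        if rest.startswith("[*]"):
            b = BANNER_RE.search(rest)
            if b:
                host.signing = b["signing"] == "True"
                host.smbv1 = b["smbv1"] == "True"
        elif rest.startswith(("[+]", "[-]")) or HEADER_RE.match(rest):
            continue   # logon result or table header/rule
        elif rest:
            host.shares.append(parse_share_row(rest))
    return hosts


def audit(hosts: dict) -> list:
    """Turn the parsed enumeration into hardening findings for the guest session."""
    findings = []
    for name, h in hosts.items():
        tag = f"{name} ({h.ip})"
        if h.signing is False:
            findings.append(f"{tag}: SMB signing not required")
        if h.smbv1:
            findings.append(f"{tag}: SMBv1 enabled")
        for s in h.shares:
            if "WRITE" in s.permissions:
                findings.append(f"{tag}: share '{s.name}' writable by guest")
            elif s.permissions == "READ" and s.name not in EXPECTED_READ:
                findings.append(f"{tag}: share '{s.name}' readable by guest")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nxc_output(NXC_OUTPUT)):
        print(finding)
```

Feeding it a saved run (`nxc smb 192.168.1.0/24 -u 'guest' -p '' --shares | tee shares.txt`) gives a short list to hand to the owners of each host; the `EXPECTED_READ` set is where you record shares that are supposed to be readable by everyone so they stop appearing as findings.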

RPCclient

RPC (Remote Procedure Call) lets a program run code on another computer as if it were local. It's used for communication between systems in a network. rpcclient is a Linux command-line tool (part of Samba) to interact with Windows RPC services.

```bash
rpcclient -U "" 10.10.10.10

rpcclient $> srvinfo # Server information.
rpcclient $> enumdomains # Enumerate all domains that are deployed in the network.
rpcclient $> querydominfo # Provides domain, server, and user information of deployed domains.
rpcclient $> netshareenumall # Enumerates all available shares.
rpcclient $> netsharegetinfo <share> # Provides information about a specific share.
rpcclient $> enumdomusers # Enumerates all domain users.
rpcclient $> queryuser <RID> # Provides information about a specific user.
rpcclient $> querygroup <RID> # Provides information about a specific group.
```

We can use NetExec to brute-force RIDs to enumerate usernames.

samrdump.py also does the same thing.

Honorable Mentions