Samba (SMB)

• smb -> server message block

• net use * /delete -> deletes all the folders and files in SMB

• net use z: \\<IP>\dir$ <password> <username> -> will create a samba share

nmap scans

• To scan udp ports

nmap -sU $IP 
# for the sake of speed, you can also scan top ports
# e.g. (scanning top 100)
# -> nmap -sU --top-ports 100 $IP

• session enumeration

nmap $IP -p445 --script smb-enum-sessions \
--script-args smbusername=$username,smbpassword=$password

• share enumerations

nmap $IP -p445 --script smb-enum-shares \
--script-args smbusername=$username,smbpassword=$password

• enumerate users -> to find how many users exists

nmap $IP -p445 --script smb-enum-users \
--script-args smbusername=$username,smbpassword=$password

• enumerate server staticstics -> prints out how many logged in, failed attempt count, etc.

nmap $IP -p445 --script smb-enum-stats \
--script-args smbusername=$username,smbpassword=$password

• enumerate domain (scan) -> find out how many domains are there

nmap $IP -p445 --script smb-enum-domains \
--script-args smbusername=$username,smbpassword=$password

• enumerate groups -> shows all users belongs to what groups

nmap $IP -p445 --script smb-enum-groups \
--script-args smbusername=$username,smbpassword=$password

• enumerate services -> to see what services are running

nmap $IP -p445 --script smb-enum-services \
--script-args smbusername=$username,smbpassword=$password

nmap $IP -p445 --script smb-enum-services,smb-ls \
--script-args smbusername=$username,smbpassword=$password

# above command just with `smb-ls` which will list all the files
# smb-ls -> linux machine
# smb-dir -> windows machine

• smb protocols or Dialects

• What is dialect?

  • The SMB protocol has gone through various versions, and each version is referred to as a "dialect."

nmap $IP -p445 --script smb-protocols

• smb security level information

nmap $IP -p445 --script smb-security-mode

• To find exact os & version smb is using

nmap --script smb-os-discovery.nse -p445 $IP #note the port (-p) can be changed

smb map

• to list , see what permission we have

smbmap -u guest -p "" -d . -H $IP

smbmap -u $username -p $password -d . -H $IP

• To run commands on the target machine (-x flag)

smbmap -u $username -p $password -H $IP -x $command

• To list shares

smbmap -u $username -p $password -H $IP -L

• to see contents of the shares

smbmap -u $username -p $password -H $IP -r <dir> #e.g. C$ 

• to upload to the smb share

smbmap -u $username -p $password --upload '/local/machine/file' '$C/remote/machine'
# if windows : C$\file\path

• to download the smb share

smbpmap -u $username -p $password --download '$C\path\file'

• Login

smbmap -H $IP -u $username -p $password 

msfconsole

• msfconsole module to scan samba version

msfconsole
use auxiliary/scanner/smb/smb_version 

#run : 'show options' & fill up needed fields.

• to enum shares

use auxiliary/scanner/smb/smb_enumshares

• To bruteforce password

use auxiliary/scanner/smb/smb_login 
#options : 
set RHOSTS $IP
set pass_file /path/to/wordlists
set smbuser $username

#execute show options and see if all options with required 'yes' are filled.

• to scan pipes

use auxiliary/scanner/smb/pipe_auditor

#options
set RHOSTS $IP
set smbuser $username
set smbpass $password

nmblookup - a tool for recon smb

• To scan an IP

nmblookup -A $IP

smbclient

• To list by host

smbclient -L $IP

• To try connecting samba share without password

smbclient -L $IP -N

rpcclient

• To connect to the smb share (username and password is NULL here)

rpcclient -U "" -N $IP

• To get username after login

rpcclient$> getusername

• to get server info

rpcclient$> srvinfo

• to get usernames

rpcclient$> enumdomusers

• to get groups

rpcclient$> enumdomgroups

• to get SID of a user

rpcclient$> lookupnames <username>

enum4linux

• to scan os

enum4linux -o $IP

• to scan shares

enum4linux -S $IP

• to list connected printers

enum4linux -i $IP

• RID cycling using enum4Linux

enum4linux -r -u admin $IP

hydra

• to bruteforce password

hydra -l $username -P /path/to/wordlist $IP smb

________________done with smb cheatsheet.