# Samba (SMB)

SMB -> Server Message Block.

```shell
# disconnects all mapped network drives / SMB connections on this Windows host
net use * /delete
# maps the remote share to drive Z: (the trailing $ marks a hidden share)
net use z: \\<IP>\dir$ <password> /user:<username>
```

## nmap scans

### To scan UDP ports

```shell
nmap -sU $IP
# for the sake of speed, you can also scan only the top ports, e.g. the top 100:
nmap -sU --top-ports 100 $IP
```

### Session enumeration

```shell
nmap $IP -p445 --script smb-enum-sessions \
  --script-args smbusername=$username,smbpassword=$password
```

### Share enumeration

```shell
nmap $IP -p445 --script smb-enum-shares \
  --script-args smbusername=$username,smbpassword=$password
```

### Enumerate users (to find out how many users exist)

```shell
nmap $IP -p445 --script smb-enum-users \
  --script-args smbusername=$username,smbpassword=$password
```

### Enumerate server statistics (prints how many are logged in, failed attempt count, etc.)

```shell
nmap $IP -p445 --script smb-enum-stats \
  --script-args smbusername=$username,smbpassword=$password
```

### Enumerate domains (find out how many domains there are)

```shell
nmap $IP -p445 --script smb-enum-domains \
  --script-args smbusername=$username,smbpassword=$password
```

### Enumerate groups (shows which groups each user belongs to)

```shell
nmap $IP -p445 --script smb-enum-groups \
  --script-args smbusername=$username,smbpassword=$password
```

### Enumerate services (to see what services are running)

```shell
nmap $IP -p445 --script smb-enum-services \
  --script-args smbusername=$username,smbpassword=$password

# same command with `smb-ls` added, which lists the files on the shares
nmap $IP -p445 --script smb-enum-services,smb-ls \
  --script-args smbusername=$username,smbpassword=$password
# smb-ls  -> linux machine
# smb-dir -> windows machine
```

### SMB protocols or dialects

What is a dialect? The SMB protocol has gone through various versions, and each version is referred to as a "dialect".

```shell
nmap $IP -p445 --script smb-protocols
```

### SMB security level information

```shell
nmap $IP -p445 --script smb-security-mode
```
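Added example (not part of the original cheatsheet): a small Python triage script for the output of the two scripts above, `smb-protocols` and `smb-security-mode`, flagging an SMBv1 dialect still offered and SMB signing not enforced so the findings can be handed to whoever hardens the server. The sample output is constructed to mirror nmap's normal-output format; the finding codes are my own.

```python
import re

# Constructed sample (not a real capture) mirroring what
# `nmap $IP -p445 --script smb-protocols,smb-security-mode` prints.
SAMPLE_OUTPUT = """\
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.1
|     3.0.2
|_    3.1.1
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""


def parse_smb_scripts(output):
    """Return {'dialects': [...], 'security_mode': {...}} from nmap normal output."""
    dialects, security, current = [], {}, None
    for raw in output.splitlines():
        if not raw.lstrip().startswith("|"):
            continue  # not an NSE script line
        line = raw.strip().lstrip("|_ ").strip()
        header = re.match(r"^(smb-[\w-]+):", line)
        if header:
            current = header.group(1)  # which script the following lines belong to
        elif current == "smb-protocols" and line and line != "dialects:":
            dialects.append(line)
        elif current == "smb-security-mode" and ":" in line:
            key, _, value = line.partition(":")
            security[key.strip()] = value.strip()
    return {"dialects": dialects, "security_mode": security}


def assess(parsed):
    """Turn the parsed results into (code, detail) findings a defender acts on."""
    findings, dialects = [], parsed["dialects"]
    if any("SMBv1" in d or d.startswith("NT LM") for d in dialects):
        findings.append(("smbv1-enabled", "legacy SMBv1 dialect offered; disable it on the server"))
    if not any(d.replace(":", ".").startswith("3.") for d in dialects):
        findings.append(("no-smb3", "no SMB3 dialect offered, so SMB encryption is unavailable"))
    signing = parsed["security_mode"].get("message_signing", "unknown")
    if not signing.startswith("required"):
        findings.append(("signing-not-required", f"message_signing is '{signing}'; enforce SMB signing"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(parse_smb_scripts(SAMPLE_OUTPUT)):
        print(f"[{code}] {detail}")
```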
### To find the exact OS & version SMB is using

```shell
nmap --script smb-os-discovery.nse -p445 $IP   # note: the port (-p) can be changed
```

## smbmap

### To list shares and see what permissions we have

```shell
smbmap -u guest -p "" -d . -H $IP
smbmap -u $username -p $password -d . -H $IP
```

### To run commands on the target machine (-x flag)

```shell
smbmap -u $username -p $password -H $IP -x $command
```

### To list shares

```shell
smbmap -u $username -p $password -H $IP -L
```

### To see the contents of a share

```shell
smbmap -u $username -p $password -H $IP -r <dir>   # e.g. C$
```

### To upload to the SMB share

```shell
smbmap -u $username -p $password -H $IP --upload '/local/machine/file' 'C$\remote\machine\file'
# on Windows the destination is written as C$\file\path
```

### To download from the SMB share

```shell
smbmap -u $username -p $password -H $IP --download 'C$\path\file'
```

### Login

```shell
smbmap -H $IP -u $username -p $password
```

## msfconsole

### Module to scan the Samba version

```
msfconsole
use auxiliary/scanner/smb/smb_version
# run 'show options' and fill in the needed fields
```

### To enumerate shares

```
use auxiliary/scanner/smb/smb_enumshares
```

### To bruteforce passwords

```
use auxiliary/scanner/smb/smb_login
# options:
set RHOSTS $IP
set PASS_FILE /path/to/wordlist
set SMBUser $username
# run 'show options' and check that every option marked required 'yes' is filled
```

### To scan pipes

```
use auxiliary/scanner/smb/pipe_auditor
# options:
set RHOSTS $IP
set SMBUser $username
set SMBPass $password
```

## nmblookup (a tool for SMB recon)

### To scan an IP

```shell
nmblookup -A $IP
```

## smbclient

### To list shares by host

```shell
smbclient -L $IP
```

### To try connecting to a Samba share without a password

```shell
smbclient -L $IP -N
```

## rpcclient

### To connect to the SMB share (username and password are NULL here)

```shell
rpcclient -U "" -N $IP
```

### To get the username after login

```
rpcclient $> getusername
```

### To get server info

```
rpcclient $> srvinfo
```

### To get usernames

```
rpcclient $> enumdomusers
```

### To get groups

```
rpcclient $> enumdomgroups
```

### To get the SID of a user

```
rpcclient $> lookupnames <username>
```

## enum4linux

### To scan the OS

```shell
enum4linux -o $IP
```

### To scan shares

```shell
enum4linux -S $IP
```

### To list connected printers

```shell
enum4linux -i $IP
```

### RID cycling using enum4linux

```shell
enum4linux -r -u admin $IP
```

## hydra

### To bruteforce passwords

```shell
hydra -l $username -P /path/to/wordlist $IP smb
```

Done with the SMB cheatsheet.