Samba (SMB)

  • SMB -> Server Message Block

  • net use * /delete -> disconnects all mapped network drives / SMB connections on the Windows client (it does not delete the files on the share)

  • net use z: \\<IP>\dir$ <password> /user:<username> -> maps the remote share to drive Z: (the username is passed with /user:, not as a bare argument)

nmap scans

  • To scan udp ports

nmap -sU $IP
# for the sake of speed, you can also scan only the top ports
# e.g. (scanning the top 100)
# -> nmap -sU --top-ports 100 $IP
  • session enumeration

nmap $IP -p445 --script smb-enum-sessions \
--script-args smbusername=$username,smbpassword=$password
  • share enumerations

nmap $IP -p445 --script smb-enum-shares \
--script-args smbusername=$username,smbpassword=$password
  • enumerate users -> to find out which users exist

nmap $IP -p445 --script smb-enum-users \
--script-args smbusername=$username,smbpassword=$password
  • enumerate server statistics -> prints how many sessions are logged in, the failed login attempt count, etc.

nmap $IP -p445 --script smb-enum-stats \
--script-args smbusername=$username,smbpassword=$password
  • enumerate domains -> find out which domains exist

nmap $IP -p445 --script smb-enum-domains \
--script-args smbusername=$username,smbpassword=$password
  • enumerate groups -> shows which groups each user belongs to

nmap $IP -p445 --script smb-enum-groups \
--script-args smbusername=$username,smbpassword=$password
  • enumerate services -> to see what services are running

nmap $IP -p445 --script smb-enum-services \
--script-args smbusername=$username,smbpassword=$password
nmap $IP -p445 --script smb-enum-services,smb-ls \
--script-args smbusername=$username,smbpassword=$password

# the same command as above with `smb-ls` added, which lists the files on the shares
# smb-ls -> linux machine
# smb-dir -> windows machine
  • SMB protocols or dialects

  • What is a dialect?

    • The SMB protocol has gone through various versions, and each version is referred to as a "dialect."

nmap $IP -p445 --script smb-protocols
  • SMB security mode information (message signing, authentication level, account used)

nmap $IP -p445 --script smb-security-mode
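The two scripts above tell you whether a host still speaks SMBv1 and whether message signing is enforced, which is what a defender actually acts on. The following is an added example, not part of the original cheat sheet: it parses the `|`-prefixed NSE output (the sample below is constructed, not captured from a real host) and returns the hardening findings.

```python
import re

# Constructed sample of nmap's smb-protocols / smb-security-mode output
# (assumption: this mirrors the scripts' normal print format).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|_    3.1.1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

def parse_nse(output):
    """Return {script_name: [lines]} from nmap's '|' prefixed script output."""
    sections, current = {}, None
    for raw in output.splitlines():
        header = re.match(r"^\|_? ([\w-]+):\s*$", raw)   # "| smb-protocols:"
        if header:
            current = header.group(1)
            sections[current] = []
        elif raw.startswith("|") and current:
            text = raw.lstrip("|_ ").strip()               # drop "|", "|_" and indent
            if text:
                sections[current].append(text)
    return sections

def assess(output):
    """Return the findings a defender should fix on this host."""
    s = parse_nse(output)
    findings = []
    dialects = [d for d in s.get("smb-protocols", []) if d != "dialects:"]
    if any("SMBv1" in d for d in dialects):
        findings.append("SMBv1 dialect enabled: disable it (legacy dialect with no integrity protection)")
    if not any(d.startswith("3.") for d in dialects):
        findings.append("no SMB 3.x dialect offered: SMB encryption is unavailable")
    for kv in s.get("smb-security-mode", []):
        key, _, val = (p.strip() for p in kv.partition(":"))
        if key == "message_signing" and not val.startswith("required"):
            findings.append(f"message signing {val}: set it to required to stop relay and tampering")
        if key == "account_used" and val == "guest":
            findings.append("guest/null session accepted: shares and users can be enumerated without credentials")
    return findings

if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP_OUTPUT):
        print("-", f)
```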
  • To find the exact OS & version the SMB server is running

nmap --script smb-os-discovery.nse -p445 $IP #note the port (-p) can be changed

smbmap

  • to list shares and see what permissions we have

smbmap -u guest -p "" -d . -H $IP
smbmap -u $username -p $password -d . -H $IP
  • To run commands on the target machine (-x flag)

smbmap -u $username -p $password -H $IP -x $command
  • To list shares

smbmap -u $username -p $password -H $IP -L
  • to see contents of the shares

smbmap -u $username -p $password -H $IP -r <dir> #e.g. C$ 
  • to upload a file to the smb share

smbmap -u $username -p $password -H $IP --upload '/local/machine/file' 'C$\remote\machine\file'
# windows-style path on the remote side: C$\file\path
  • to download a file from the smb share

smbmap -u $username -p $password -H $IP --download 'C$\path\file'
  • Login

smbmap -H $IP -u $username -p $password 

msfconsole

  • msfconsole module to scan samba version

msfconsole
use auxiliary/scanner/smb/smb_version 

#run 'show options' and fill in the required fields.
  • to enum shares

use auxiliary/scanner/smb/smb_enumshares
  • To bruteforce password

use auxiliary/scanner/smb/smb_login
#options :
set RHOSTS $IP
set PASS_FILE /path/to/wordlist
set SMBUser $username

#execute 'show options' and check that every option marked required 'yes' is filled in.
  • to scan pipes

use auxiliary/scanner/smb/pipe_auditor

#options
set RHOSTS $IP
set SMBUser $username
set SMBPass $password

nmblookup - a tool for NetBIOS/SMB recon

  • To scan an IP

nmblookup -A $IP

smbclient

  • To list by host

smbclient -L $IP
  • To try listing the samba shares without a password (null session)

smbclient -L $IP -N

rpcclient

  • To connect to the smb server (username and password are NULL here)

rpcclient -U "" -N $IP
  • To get username after login

rpcclient$> getusername
  • to get server info

rpcclient$> srvinfo
  • to get usernames

rpcclient$> enumdomusers
  • to get groups

rpcclient$> enumdomgroups
  • to get SID of a user

rpcclient$> lookupnames <username>

enum4linux

  • to scan os

enum4linux -o $IP
  • to scan shares

enum4linux -S $IP
  • to list printer information

enum4linux -i $IP
  • RID cycling using enum4linux (-u gives the account used for the lookups)

enum4linux -r -u admin $IP

hydra

  • to bruteforce password

hydra -l $username -P /path/to/wordlist $IP smb

________________done with smb cheatsheet.
