Samba (SMB)
smb -> server message block
net use * /delete -> disconnects all mapped network drives / SMB connections on the Windows client (it does not delete any files)
net use z: \\<IP>\dir$ <password> /user:<username> -> maps the remote share to drive Z: (note the order: password first, then /user:)
nmap scans
To scan udp ports
nmap -sU $IP
# for the sake of speed, you can also scan top ports
# e.g. (scanning top 100)
# -> nmap -sU --top-ports 100 $IP
session enumeration
nmap $IP -p445 --script smb-enum-sessions \
--script-args smbusername=$username,smbpassword=$password
share enumeration
nmap $IP -p445 --script smb-enum-shares \
--script-args smbusername=$username,smbpassword=$password
enumerate users -> lists the user accounts that exist on the server
nmap $IP -p445 --script smb-enum-users \
--script-args smbusername=$username,smbpassword=$password
enumerate server statistics -> prints how many sessions are logged in, failed logon count, etc.
nmap $IP -p445 --script smb-server-stats \
--script-args smbusername=$username,smbpassword=$password
enumerate domains -> lists the domains the server knows about
nmap $IP -p445 --script smb-enum-domains \
--script-args smbusername=$username,smbpassword=$password
enumerate groups -> shows which users belong to which groups
nmap $IP -p445 --script smb-enum-groups \
--script-args smbusername=$username,smbpassword=$password
enumerate services -> to see what services are running
nmap $IP -p445 --script smb-enum-services \
--script-args smbusername=$username,smbpassword=$password
nmap $IP -p445 --script smb-enum-services,smb-ls \
--script-args smbusername=$username,smbpassword=$password
# same command with `smb-ls` added, which lists the files on each share the account can read
smb protocols or Dialects
What is a dialect?
The SMB protocol has gone through various versions, and each version is referred to as a "dialect."
nmap $IP -p445 --script smb-protocols
smb security level information
nmap $IP -p445 --script smb-security-mode
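As an added example (not part of the original cheatsheet), the Python script below reads the normal-format output of the `smb-enum-shares`, `smb-protocols` and `smb-security-mode` scripts listed above and flags hosts that still offer SMBv1, run with message signing disabled, or expose a share to anonymous access. The nmap output it parses is a constructed sample embedded in the script; the host addresses and share names in it are placeholders.

```python
import re

# Constructed sample of nmap normal output (hosts and shares are placeholders), as written by
# nmap -p445 --script smb-protocols,smb-security-mode,smb-enum-shares <targets> -oN out.txt
SAMPLE_NMAP_OUTPUT = r"""
Nmap scan report for 10.0.0.5

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.1
|     3.0
|_    3.1.1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   account_used: guest
|   \\10.0.0.5\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.0.0.5\public:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

Nmap scan report for 10.0.0.6

Host script results:
| smb-protocols:
|   dialects:
|     2.1
|     3.0
|_    3.1.1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
"""


def parse_nmap_smb(text):
    """Map each host to {script_name: [stripped content lines]} from normal-format nmap output."""
    hosts = {}
    host = script = None
    for raw in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", raw)
        if m:
            host = m.group(1)
            hosts[host] = {}
            script = None
            continue
        if host is None or not raw.startswith("|"):
            script = None  # any line that is not part of a script block ends the current one
            continue
        body = raw[2:]  # drop the "| " / "|_" prefix but keep nmap's own indentation
        if not body.startswith(" ") and ":" in body:
            # an unindented "name: ..." line starts a new script block
            name, _, rest = body.partition(":")
            script = name.strip()
            hosts[host][script] = [rest.strip()] if rest.strip() else []
        elif script is not None:
            hosts[host][script].append(body.strip())
    return hosts


def assess(hosts):
    """Return (host, issue, detail) tuples for the weak SMB settings found in the parsed output."""
    findings = []
    for host, scripts in hosts.items():
        for line in scripts.get("smb-protocols", []):
            if "SMBv1" in line:
                findings.append((host, "smbv1-enabled", line))
        for line in scripts.get("smb-security-mode", []):
            if line.startswith("message_signing:") and "disabled" in line:
                findings.append((host, "signing-disabled", line))
        share = None
        for line in scripts.get("smb-enum-shares", []):
            if line.startswith("\\\\") and line.endswith(":"):
                share = line[:-1]  # share header, e.g. \\host\name
            elif share and line.startswith("Anonymous access:"):
                access = line.partition(":")[2].strip()
                if access != "<none>":
                    findings.append((host, "anonymous-share-access", f"{share} {access}"))
    return findings


def audit(text):
    """Parse nmap output and return the list of findings."""
    return assess(parse_nmap_smb(text))


if __name__ == "__main__":
    for host, issue, detail in audit(SAMPLE_NMAP_OUTPUT):
        print(f"{host}\t{issue}\t{detail}")
```

Run it against a real `-oN` file by replacing `SAMPLE_NMAP_OUTPUT` with the file's contents; the output for the sample is three findings, all for the first host, while the second host (SMBv1 off, signing required) produces none. Note that the script only understands the SMB1 `smb-security-mode` output; `smb2-security-mode` reports signing with different wording.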
To find the exact OS and version the SMB server is running
nmap --script smb-os-discovery.nse -p445 $IP #note the port (-p) can be changed
smbmap
to list the shares and see what permissions we have on them
smbmap -u guest -p "" -d . -H $IP
smbmap -u $username -p $password -d . -H $IP
To run commands on the target machine (-x flag)
smbmap -u $username -p $password -H $IP -x $command
To list shares
smbmap -u $username -p $password -H $IP -L
to see contents of the shares
smbmap -u $username -p $password -H $IP -r <dir> #e.g. C$
to upload a file to the smb share (destination is 'share\path')
smbmap -u $username -p $password -H $IP --upload '/local/machine/file' 'C$\remote\path\file'
# on Windows the share is usually an admin share such as C$, so the path looks like C$\file\path
to download a file from the smb share
smbmap -u $username -p $password -H $IP --download 'C$\path\file'
Login
smbmap -H $IP -u $username -p $password
msfconsole
msfconsole module to scan the samba version
msfconsole
use auxiliary/scanner/smb/smb_version
# run 'show options' and fill in the required fields.
to enum shares
use auxiliary/scanner/smb/smb_enumshares
To brute-force passwords
use auxiliary/scanner/smb/smb_login
#options :
set RHOSTS $IP
set pass_file /path/to/wordlist
set smbuser $username
# run 'show options' and check that every option marked required 'yes' is set.
to scan named pipes
use auxiliary/scanner/smb/pipe_auditor
#options
set RHOSTS $IP
set smbuser $username
set smbpass $password
nmblookup - a NetBIOS name lookup tool, useful for smb recon
To query the NetBIOS name table of an IP (node status lookup)
nmblookup -A $IP
smbclient
To list the shares on a host
smbclient -L $IP
To try listing the shares without a password (null session)
smbclient -L $IP -N
rpcclient
To connect to the smb server with a null session (empty username, no password)
rpcclient -U "" -N $IP
To get username after login
rpcclient$> getusername
to get server info
rpcclient$> srvinfo
to get usernames
rpcclient$> enumdomusers
to get groups
rpcclient$> enumdomgroups
to get the SID of a user
rpcclient$> lookupnames <username>
enum4linux
to get OS information
enum4linux -o $IP
to scan shares
enum4linux -S $IP
to list connected printers
enum4linux -i $IP
RID cycling using enum4linux
enum4linux -r -u admin $IP
hydra
to brute-force passwords
hydra -l $username -P /path/to/wordlist $IP smb
________________done with smb cheatsheet.