SaMBa (139/445)

Nmap Script

# Enumeration Users
nmap --script=smb-enum-users 10.10.10.10 

# Check for Vuln with nse script
nmap -p445 --script "vuln and safe" 10.10.10.10 

# Checking for Vulnerable
nmap -script=smb-vuln\* -p445 10.10.10.10 

#Nmap script to list the supported protocols and dialects of an SMB server.

nmap -p445 --script smb-protocols 10.10.10.10 

#Running security mode script to return the information about the SMB security level.

nmap -p445 --script smb-security-mode 10.10.10.10 

#Enumerate all available share
nmap -p445 --script smb-enum-shares 10.10.10.10 

#Enumerating all the shared folders and drives then running the ls command
nmap -p445 --script smb-enum-shares,smb-ls --script-args
smbusername=administrator,smbpassword=smbserver_771 10.10.10.10

SmbMap

# List share folder and permission on share drive
smbmap -H -R 10.10.10.10 

# Connect smb with username empty string
smbmap -H 10.10.10.10  -u "test -p "user

#Execute the command through SMB
smbmap -H 10.10.10.10 -u administrator -p smbserver_771 -x 'ipconfig'

Crackmap

crackmapexec smb --shares 10.10.10.10 -u '' -p ''

SmbClient

# List the share folder with no authentication
smbclient -L \\10.10.10.10 -N

# List all folders are avaialble
smbclient -L 10.10.10.10

# Connect to share folder
smbclient //10.10.10.10/users

smbclient -N //10.10.10.10/tmp

#Connect with credentials
smbclient -U admin //10.10.10.10/general

#Connect without credentials
smbclient -U '' -L //10.10.10.10

└─$ smbclient -L $ip -U 'user%password123'


*** Custom Ports
=======================================================
└─$ smbclient -L 10.10.10.10 -p36445
Enter WORKGROUP\pwned's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        Commander       Disk      Commander Files
        IPC$            IPC       IPC Service (Samba 4.12.6)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.10 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Enum4linux

# Do all simple enumeration
enum4linux 10.10.10.10

# Get a list of user
└─$ enum4linux -U 10.10.10.10

Download File

recurse on
prompt off
mget *

Map Drive

#Open “Map Network Drive”
Go to This PC → Network → Right Click on Network → Map Network Drive

#Via cmd
net use Z: \\10.10.10.10\C$ password123 /user:administrator

[Map Drive]
==================================================================
- Go to This PC -> Network -> Right Click on Network -> Map Network Drive
- net use Y: \\$ip\C$ -> Y:
- net use Y: \\$ip\C$ /user:administrator Password
- showmount -e $ip
- mount -t cifs -o "username=user,password=password" //$ip/share /mnt/share
- mount -f cifs //$ip/share /mnt/shar

PreviousFinger (79)NextRPC/NFS (111/135)

Last updated 1 year ago

Nmap Script

# Enumeration Users
nmap --script=smb-enum-users 10.10.10.10 

# Check for Vuln with nse script
nmap -p445 --script "vuln and safe" 10.10.10.10 

# Checking for Vulnerable
nmap -script=smb-vuln\* -p445 10.10.10.10 

#Nmap script to list the supported protocols and dialects of an SMB server.

nmap -p445 --script smb-protocols 10.10.10.10 

#Running security mode script to return the information about the SMB security level.

nmap -p445 --script smb-security-mode 10.10.10.10 

#Enumerate all available share
nmap -p445 --script smb-enum-shares 10.10.10.10 

#Enumerating all the shared folders and drives then running the ls command
nmap -p445 --script smb-enum-shares,smb-ls --script-args
smbusername=administrator,smbpassword=smbserver_771 10.10.10.10

# List share folder and permission on share drive smbmap -H -R 10.10.10.10 # Connect smb with username empty string smbmap -H 10.10.10.10 -u "test -p "user #Execute the command through SMB smbmap -H 10.10.10.10 -u administrator -p smbserver_771 -x 'ipconfig'

SmbClient

# List the share folder with no authentication
smbclient -L \\10.10.10.10 -N

# List all folders are avaialble
smbclient -L 10.10.10.10

# Connect to share folder
smbclient //10.10.10.10/users

smbclient -N //10.10.10.10/tmp

#Connect with credentials
smbclient -U admin //10.10.10.10/general

#Connect without credentials
smbclient -U '' -L //10.10.10.10

└─$ smbclient -L $ip -U 'user%password123'


*** Custom Ports
=======================================================
└─$ smbclient -L 10.10.10.10 -p36445
Enter WORKGROUP\pwned's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        Commander       Disk      Commander Files
        IPC$            IPC       IPC Service (Samba 4.12.6)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.10 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Map Drive

#Open “Map Network Drive”
Go to This PC → Network → Right Click on Network → Map Network Drive

#Via cmd
net use Z: \\10.10.10.10\C$ password123 /user:administrator

[Map Drive]
==================================================================
- Go to This PC -> Network -> Right Click on Network -> Map Network Drive
- net use Y: \\$ip\C$ -> Y:
- net use Y: \\$ip\C$ /user:administrator Password
- showmount -e $ip
- mount -t cifs -o "username=user,password=password" //$ip/share /mnt/share
- mount -f cifs //$ip/share /mnt/shar