SMB / Samba 135-139, 445

Nmap SMB Enumeration Commands

SMB Security Mode:
nmap --script=smb2-security-mode.nse -p 445 192.168.10.0/24

Basic SMB Scan:
sudo nmap -v -p 139,445 -oG smb.txt 10.11.1.8

NetBIOS Stats and SMB OS Discovery:
sudo nmap --script nbstat.nse 10.11.1.5
sudo nmap --script smb-os-discovery 10.11.1.5

Enumerating SMB Shares:
nmap --script smb-enum-shares -p139,445 10.11.1.5

Scanning for SMB Vulnerabilities:
sudo nmap --script smb-vuln* 10.11.1.5
sudo nmap -v -p 139,445 --script=smb-vuln* --script-args=unsafe=1 10.11.1.5

Scan for SMB Shares with Credentials (if known):
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p 445 10.11.1.0/24

One-liner to Check Multiple SMB Vulnerabilities:
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10

Full SMB Scan with OS Detection:
sudo nmap -A -p 135 --open 10.11.1.0/24 -oG nmap135

Metasploit SMB Enumeration

Enumerating SMB Shares:
use auxiliary/scanner/smb/smb_enumshares

Lookup SID Information:
use auxiliary/scanner/smb/smb_lookupsid

Banner Grabbing

Using Netcat (nc) to Banner Grab on Port 135:
nc -nv 10.11.1.5 135

CrackMapExec (CME) for SMB

Basic Command:
crackmapexec smb 10.11.1.128

Using Credentials:
crackmapexec smb 10.11.1.128 -u 'username' -p 'password'

Brute-Force SMB Login Using a Wordlist:
crackmapexec smb 10.11.1.128 -u "DJ" -p /usr/share/dirb/wordlists/mutations_common.txt
crackmapexec smb 10.11.1.136 -u root -p /usr/share/wordlists/rockyou.txt

Null Session (No Username/Password):
crackmapexec smb 10.11.1.146 -u 'guest' -p ''   # Null session

Listing Shares without Credentials:
crackmapexec smb 10.11.1.146 -u '' -p '' --shares

RPCClient (Null Session)

Connecting with Null Session:
rpcclient -U "" -N 10.11.1.5

Ridenum - SMB Brute-Force (Dictionary-based)

Bruteforce SMB Users with Dictionary:
ridenum.py 10.10.10.10 500 50000 dict.txt

Null Session

Windows Command (Net Use):
net use \\10.10.10.10\IPC$ "" /u:""

Linux Command (Smbclient):
smbclient -L //10.10.10.10

Smbmap

Basic SMB Mapping Command:
smbmap -H 10.11.1.5 -P 135

Login and Access Shares:
smbmap -u "root" -p "123456" -R Bob -H 10.11.1.136 -P 445

Listing Shares:
smbclient -L 10.11.1.5

Accessing a Share (guest access):
smbclient //10.11.1.5/guest

Upload a File to Share:
smbmap -H 10.10.10.10 --upload test.txt /SHARENAME/test.txt

Bruteforce SMB Login

Using Medusa for SMB Bruteforce:
medusa -h 10.11.1.111 -u redcliff -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt

Using Nmap for SMB Bruteforce:
nmap -p445 --script smb-brute --script-args userdb=user.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv

Smbget for Downloading SMB Shares

Recursive Download from SMB Share:
smbget -rR smb://192.168.101.83/sambashare -U guest

EternalBlue Exploit (MS17-010)

Run EternalBlue Checker: clone the repository from GitHub and run eternal_checker.py against the target:
https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternal_checker.py

Mounting SMB Shares

Creating a Temporary Share Folder on Linux:
sudo mkdir /tmp/share

Mount the SMB Share:
sudo mount -t cifs //10.11.1.146/SusieShare /tmp/share
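Turning the smb2-security-mode scan at the top of this page into a remediation list, as an added example that is not part of the original cheat sheet: it parses saved nmap normal output and reports the hosts where SMB2 message signing is not required. The scan text, hosts and verdicts below are constructed for the example; the script output format is assumed to match nmap's "Message signing ..." lines.

```python
import re
from typing import Dict, List

# Constructed sample of nmap normal output for `nmap --script=smb2-security-mode.nse -p 445 <range>`;
# hosts and verdicts are made up for this example, not captured from a real scan.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.10.5
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.10.6
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.10.7
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (.+)$")

def parse_signing(report: str) -> Dict[str, str]:
    """Map each scanned host to the smb2-security-mode verdict nmap printed for it."""
    results: Dict[str, str] = {}
    host = None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "no smb2-security-mode result"
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            results[host] = "Message signing " + m.group(1).strip()
    return results

def hosts_not_requiring_signing(report: str) -> List[str]:
    """Hosts whose SMB2 signing is optional or disabled: sessions to them carry no
    integrity protection, so enforce signing by policy on these first."""
    return sorted(h for h, v in parse_signing(report).items()
                  if v.startswith("Message signing") and "and required" not in v)
```

Run it against a real scan by reading a file saved with -oN into `hosts_not_requiring_signing` instead of SAMPLE_OUTPUT.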