445-SMB-139
Port 139 carries SMB over the NetBIOS Session Service (NetBIOS over TCP/IP), the legacy transport for file and printer sharing. Port 445 carries SMB directly over TCP with no NetBIOS layer; modern Windows uses 445, while 139 still shows up on older hosts and on Samba, which listens on both by default.
Crackmapexec
https://github.com/byt3bl33d3r/CrackMapExec.git
apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
poetry run crackmapexec
crackmapexec smb 10.129.230.181 --shares                   //list shares (needs credentials or a null session)
crackmapexec smb 10.129.230.181 --shares -u '' -p ''       //null session
cme smb IP -u kaorz -p password --shares -M spider_plus    //spider_plus module: recursively list the files on every readable share
Smbmap
https://github.com/ShawnDEvans/smbmap.git
-d [domain name]
//pass-the-hash: -p takes LMHASH:NTHASH with no hash-type tag (no hashid needed). Only the NT half is used for NTLM authentication, so when the LM hash is unknown either repeat the NT hash in both halves (as below) or use the empty-LM value aad3b435b51404eeaad3b435b51404ee.
//--download takes share/path, i.e. the first component is the share name
smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -H 10.129.218.32 --download alice/my_private_key.ppk
Smbclient
//anonymous (null session) login to a share
smbclient -N //IP/support-tools
//with valid credentials: list the shares, then connect to one
smbclient -L \\\\IP\\ -U admin
smbclient \\\\IP\\public -U admin
//list shares without a password
smbclient -N -L //10.129.14.128
//commands at the smb: \> prompt once connected to a share
> recurse ON      [toggle recursion so get, mget, put, mput, del, mdir, etc. descend into directories]
> prompt          [toggle interactive prompting off so mget/mput do not ask for every file]
> mget *          [download everything in the current directory, recursively when recurse is on]
> help dir        [help <command> shows the usage of any command; dir lists the current directory]
Smbcacls
Get or set the ACL of a file or directory on an SMB share (man smbcacls). Paths are given relative to the share root.
smbcacls -N '//10.129.216.197/Department Shares' Users
//check every top-level entry of the share (names taken from a local listing of the share, e.g. a mounted copy)
for i in $(ls); do echo "$i"; smbcacls -N '//10.129.216.197/Department Shares' "$i"; done
Each ACE is printed as ACL:<trustee>:ALLOWED|DENIED/<flags>/<mask>. The inheritance flags may precede the mask (hex or letter form):
(I)  - Inherit. The ACE was inherited from the parent container, e.g. a file alice creates under a folder that grants her RW gets that right without it being set on the file.
(OI) - Object inherit. Objects in this container will inherit this ACE. Applies only to directories.
(CI) - Container inherit. Containers in this parent container will inherit this ACE. Applies only to directories.
(IO) - Inherit only. ACE inherited from the parent container, but does not apply to the object itself. Applies only to directories.
(NP) - Do not propagate inherit. ACE inherited by containers and objects from the parent container, but does not propagate to nested containers. Applies only to directories.
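Added example (not from the original notes, not part of smbcacls): a small POSIX sh parser for the ACL lines above that reports only the ACEs granting write access, and whether each one was inherited (I flag) or set directly on the object. The smbcacls output fed to it is constructed to match the real layout; CORP is a made-up domain and the trustee names are invented.

```sh
#!/bin/sh
# Added example, not from the original notes: triage smbcacls output.
# Reads "ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<mask>" lines on stdin and
# prints one line per ACE that grants write access, tagged as inherited
# (flag I present) or explicit (set directly on this object).
# Write access here means FULL, CHANGE, or a letter mask containing W;
# raw hex masks (0x...) are not decoded and are skipped.
writable_aces() {
  while IFS= read -r line; do
    case "$line" in
      ACL:*) ;;
      *) continue ;;           # REVISION/CONTROL/OWNER/GROUP lines
    esac
    rest=${line#ACL:}
    trustee=${rest%%:*}        # up to the first ':' (trustee names carry no colon)
    spec=${rest#*:}            # e.g. ALLOWED/OI|CI|I/FULL
    type=${spec%%/*}
    flags=${spec#*/}
    flags=${flags%/*}
    perm=${spec##*/}
    [ "$type" = ALLOWED ] || continue
    case "$perm" in
      FULL|CHANGE|*W*) ;;
      *) continue ;;
    esac
    # Match the I flag as a whole token: OI and CI also contain an "I".
    case "|$flags|" in
      *"|I|"*) inh=inherited ;;
      *)       inh=explicit ;;
    esac
    printf '%s %s %s\n' "$trustee" "$inh" "$perm"
  done
  return 0                     # an empty result is a valid answer, not an error
}

# Constructed sample in the smbcacls layout (CORP and the users are made up).
sample_smbcacls() {
  cat <<'EOF'
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:BUILTIN\Administrators
ACL:Everyone:ALLOWED/0x0/READ
ACL:CORP\alice:ALLOWED/OI|CI/CHANGE
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:CORP\bob:DENIED/0x0/FULL
ACL:BUILTIN\Users:ALLOWED/OI|CI|I/RX
EOF
}

# Live use against a share:
#   smbcacls -N '//10.129.216.197/Department Shares' Users | writable_aces
sample_smbcacls | writable_aces
```

The explicit/inherited split is what matters when you find a writable folder: an explicit ACE for a low-privileged principal was set on purpose (or by mistake) on that object, while an inherited one points at a misconfiguration higher up the share that probably affects many more paths.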
Enum4linux-ng
https://github.com/cddmp/enum4linux-ng
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
./enum4linux-ng.py 10.129.14.128 -A     //-A: all simple enumeration (users, groups, shares, policies, OS info)
Rpcclient
rpcclient -N -U "" 10.129.14.128        //null session; -N skips the password prompt
//enumeration commands at the rpcclient $> prompt
srvinfo                  //server information (OS version, server type)
enumdomains              //enumerate the domains the server knows about
querydominfo             //domain name, server role and user/group counts for the current domain
netshareenumall          //enumerate all shares
netsharegetinfo <share>  //details of one share (path, comment, permissions)
enumdomusers             //enumerate domain users together with their RIDs
queryuser <RID>          //details of one user; the RID is given in hex, e.g. 0x1f4 for Administrator
Brute Forcing user RIDs
//useful when enumdomusers is denied: RID 500 is the built-in Administrator, 501 Guest, 1000+ are created accounts
for i in $(seq 500 1100); do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x' "$i")" | grep "User Name\|user_rid\|group_rid" && echo ""; done
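Added example (not from the original notes, not part of rpcclient): a POSIX sh version of the RID brute force above that converts each RID to the hex form queryuser expects and parses the raw output into rid,username,group_rid lines instead of grepping. The queryuser output it is run against is constructed to mimic the real field layout (tabs replaced by spaces; the trim step handles both); the target address and the brute_rids wrapper are only exercised when you point them at a live host.

```sh
#!/bin/sh
# Added example, not from the original notes: parse rpcclient "queryuser"
# output from a RID brute force into "rid,username,group_rid" lines.

# Decimal RID -> the 0x-prefixed form queryuser expects (500 -> 0x1f4).
rid_hex() {
  printf '0x%x' "$1"
}

# Strip leading/trailing whitespace (tabs included) from stdin.
trim() {
  sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Read concatenated queryuser output on stdin; emit one CSV line per account.
# rpcclient prints one "key : value" line per field; a block is complete when
# its group_rid line is seen. Lines from failed lookups
# ("result was NT_STATUS_NO_SUCH_USER") carry no ':' and are ignored.
parse_queryuser() {
  name=''; urid=''
  while IFS= read -r line; do
    case "$line" in *:*) ;; *) continue ;; esac
    key=$(printf '%s' "${line%%:*}" | trim)
    val=$(printf '%s' "${line#*:}" | trim)
    case "$key" in
      'User Name') name=$val ;;
      user_rid)    urid=$((val)) ;;                     # shell arithmetic reads 0x.. hex
      group_rid)   printf '%s,%s,%s\n' "$urid" "$name" "$((val))"
                   name=''; urid='' ;;
    esac
  done
  return 0
}

# Live use (needs rpcclient and a reachable target): walk a RID range and parse as it goes.
brute_rids() {
  target=$1; first=${2:-500}; last=${3:-1100}
  i=$first
  while [ "$i" -le "$last" ]; do
    rpcclient -N -U "" "$target" -c "queryuser $(rid_hex "$i")" 2>/dev/null
    i=$((i + 1))
  done | parse_queryuser
}

# Constructed sample of two queryuser blocks with a failed lookup between them
# (field layout copied from rpcclient; values are made up except the built-in RIDs).
sample_queryuser() {
  cat <<'EOF'
    User Name   :   Administrator
    Full Name   :
    Description :   Built-in account for administering the computer/domain
    Logon Time               :  Thu, 01 Jan 1970 00:00:00 GMT
    user_rid :  0x1f4
    group_rid:  0x201
result was NT_STATUS_NO_SUCH_USER
    User Name   :   alice
    user_rid :  0x3e9
    group_rid:  0x201
EOF
}

# Offline demo; for a real target use:  brute_rids 10.129.14.128 500 1100
sample_queryuser | parse_queryuser
```

group_rid 0x201 (513) is Domain Users, so the output directly tells you which of the discovered accounts are plain users and which carry a different primary group worth a closer look.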
https://www.hackingarticles.in/impacket-guide-smb-msrpc/ or [[Impacket Guide SMB_MSRPC]]
Basics of SMB (local Samba host)
[+] Basic details
grep -v "^\s*[#;]" /etc/samba/smb.conf | grep -v "^\s*$"     //effective config without comment and blank lines
smbstatus                                                     //current Samba connections, shares in use and locked files
[+] Enumeration
sudo nmap 10.129.14.128 -sV -sC -p139,445     //version detection plus the default scripts (smb-os-discovery, smb2-security-mode, ...) on both SMB ports
WSMAN after SMB
https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell.rb
If WinRM/WS-Management (TCP 5985, or 5986 for HTTPS) is open and SMB enumeration produced valid credentials, this Ruby snippet gives an interactive shell over WinRM.