445-SMB-139

Port 139 is used for file and printer sharing over NetBIOS, running over TCP/IP. On the other hand, port 445 is used for direct SMB communications without the need for NetBIOS.


Last updated 12 months ago


Crackmapexec

https://github.com/byt3bl33d3r/CrackMapExec.git

apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
poetry run crackmapexec
crackmapexec smb 10.129.230.181 --shares
crackmapexec smb 10.129.230.181 --shares -u '' -p ''
cme smb IP -u kaorz -p password --shares -M spider_plus

Smbmap

https://github.com/ShawnDEvans/smbmap.git

-d [domain name]
// an LM:NT hash pair can be passed straight to -p; no hash identifier prefix is needed
smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -H 10.129.218.32 --download alice/my_private_key.ppk

Smbclient

//anonymous login
smbclient -N //IP/support-tools

//valid credentials
smbclient -L \\\\IP\\ -U admin
smbclient \\\\IP\\public -U admin


//list the shares anonymously, then connect to one with smbclient -N //IP/share
smbclient -N -L //10.129.14.128

> recurse ON    [make get, mget, put, mput, del, mdir, etc. operate recursively on directories]
> prompt        [disable the interactive prompt when transferring multiple files]
> mget *
> dir /?

Smbcacls

Set or get ACLs on NT file or directory names

smbcacls -N '//10.129.216.197/Department Shares' Users

for i in $(ls); do echo "$i"; smbcacls -N '//10.129.216.197/Department Shares' "$i"; done

Inheritance flags may precede either permission form:
(I)  - Inherit. The ACE was inherited from the parent container. If alice creates a file in a directory where she has read/write, the file inherits that ACE automatically; nothing needs to be set on it.
(OI) - Object inherit. Objects (files) in this container inherit this ACE. Applies only to directories.
(CI) - Container inherit. Containers (subdirectories) in this parent container inherit this ACE. Applies only to directories.
(IO) - Inherit only. The ACE is inherited by children but does not apply to the object itself. Applies only to directories.
(NP) - Do not propagate inherit. The ACE is inherited by the immediate containers and objects of this container, but does not propagate to nested containers. Applies only to directories.
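Reading smbcacls output by eye across a whole share gets error-prone, so here is an added example (not from the page or from the Samba tools) that parses the ACL: lines smbcacls prints, decodes the inheritance flags listed above, and reports every ALLOWED entry that hands a broad principal (Everyone, Authenticated Users, BUILTIN\Users) some form of write. The sample output, the CORP domain and the user names are constructed; the access-mask bits used for the hex permission form are the standard Windows constants.

```python
"""Decode smbcacls ACE lines and flag broadly writable entries.

Added example for reviewing share ACLs pulled with smbcacls; it is not part of
the page or of the Samba tooling. SAMPLE_OUTPUT is constructed (the CORP
domain and the user names are placeholders).
"""
import re

# Inheritance flags printed between ALLOWED/DENIED and the permission set.
INHERIT_FLAGS = {
    "I": "inherited from the parent container",
    "OI": "object inherit: files in this directory inherit the ACE",
    "CI": "container inherit: subdirectories inherit the ACE",
    "IO": "inherit only: does not apply to this object itself",
    "NP": "no propagate: inherited one level down only",
}

# Named permission sets (whether they grant write) and single-letter rights
# that grant some form of write: W write, D delete, P change permissions,
# O take ownership.
NAMED_SETS = {"FULL": True, "CHANGE": True, "READ": False}
WRITE_LETTERS = set("WDPO")
# Access-mask bits for the hex form: FILE_WRITE_DATA, FILE_APPEND_DATA,
# FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_ALL, GENERIC_WRITE.
WRITE_MASK = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

# Principals that effectively mean "anyone with a session".
BROAD_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}

ACE_RE = re.compile(r"^ACL:(?P<trustee>.+?):(?P<kind>ALLOWED|DENIED)/(?P<flags>[^/]+)/(?P<perms>\S+)$")

# Constructed sample of what smbcacls prints for one directory.
SAMPLE_OUTPUT = """\
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\\Administrators
GROUP:CORP\\Domain Users
ACL:BUILTIN\\Administrators:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/0x0/READ
ACL:CORP\\alice:ALLOWED/OI|CI|I/RWXD
ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/OI|CI/CHANGE
"""


def parse_ace(line):
    """Return a dict for an ACL: line, or None for any other smbcacls line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    # 0x0 means no inheritance flags at all
    flags = [] if m["flags"] == "0x0" else m["flags"].split("|")
    return {"trustee": m["trustee"], "kind": m["kind"], "flags": flags, "perms": m["perms"]}


def describe_flags(flags):
    """Human-readable meaning of each inheritance flag."""
    return [INHERIT_FLAGS.get(f, f"unknown flag {f}") for f in flags]


def grants_write(perms):
    """True if a permission set (named, letters or hex mask) includes a write right."""
    if perms in NAMED_SETS:
        return NAMED_SETS[perms]
    if perms.startswith("0x"):
        return bool(int(perms, 16) & WRITE_MASK)
    return bool(WRITE_LETTERS & set(perms))


def audit(output):
    """Return the ALLOWED ACEs that give a broad principal write access."""
    findings = []
    for line in output.splitlines():
        ace = parse_ace(line)
        if ace and ace["kind"] == "ALLOWED" and ace["trustee"] in BROAD_PRINCIPALS and grants_write(ace["perms"]):
            findings.append(ace)
    return findings


if __name__ == "__main__":
    for ace in audit(SAMPLE_OUTPUT):
        inherit = ", ".join(describe_flags(ace["flags"])) or "no inheritance flags"
        print(f"{ace['trustee']}: {ace['perms']} ({inherit})")
```

Pipe the output of the for loop above into audit() per directory and the OI|CI entries are the ones to look at first: with both flags set, a write grant to Authenticated Users propagates to every file and subdirectory created underneath.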


Enum4linux-ng

git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
./enum4linux-ng.py 10.129.14.128 -A

Rpcclient

rpcclient -U "" 10.129.14.128

//enumeration commands inside the rpcclient shell
srvinfo                  // server information
enumdomains              // enumerate all domains deployed in the network
querydominfo             // domain, server and user information for the deployed domains
netshareenumall          // enumerate all available shares
netsharegetinfo <share>  // information about a specific share
enumdomusers             // enumerate all domain users
queryuser <RID>          // information about a specific user


Brute Forcing user RIDs

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Impacket guide to SMB/MSRPC: https://www.hackingarticles.in/impacket-guide-smb-msrpc/


SMB basics

[+] Basic details

cat /etc/samba/smb.conf | grep -v "#\|\;" 

smbstatus
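Stripping comments out of smb.conf, as above, still leaves the reviewer to judge each setting. The following is an added example (not from the page or from Samba) that parses the [global] and share sections and reports the settings that weaken SMB security, each with the value to set instead. SAMPLE_CONF is constructed; the parameter names and values are standard Samba ones, and the recommended replacements are the usual hardening choices rather than anything the page states.

```python
"""Audit a Samba smb.conf for settings that weaken SMB security.

Added example to go with the smb.conf review above; it is not part of the page
or of Samba. SAMPLE_CONF is constructed, and the recommended values in the
messages are the standard hardening choices, not something the page states.
"""
import configparser

# Constructed sample with a few deliberately weak settings.
SAMPLE_CONF = """\
[global]
   workgroup = CORP
   server string = File server
   server min protocol = NT1
   map to guest = Bad User
   server signing = disabled

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = yes
"""

# Dialect names that keep SMB1 negotiable.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def load_smb_conf(text):
    """Parse smb.conf text; it is INI-like but not quite configparser's dialect."""
    cp = configparser.ConfigParser(
        interpolation=None,         # smb.conf uses %U, %m, ... which are not configparser syntax
        strict=False,               # Samba tolerates repeated parameters (last one wins)
        allow_no_value=True,
        empty_lines_in_values=False,
    )
    # Samba ignores case and extra whitespace in parameter names
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return cp


def is_yes(value):
    return value is not None and value.strip().lower() in {"yes", "true", "1"}


def share_is_writable(section):
    # writable / writeable / write ok are synonyms for "read only = no"
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return is_yes(section[key])
    return not is_yes(section.get("read only", "yes"))  # shares are read-only by default


def audit(text):
    """Return (section, message) pairs, one per weak setting found."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    proto = g.get("server min protocol", "SMB2_02").strip().upper()
    if proto in SMB1_DIALECTS:
        findings.append(("global", f"server min protocol = {proto} allows SMB1; set SMB2_02 or higher"))
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "map to guest turns failed logins into guest sessions; set 'map to guest = Never'"))
    if g.get("server signing", "default").strip().lower() == "disabled":
        findings.append(("global", "server signing = disabled; set 'server signing = mandatory'"))
    if is_yes(g.get("null passwords", "no")):
        findings.append(("global", "null passwords = yes accepts empty passwords; set it to no"))
    for name in cp.sections():
        if name in ("global", "homes", "printers"):
            continue
        share = cp[name]
        # "public" is the old synonym for "guest ok"
        if is_yes(share.get("guest ok", "no")) or is_yes(share.get("public", "no")):
            mode = "writable" if share_is_writable(share) else "read-only"
            findings.append((name, f"guest access is enabled ({mode}); set 'guest ok = no' and restrict with 'valid users'"))
    return findings


if __name__ == "__main__":
    for section, message in audit(SAMPLE_CONF):
        print(f"[{section}] {message}")
```

Run it against a copy of /etc/samba/smb.conf (read_string on the file contents) rather than the live file if the box is not yours to change; a guest-writable share combined with SMB1 and signing disabled is exactly the combination the anonymous-login commands earlier on this page rely on.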

[+] SMB enumeration

sudo nmap 10.129.14.128 -sV -sC -p139,445

WSMAN after SMB

If WinRM/WSMan is also open, it can be used to get a shell (see the winrm_shell.rb link below).

Mount SMB shares
SMB enum cheat sheet (0xdf)
https://github.com/cddmp/enum4linux-ng
https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell.rb