Service discovery

  • With nmap
    nmap -sV -p 139,445 10.0.0.0/24
    nmap --script smb-vuln* 10.0.0.1
  • With nbtscan
    nbtscan 10.0.0.0/24

Information gathering

  • With enum4linux (wraps smbclient, rpcclient, net and nmblookup)
    • Relies on a null (anonymous) session being allowed
    • Get password policies
    • Get usernames + group names + machine names (and SID)
      enum4linux -a 10.0.0.1
  • With smbmap
    • Available shares and permissions
      smbmap -H 10.0.0.1
      smbmap -H 10.0.0.1 -d domain.local -u john -p s3cr3t
  • With smbclient
    • Available shares and comments
      smbclient -L 10.0.0.1
    • Access a share through an FTP-like interface
      • cd / ls / get / put
        smbclient //10.0.0.1/tmp
  • With rpcclient
    • Anonymous bind
      rpcclient -U '' -N 10.0.0.1
    • Enumerate users
      > enumdomusers
    • User info
      > queryuser 0x500
  • With msfconsole
    • Enumerate shares
      use auxiliary/scanner/smb/smb_enumshares
    • Enumerate users
      use auxiliary/scanner/smb/smb_enumusers
    • Find Group Policy Preferences cpassword values in the SYSVOL share
      use auxiliary/scanner/smb/smb_enum_gpp
    • Vulnerable to MS17-010?
      use auxiliary/scanner/smb/smb_ms17_010