TCP: SMB - 139 / 445

Connection

impacket-smbexec [<Domain Name>/]<Username>[:<Password>]@<Target IP Address>
impacket-smbexec [<Domain Name>/]<Username>@<Target IP Address> -hashes :<NTLM Hash>
impacket-psexec [<Domain Name>/]<Username>[:<Password>]@<Target IP Address>
impacket-psexec [<Domain Name>/]<Username>@<Target IP Address> -hashes :<NTLM Hash>
impacket-wmiexec [<Domain Name>/]<Username>[:<Password>]@<Target IP Address>
impacket-wmiexec [<Domain Name>/]<Username>@<Target IP Address> -hashes :<NTLM Hash>

Enumeration

Identify Version

sudo nmap -p 139,445 -sV -Pn <Target IP Address>
tcpdump -i tun0 port <Port> and src <Target IP Address> -s0 -A -n 2>/dev/null & crackmapexec smb <Target IP Address> --shares --port <Port> 1>/dev/null 2>/dev/null

Nmap

nmap --script "safe or smb-enum-*" -p 445 <Target IP Address>
nmap --script "smb-vuln*" -p 139,445 <Target IP Address>

enum4linux

enum4linux -a <Target IP Address>
enum4linux -a <Target IP Address> -u <Username> -p <Password>

smbclient

Null Session

smbclient -N -L //<Target IP Address>

List all shares

smbclient -L //<Target IP Address>/

Connecting to the particular share

smbclient //<Target IP Address>/<Share Name>/ -U [<Domain Name>\]<Username>
smbclient //<Target IP Address>/<Share Name>/ -U [<Domain Name>\]<Username> --pw-nt-hash <NTLM Hash>

List shares permission

smbmap -H <Target IP Address>

smbget

Download target file

smbget smb://<Target IP Address>/<Share Name>/<File Name> [--user <Username>%<Password>]

Download target share

smbget -R smb://<Target IP Address>//<Share Name>

crackmapexec

Enumerate SMB shares

crackmapexec smb <Target IP Address> [--users | --shares]

Null Authentication

crackmapexec smb <Target IP Address> --shares -u ' ' -p ''
crackmapexec smb <Target IP Address> --shares -u '' -p ''

To test if can authenticate

crackmapexec smb <Target IP Address> -u ' ' -p ''

Guest authentication

crackmapexec smb <Target IP Address> -u 'guest' -p ''

Checking authentication

Local User Authentication

crackmapexec smb <Target IP Address> -u <Username> -p <Password> --local-auth

Domain User Authentication

crackmapexec smb <Target IP Address> -u <Domain Name>\\<Username> -p <Password>

Bruteforce

nxc

nxc smb <Target IP Address> -d <Domain Name> -u <Username List> -p <Password List> --continue-on-success
nxc smb <Target IP Address> -d <Domain Name> -u <Username List> -H <Hashes List> --continue-on-success

hydra

hydra -L <Username List> -P <Password List> -f smb://<Target IP Address> [-p <Port>]
hydra -l <Username> -p <Password> -f smb://<Target IP Address> [-p <Port>]
PreviousTCP: HTTP(S) - 80 / 443NextTCP: FTP - 21

Last updated