The text from this page can be cleanly downloaded to your terminal directly using the following command:
curl -s https://harfordcda.neocities.org/smb.html | sed 's/<[^>]*>//g ; /^$/d' | tr -s '\n' '\n' | sed -r '/^\r?$/d'
Search SMB nmap scripts:
ls -la /usr/share/nmap/scripts | grep smb
Check for vulns:
nmap --script 'smb-vuln*' -p 139,445 ip
SMB Enumeration:
nmblookup -A ip
nbtstat -A ip
echo exit | smbclient -L \\\\ip
smbmap -u username -p password -H ip
nmap --script 'smb-enum-*' -p 139,445 ip
enum4linux -r ip
Is anonymous access enabled?
smbclient -L ip
What about Null Sessions on the SMB shares?
smbmap -H ip -R
rpcclient -U "" -N ip
smbclient -N \\\\ip\\share
enum4linux -r ip
Enumerate possible users:
nmap --script smb-enum-users.nse -p 445 ip
smbclient -L ip -U%
Can I connect to an SMB share with an account:
smbclient \\\\server\\share -U 'username%password'
From Windows:
net use \\ip\ipc$ "" /u:""
Connect to RPC:
rpcclient -U "" -N ip
rpcclient -U "username" [ip] #prompts for password
Samba rpcclient can be used to interact with RPC endpoints to enumerate users:
querydispinfo and enumdomusers
queryuser [0xrid]
queryusergroups [0xrid]
lookupnames [username]
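To turn the raw enumdomusers output from a null session into an audit finding (which accounts a server discloses to an unauthenticated caller, including built-in ones by RID), the following Python is an added example, not code from this page. It assumes the `user:[name] rid:[0xhex]` line format that rpcclient prints; the sample output and account names are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of rpcclient "enumdomusers" output; names and RIDs are
# made up for this example, the line format is the one rpcclient prints.
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]
user:[jdoe] rid:[0x452]
"""

ENUM_LINE = re.compile(
    r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[0x(?P<rid>[0-9A-Fa-f]+)\]$"
)

# RIDs that are fixed for every domain (built-in accounts), so they identify
# the account even if it has been renamed.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def parse_enumdomusers(text: str) -> List[Dict[str, object]]:
    """Parse enumdomusers output into records; lines that do not match are skipped."""
    users: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = ENUM_LINE.match(raw.strip())
        if not m:
            continue
        rid = int(m.group("rid"), 16)
        built_in: Optional[str] = WELL_KNOWN_RIDS.get(rid)
        users.append({
            "name": m.group("name"),
            "rid": rid,                 # decimal RID
            "rid_hex": f"0x{rid:x}",    # form accepted by queryuser / queryusergroups
            "built_in": built_in,
        })
    return users


def exposure_report(users: List[Dict[str, object]]) -> Dict[str, object]:
    """Summarise what an unauthenticated caller learned, for the audit write-up.
    The 'svc' prefix check is a naming heuristic, not a reliable rule."""
    built_in = [u["name"] for u in users if u["built_in"]]
    service_like = [u["name"] for u in users if str(u["name"]).lower().startswith("svc")]
    return {
        "accounts_disclosed": len(users),
        "built_in_accounts": built_in,
        "service_like_accounts": service_like,
        "highest_rid": max((int(u["rid"]) for u in users), default=None),
    }


if __name__ == "__main__":
    parsed = parse_enumdomusers(SAMPLE_ENUMDOMUSERS)
    for u in parsed:
        print(f"{u['name']:<16} rid={u['rid']:<6} ({u['rid_hex']}) built_in={u['built_in']}")
    print(exposure_report(parsed))
```

Feed it the saved output of `rpcclient -U "" -N ip -c enumdomusers`; a non-empty result from an empty username means the server discloses its account list to anyone who can reach port 445, which is the finding to report and fix.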
Brute Force SMB:
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE wordlist
PASS_FILE => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE userlist
USER_FILE => userlist
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS [host]
RHOSTS => [host]
msf5 auxiliary(scanner/smb/smb_login) > run
nmap --script smb-brute -p 445 [ip]
hydra -l [username] -P /password/path [ip] smb -t 1
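The login attempts generated by the tools above show up on the target as bursts of failed network logons, so the detection side of this section is worth having in hand. The following Python is an added example, not code from this page: it runs a sliding window over simplified Windows Security events (Event ID 4625 failed logon and 4624 successful logon, LogonType 3 = network, which is what SMB authentication produces) and flags source addresses that cross a failure threshold, distinguishing a single-account brute force from a password spray across accounts. The event tuples are constructed for the example, not real log data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample events: (TimeCreated, EventID, LogonType, TargetUserName, IpAddress).
# These mirror the fields of Windows Security 4625/4624 events but are made up.
SAMPLE_EVENTS: List[Tuple[str, int, int, str, str]] = [
    ("2024-01-15T10:00:01", 4625, 3, "administrator", "10.0.0.5"),
    ("2024-01-15T10:00:03", 4625, 3, "administrator", "10.0.0.5"),
    ("2024-01-15T10:00:05", 4625, 3, "backup",        "10.0.0.5"),
    ("2024-01-15T10:00:07", 4625, 3, "backup",        "10.0.0.5"),
    ("2024-01-15T10:00:09", 4625, 3, "jdoe",          "10.0.0.5"),
    ("2024-01-15T10:00:11", 4625, 3, "jdoe",          "10.0.0.5"),
    ("2024-01-15T10:00:12", 4624, 3, "jdoe",          "10.0.0.5"),  # success after the burst
    ("2024-01-15T10:00:30", 4625, 3, "jdoe",          "10.0.0.9"),  # a user mistyping, twice
    ("2024-01-15T10:02:30", 4625, 3, "jdoe",          "10.0.0.9"),
    ("2024-01-15T10:00:40", 4625, 2, "jdoe",          "-"),         # interactive logon, ignored
]


def detect_smb_bruteforce(events, threshold: int = 5, window_seconds: int = 60) -> List[Dict[str, object]]:
    """Flag source IPs with >= threshold failed network logons inside a sliding window.

    Returns one alert per source, with the peak failure count seen in any window,
    the set of targeted accounts, and whether a network logon from that source
    succeeded after the burst (the case that needs immediate follow-up)."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}

    for ts, event_id, logon_type, user, ip in sorted(events, key=lambda e: e[0]):
        if logon_type != 3 or ip == "-":
            continue  # only network logons carry an SMB-style source address
        t = datetime.fromisoformat(ts)

        if event_id == 4624:
            if ip in alerts:
                alerts[ip]["success_after_failures"] = True
            continue
        if event_id != 4625:
            continue

        q = recent[ip]
        q.append((t, user))
        while q and t - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window

        if len(q) >= threshold:
            alert = alerts.setdefault(ip, {
                "source": ip,
                "first_seen": q[0][0].isoformat(),
                "failures": 0,
                "users": set(),
                "success_after_failures": False,
            })
            alert["failures"] = max(int(alert["failures"]), len(q))
            alert["users"].update(u for _, u in q)

    result = []
    for alert in alerts.values():
        users = sorted(alert.pop("users"))
        alert["targeted_users"] = users
        alert["distinct_users"] = len(users)
        # Many accounts with few tries each reads as a spray; one account hammered reads as brute force.
        alert["pattern"] = "password spray" if len(users) >= 3 else "brute force"
        result.append(alert)
    return result


if __name__ == "__main__":
    for a in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(a)
```

The threshold and window are the knobs to tune against a baseline of normal failed logons on the host; the `success_after_failures` flag is what should page someone, since it means one of the attempts worked.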