drwxr-xr-x 8 root root 4096 Dec 14 2017 Web Enumeration
drwxr-xr-x 8 root root 4096 Dec 14 2017 Linux PrivEsc
drwxr-xr-x 8 root root 4096 Mar 14 2020 DarkWebSMB
The text from this page can be cleanly downloaded to your terminal directly using the following command:
curl -s https://harfordcda.neocities.org/smb.html | sed 's/<[^>]*>//g ; /^$/d'| tr -s '\n' '\n' | sed -r /^r?$/dLinux PrivEscWeb EnumerationSearch SMB nmap scripts:
ls -la /usr/share/nmap/scripts | grep smb*
Check for vulns:
nmnap --script smb-vuln* -p 139,445
SMB Enumeration:
nmblookup -A ip
nbtstat -A ip
echo exit | smbclient -L \\\\ip
smbmap -u username -p password -H ip
nmap --script smb-enum-* -p 139,445 ip
enum4linux -r ip
####################################What about null Sessions on the SMB shares? Is anonymous access enabled?####################################
smbclient -L ip
smbmap -H ip -R
rpclient -U "" -N ip
smbclient -L \\\\ip\\share
enum4linux -r ip
####################################Can I enumerate users? Can I connect to an SMB share with an account?####################################
nmap -script smb-enum-users.nse -p445 ip
smbclient -L ip -U%
smbclient \\\\server\\share -U 'username%password'
From Windows:
net use \\ip\ipc$ "" /u:"
Connect to the RPC
rpclient -U "" -N ip
rpclient -U "username" [ip] #prompts for password
SAMBA rcpclient can be used to interact with RPC endpoints to enumerate users
querydispinfo and enumdomusers
queryuser [0xrid]
queryusergroups [0xrid]
lookupnames [username]
Brute Force SMB:
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_file userlist
USER_file => userlist
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS [host]
run
nmap --script smb-brute -p 445 [ip]
hydra -l [username] -P /password/path [ip] smb -t 1