šŸ“‘
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Usage
  • Login
  • Commands
  • Download all
  • Fix problems with older samba versions
  • Enumeration
  • NetBIOS
  • Existing users
  • Anonymous login
  • Shares
  1. Networking
  2. Ports

139 445 - SMB

SMB Enumeration and login

Usage

Login

smbclient \\\\<ip>\\<share>                #anonymous
smbclient -L \\\\<ip>\\<share> -U ā€˜<user>ā€™ #with user

Commands

? <command>    displays a brief informative message about the specified command
! <command>    will execute a shell locally and run the specified command
cd <dir>       change the remote directory to the directory specified, if run with no args show current dir    
del <mask>     attempt to delete all files matching mask from the current working directory on the server
dir <mask>     retrieves a list of files matching mask in current directory
exit           terminate the connection with the server and exit from the program
get <file>     copy the selected file to local machine
help <comm>    same as ? <command>
lcd <dir>      set local machine working directory, if run with no args show current local working dir
lowercase      toggle lowercasing of file names for the get and mget commands
ls <mask>      same as dir <mask>
mask <mask>    set a mask to be used during recursive operations
md <dir>       create a new directory with the given name
mget <mask>    copy all files matching mask in current directory to local machine
mkdir <dir>    same as md <dir>
mput <mask>    copy all files matching mask in local directory to smb server
prompt         toggle user confirmation when copying multiple files
put <file>     upload a file to the remote server
pwd            print current server folder, same as cd with no args
quit           same as exit
rd <dir>       removes remote directory
recurse        toggle recurse for mget and mput commands, uses the mask specified by the mask command to match files
rm <mask>      removes all files matching mask in current dir
rmdir <dir>    same as rd <dir>

Download all

mask ""
recurse ON
prompt OFF
mget *

Fix problems with older samba versions

nano /etc/samba/smb.conf
#under global section add the following line
client min protocol = LANMAN1
#save and restart
service smbd restart

Enumeration

NetBIOS

nmblookup -A <IP>    #enumerate all from given IP
nbtstat <ip>
sudo nmap -sU -sV  --script nbstat.nse -p 137 -Pn -n <IP>

nmap -v -p 139,445 --script=smb-os-discovery <ip addr>    #OS
nmap --script smb-vuln* -p 139,445 <ip addr>              #vulnerabilities

Existing users

nmap --script smb-enum-users.nse -p445 <ip>
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <ip>

Anonymous login

smbclient -N -L \\<ip>
rpcclient -N -L <ip>

Shares

smbmap -H <ip>                                  #anonymous access
echo exit | smbclient -L \\\\<ip>               #anonymous access
bmap -H <ip> -u <root or username> -p ''        #user with empty password
smbmap -H <ip> -u <root or username> -p <pass>  #with user
nmap --script smb-enum-shares -p 139,445 <ip>
Previous389 - LDAPNext873 - Rsync

Last updated 2 years ago