cyber-security-resources/recon/smb_enumeration_tips.md

## SMB NETBIOS Enumeration Tips

### Tool Tips

#### Enum4Linux
```
enum4linux x.x.x.x
```

#### Nmap
```
nmap -v -p 139,445 -oG smb.txt 192.168.88.0-254
```

#### nbtscan
```
nbtscan -r 192.168.11.0/24
```

#### nmblookup
```
nmblookup -A target
```
#### smbclient
```
smbclient //192.168.31.147/karen -I 192.168.88.251
```
#### rpcclient
```
rpcclient -U "" 192.168.88.251 // connect as blank user /nobody
```
#### smbmap
```
smbmap -u "" -p "" -d MYGROUP -H 192.168.88.251
```

## Metasploit 

### SMB version
```
msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.88.251
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.31.142:139    - Host could not be identified: Unix (Samba 2.2.1a)
```
### SMB brute force
```
use auxiliary/scanner/smb/smb_login
```

### Existing users
```
msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > run
[*] 192.168.31.142:139    - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
[*] 192.168.31.142:139    - TYPE=0 NAME=Administrator rid=500

```
### upload a file
smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"


## NMAP SMB scripts ==
nmap --script smb-* --script-args=unsafe=1 192.168.10.55 

```
┌─[omar@websploit]─[~]
└──╼ $  ls -lh /usr/share/nmap/scripts/smb*	
smb-brute.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-regsvc-dos.nse
smbv2-enabled.nse
```

### mount SMB shares in Linux
```
smbclient -L \\WIN7\ -I 192.168.13.218
smbclient -L \\WIN7\ADMIN$  -I 192.168.13.218
smbclient -L \\WIN7\C$ -I 192.168.13.218
smbclient -L \\WIN7\IPC$ -I 192.168.13.218
smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB
```

### mount SMB share to a afolder
```
mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP
```

### mount SMB shares in Windows (via cmd)
```
net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
```
Create smb_enumeration_tips.md 2021-07-18 23:48:12 -04:00			`## SMB NETBIOS Enumeration Tips`

			`### Tool Tips`

			`#### Enum4Linux`
			```
			`enum4linux x.x.x.x`
			```

			`#### Nmap`
			```
			`nmap -v -p 139,445 -oG smb.txt 192.168.88.0-254`
			```

			`#### nbtscan`
			```
			`nbtscan -r 192.168.11.0/24`
			```

			`#### nmblookup`
			```
			`nmblookup -A target`
			```
			`#### smbclient`
			```
			`smbclient //192.168.31.147/karen -I 192.168.88.251`
			```
			`#### rpcclient`
			```
			`rpcclient -U "" 192.168.88.251 // connect as blank user /nobody`
			```
			`#### smbmap`
			```
			`smbmap -u "" -p "" -d MYGROUP -H 192.168.88.251`
			```

			`## Metasploit`

			`### SMB version`
			```
			`msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version`
			`msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.88.251`
			`RHOSTS => 192.168.31.142`
			`msf auxiliary(scanner/smb/smb_version) > run`
			`[*] 192.168.31.142:139 - Host could not be identified: Unix (Samba 2.2.1a)`
			```
			`### SMB brute force`
			```
			`use auxiliary/scanner/smb/smb_login`
			```

			`### Existing users`
			```
			`msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid`
			`msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142`
			`RHOSTS => 192.168.31.142`
			`msf auxiliary(scanner/smb/smb_lookupsid) > run`
			`[*] 192.168.31.142:139 - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )`
			`[*] 192.168.31.142:139 - TYPE=0 NAME=Administrator rid=500`

			```
			`### upload a file`
			`smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"`


			`## NMAP SMB scripts ==`
			`nmap --script smb-* --script-args=unsafe=1 192.168.10.55`

			```
			`┌─[omar@websploit]─[~]`
			`└──╼ $ ls -lh /usr/share/nmap/scripts/smb*`
			`smb-brute.nse`
			`smb-enum-domains.nse`
			`smb-enum-groups.nse`
			`smb-enum-processes.nse`
			`smb-enum-sessions.nse`
			`smb-enum-shares.nse`
			`smb-enum-users.nse`
			`smb-flood.nse`
			`smb-ls.nse`
			`smb-mbenum.nse`
			`smb-os-discovery.nse`
			`smb-print-text.nse`
			`smb-psexec.nse`
			`smb-security-mode.nse`
			`smb-server-stats.nse`
			`smb-system-info.nse`
			`smb-vuln-conficker.nse`
			`smb-vuln-cve2009-3103.nse`
			`smb-vuln-ms06-025.nse`
			`smb-vuln-ms07-029.nse`
			`smb-vuln-ms08-067.nse`
			`smb-vuln-ms10-054.nse`
			`smb-vuln-ms10-061.nse`
			`smb-vuln-regsvc-dos.nse`
			`smbv2-enabled.nse`
			```

			`### mount SMB shares in Linux`
			```
			`smbclient -L \\WIN7\ -I 192.168.13.218`
			`smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218`
			`smbclient -L \\WIN7\C$ -I 192.168.13.218`
			`smbclient -L \\WIN7\IPC$ -I 192.168.13.218`
			`smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB`
			```

			`### mount SMB share to a afolder`
			```
			`mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP`
			```

			`### mount SMB shares in Windows (via cmd)`
			```
			`net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES`
			```