Create smb_enumeration_tips.md

2024-07-01 00:41:17 +00:00 · 2021-07-18 23:48:12 -04:00 · 2021-07-18 23:48:12 -04:00 · a80d52b827
commit a80d52b827
parent 6220ead01a
1 changed files with 116 additions and 0 deletions
--- a/recon/smb_enumeration_tips.md
+++ b/recon/smb_enumeration_tips.md
@ -0,0 +1,116 @@
+## SMB NETBIOS Enumeration Tips
+
+### Tool Tips
+
+#### Enum4Linux
+```
+enum4linux x.x.x.x
+```
+
+#### Nmap
+```
+nmap -v -p 139,445 -oG smb.txt 192.168.88.0-254
+```
+
+#### nbtscan
+```
+nbtscan -r 192.168.11.0/24
+```
+
+#### nmblookup
+```
+nmblookup -A target
+```
+#### smbclient
+```
+smbclient //192.168.31.147/karen -I 192.168.88.251
+```
+#### rpcclient
+```
+rpcclient -U "" 192.168.88.251 // connect as blank user /nobody
+```
+#### smbmap
+```
+smbmap -u "" -p "" -d MYGROUP -H 192.168.88.251
+```
+
+## Metasploit 
+
+### SMB version
+```
+msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
+msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.88.251
+RHOSTS => 192.168.31.142
+msf auxiliary(scanner/smb/smb_version) > run
+[*] 192.168.31.142:139    - Host could not be identified: Unix (Samba 2.2.1a)
+```
+### SMB brute force
+```
+use auxiliary/scanner/smb/smb_login
+```
+
+### Existing users
+```
+msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
+msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
+RHOSTS => 192.168.31.142
+msf auxiliary(scanner/smb/smb_lookupsid) > run
+[*] 192.168.31.142:139    - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
+[*] 192.168.31.142:139    - TYPE=0 NAME=Administrator rid=500
+
+```
+### upload a file
+smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"
+
+
+## NMAP SMB scripts ==
+nmap --script smb-* --script-args=unsafe=1 192.168.10.55 
+
+```
+┌─[omar@websploit]─[~]
+└──╼ $  ls -lh /usr/share/nmap/scripts/smb*	
+smb-brute.nse
+smb-enum-domains.nse
+smb-enum-groups.nse
+smb-enum-processes.nse
+smb-enum-sessions.nse
+smb-enum-shares.nse
+smb-enum-users.nse
+smb-flood.nse
+smb-ls.nse
+smb-mbenum.nse
+smb-os-discovery.nse
+smb-print-text.nse
+smb-psexec.nse
+smb-security-mode.nse
+smb-server-stats.nse
+smb-system-info.nse
+smb-vuln-conficker.nse
+smb-vuln-cve2009-3103.nse
+smb-vuln-ms06-025.nse
+smb-vuln-ms07-029.nse
+smb-vuln-ms08-067.nse
+smb-vuln-ms10-054.nse
+smb-vuln-ms10-061.nse
+smb-vuln-regsvc-dos.nse
+smbv2-enabled.nse
+```
+
+### mount SMB shares in Linux
+```
+smbclient -L \\WIN7\ -I 192.168.13.218
+smbclient -L \\WIN7\ADMIN$  -I 192.168.13.218
+smbclient -L \\WIN7\C$ -I 192.168.13.218
+smbclient -L \\WIN7\IPC$ -I 192.168.13.218
+smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB
+```
+
+### mount SMB share to a afolder
+```
+mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP
+```
+
+### mount SMB shares in Windows (via cmd)
+```
+net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
+```