Pentester's Promiscuous Notebook
SMB
Server Message Block
Check for SMB vulnerabilities with Nmap (unsafe=1 allows scripts to run checks that may crash the target service, so mind it on production hosts):
$ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445
$ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445
Fingerprint
https://book.hacktricks.xyz/pentesting/pentesting-smb#smb-server-version
Enumerate the SMB version of old Samba servers. Modern clients do not offer legacy dialects by default (client min protocol is SMB2_02 in current Samba), so a legacy dialect has to be allowed explicitly. Run the sniffer in one terminal and trigger the connection with smbclient in another; the NativeLanMan banner is sent as UTF-16, hence the optional byte between the letters in the ngrep regex:
$ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
$ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1'
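The probe below is an added example and not part of the notebook: it builds an SMB1 NEGOTIATE by hand so that you decide which dialects the target is offered, which is exactly what a current smbclient will not do for the pre-NT ones, and then reads back whether the server picked an SMB1 dialect (reported as an index into the offered list), answered in SMB2, or refused. The address 10.10.13.37 is the page's placeholder target; the dialect list, header flag values and output format are this example's own choices. Save it as, e.g., smbneg.py and run python3 smbneg.py 10.10.13.37.

```python
import socket
import struct
import sys

# Added example (not from the notebook): hand-rolled SMB NEGOTIATE probe.
# Dialect strings in the order a classic client offered them; the server
# replies with the index into *this* list of the dialect it selected.
LEGACY_DIALECTS = [
    "PC NETWORK PROGRAM 1.0",
    "LANMAN1.0",
    "Windows for Workgroups 3.1a",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
    "SMB 2.002",
    "SMB 2.???",
]

SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
    0x02FF: "SMB 2.??? (wildcard, server expects an SMB2 NEGOTIATE next)",
}

SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=LEGACY_DIALECTS):
    """Return a NetBIOS-session-framed SMB1 NEGOTIATE offering `dialects`."""
    hdr = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", SMB_COM_NEGOTIATE,
        0,                # NT status
        0x18,             # Flags: case-insensitive, canonicalized paths
        0xC853,           # Flags2: unicode, NT status, ext. security, long names
        0,                # PIDHigh
        b"\x00" * 8,      # SecurityFeatures (no signing yet)
        0,                # Reserved
        0, 0xFEFF, 0, 0,  # TID, PIDLow, UID, MID
    )
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = hdr + struct.pack("<BH", 0, len(data)) + data  # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message


def parse_negotiate_response(raw, dialects=LEGACY_DIALECTS):
    """Parse the reply to build_smb1_negotiate(); return (family, dialect)."""
    if len(raw) < 4 or raw[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    magic = smb[:4]
    if magic == b"\xfeSMB":
        # SMB2 NEGOTIATE response: 64-byte header, then StructureSize(2),
        # SecurityMode(2), DialectRevision(2), ...
        if len(smb) < 70:
            raise ValueError("truncated SMB2 response")
        rev = struct.unpack_from("<H", smb, 68)[0]
        return "SMB2", SMB2_DIALECTS.get(rev, "unknown 0x%04x" % rev)
    if magic == b"\xffSMB":
        if len(smb) < 35:
            raise ValueError("truncated SMB1 response")
        status = struct.unpack_from("<I", smb, 5)[0]
        if smb[32] == 0:  # WordCount 0: an error response, no parameter words
            return "SMB1", "error, NT status 0x%08x" % status
        index = struct.unpack_from("<H", smb, 33)[0]
        if index == 0xFFFF:
            return "SMB1", "none of the offered dialects accepted"
        if index >= len(dialects):
            raise ValueError("dialect index %d out of range" % index)
        return "SMB1", dialects[index]
    raise ValueError("unexpected protocol magic %r" % magic)


def probe(host, port=445, dialects=LEGACY_DIALECTS, timeout=5.0):
    """Send one NEGOTIATE to host:port and return the parsed answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate(dialects))
        raw = s.recv(4)
        if len(raw) < 4:  # typical when SMB1 is disabled: server just drops us
            raise ValueError("connection closed without a NetBIOS header")
        need = int.from_bytes(raw[1:4], "big")
        while len(raw) < 4 + need:
            chunk = s.recv(4 + need - len(raw))
            if not chunk:
                break
            raw += chunk
    return parse_negotiate_response(raw, dialects)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.13.37"
    # Offer everything first, then only the pre-NT dialects: a server that
    # still answers the second probe with a real dialect accepts LANMAN-era SMB.
    for label, offer in (("all dialects", LEGACY_DIALECTS), ("pre-NT only", LEGACY_DIALECTS[:5])):
        try:
            print("%-13s -> %s %s" % (label, *probe(target, dialects=offer)))
        except (OSError, ValueError) as e:
            print("%-13s -> failed: %s" % (label, e))
```

A Windows host with SMB1 removed drops the connection after the first probe, which the script reports as a failure rather than a dialect; a Samba server with server min protocol lowered will answer the second probe with LANMAN1.0 or similar, and that is the finding worth writing down.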
Mounting
Mount (pass= is optional; without it mount.cifs prompts for the password):
$ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!']
Status:
$ mount -v | grep 'type cifs'
$ df -k -t cifs
Unmount:
$ sudo umount /mnt/smb
SMB Share with Null Authentication
Create an SMB share that allows null (anonymous/guest) authentication. Both variants below expose the share to everyone who can reach the port (the Linux one is also world-writable), so bind it to the engagement interface and tear it down when done.
Linux
/etc/samba/smb.conf
[global]
map to guest = bad user
server role = standalone server
usershare allow guests = yes
smb ports = 445
[smb]
comment = Samba
path = /srv/smb
guest ok = yes
read only = no
browsable = yes
force user = nobody
$ sudo service smbd restart
$ sudo chown -R nobody:root /srv/smb/
$ sudo chmod -R 777 /srv/smb/
Windows
https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer
PS > mkdir C:\share
PS > icacls C:\share\ /T /grant Anonymous` logon:r
PS > icacls C:\share\ /T /grant Everyone:r
PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f # this will overwrite existing NullSessionPipes
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
Hunt for Shares & Content
https://github.com/blacklanternsecurity/MANSPIDER
https://github.com/mitchmoser/SharpShares
https://github.com/SnaffCon/Snaffler
https://github.com/punk-security/SMBeagle
https://github.com/p0dalirius/FindUncommonShares
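The tools linked above hunt over the network; once a share is mounted (see Mounting) a local pass is often enough. The script below is an added example, not from the notebook or from any of the projects linked: a cut-down Snaffler-style triage that flags files by name (keys, configs, unattend files, password databases) and by content (password assignments, PEM private key blocks, connection strings with embedded passwords), skips binaries, and caps how much of each file it reads. The rule lists and the sample directory tree it builds for the demo are constructed assumptions; run it as python3 hunt.py /mnt/smb against a real mount.

```python
import os
import re
import shutil
import stat
import sys
import tempfile

# Added example (not from the notebook): local Snaffler-style share triage.
# Both rule sets are illustrative starting points, not a complete list.
NAME_RULES = {
    "private key file": re.compile(r"(\.(pem|key|ppk|pfx|p12)$|^id_(rsa|dsa|ecdsa|ed25519)$)", re.I),
    "config file": re.compile(r"\.(config|conf|ini|env|yml|yaml|json)$", re.I),
    "unattend/sysprep answer file": re.compile(r"^(unattend|autounattend|sysprep)\.xml$", re.I),
    "password database": re.compile(r"\.(kdbx|kdb|psafe3)$", re.I),
}
CONTENT_RULES = {
    "password assignment": re.compile(rb"(?i)\b(pass(word|wd)?|pwd)\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
    "private key block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "connection string": re.compile(rb"(?i)\b(user id|uid)\s*=[^;]+;\s*(password|pwd)\s*=[^;]+"),
}
MAX_READ = 1024 * 1024  # only inspect the first MiB of each file


def scan_file(path):
    """Return a list of (kind, rule, location) findings for one file."""
    findings = []
    name = os.path.basename(path)
    for rule, rx in NAME_RULES.items():
        if rx.search(name):
            findings.append(("name", rule, path))
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_READ)
    except OSError:
        return findings
    if b"\x00" in data[:512]:  # crude binary check: skip executables, archives
        return findings
    for rule, rx in CONTENT_RULES.items():
        m = rx.search(data)
        if m:
            line = data.count(b"\n", 0, m.start()) + 1
            findings.append(("content", rule, "%s:%d" % (path, line)))
    return findings


def hunt(root):
    """Walk `root` (a mounted share) and collect findings for regular files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                if not stat.S_ISREG(os.stat(p).st_mode):
                    continue
            except OSError:
                continue
            findings.extend(scan_file(p))
    return findings


def build_sample_share():
    """Constructed sample tree standing in for a mounted share (demo data only)."""
    root = tempfile.mkdtemp(prefix="share-")
    files = {
        "IT/web.config": b'<add connectionString="Server=db1;User ID=sa;Password=Summer2023!" />\n',
        "IT/backup/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n",
        "Users/bob/notes.txt": b"todo\nvpn password: hunter22\n",
        "Public/readme.txt": b"Nothing to see here.\n",
        "Tools/app.exe": b"MZ\x00\x00\x00password=notreallytext\x00",
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Run the hunt over the constructed sample share; return relative findings."""
    root = build_sample_share()
    try:
        return [(k, r, os.path.relpath(loc, root)) for k, r, loc in hunt(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, rule, loc in (hunt(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("[%s] %-28s %s" % (kind, rule, loc))
```

Name hits are worth pulling regardless of content; content hits carry the line number so you can grep the file on the share instead of downloading the whole tree with mget.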
Tools
rpcclient
Check for null authentication:
$ rpcclient -N -U '' 127.0.0.1 -c 'srvinfo;netshareenumall'
With user creds:
$ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1
smbclient
Check for null authentication:
$ smbclient -N -L 127.0.0.1
$ smbclient -N '\\127.0.0.1\Data'
With user creds:
$ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!'
Get all files recursively:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
smbmap
$ smbmap -H 127.0.0.1
$ smbmap -H 127.0.0.1 -u anonymous
$ smbmap -H 127.0.0.1 -u '' -p ''
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A . # -A auto-downloads every file whose name matches the regex (here: all of them)