mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-10 05:34:12 +00:00
Create smb_enumeration_tips.md
This commit is contained in:
parent
6220ead01a
commit
a80d52b827
1 changed files with 116 additions and 0 deletions
116
recon/smb_enumeration_tips.md
Normal file
116
recon/smb_enumeration_tips.md
Normal file
|
@ -0,0 +1,116 @@
|
|||
## SMB NETBIOS Enumeration Tips
|
||||
|
||||
### Tool Tips
|
||||
|
||||
#### Enum4Linux
|
||||
```
|
||||
enum4linux x.x.x.x
|
||||
```
|
||||
|
||||
#### Nmap
|
||||
```
|
||||
nmap -v -p 139,445 -oG smb.txt 192.168.88.0-254
|
||||
```
|
||||
|
||||
#### nbtscan
|
||||
```
|
||||
nbtscan -r 192.168.11.0/24
|
||||
```
|
||||
|
||||
#### nmblookup
|
||||
```
|
||||
nmblookup -A target
|
||||
```
|
||||
#### smbclient
|
||||
```
|
||||
smbclient //192.168.31.147/karen -I 192.168.88.251
|
||||
```
|
||||
#### rpcclient
|
||||
```
|
||||
rpcclient -U "" 192.168.88.251 // connect as blank user /nobody
|
||||
```
|
||||
#### smbmap
|
||||
```
|
||||
smbmap -u "" -p "" -d MYGROUP -H 192.168.88.251
|
||||
```
|
||||
|
||||
## Metasploit
|
||||
|
||||
### SMB version
|
||||
```
|
||||
msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
|
||||
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.88.251
|
||||
RHOSTS => 192.168.31.142
|
||||
msf auxiliary(scanner/smb/smb_version) > run
|
||||
[*] 192.168.31.142:139 - Host could not be identified: Unix (Samba 2.2.1a)
|
||||
```
|
||||
### SMB brute force
|
||||
```
|
||||
use auxiliary/scanner/smb/smb_login
|
||||
```
|
||||
|
||||
### Existing users
|
||||
```
|
||||
msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
|
||||
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
|
||||
RHOSTS => 192.168.31.142
|
||||
msf auxiliary(scanner/smb/smb_lookupsid) > run
|
||||
[*] 192.168.31.142:139 - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
|
||||
[*] 192.168.31.142:139 - TYPE=0 NAME=Administrator rid=500
|
||||
|
||||
```
|
||||
### upload a file
|
||||
smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"
|
||||
|
||||
|
||||
## NMAP SMB scripts ==
|
||||
nmap --script smb-* --script-args=unsafe=1 192.168.10.55
|
||||
|
||||
```
|
||||
┌─[omar@websploit]─[~]
|
||||
└──╼ $ ls -lh /usr/share/nmap/scripts/smb*
|
||||
smb-brute.nse
|
||||
smb-enum-domains.nse
|
||||
smb-enum-groups.nse
|
||||
smb-enum-processes.nse
|
||||
smb-enum-sessions.nse
|
||||
smb-enum-shares.nse
|
||||
smb-enum-users.nse
|
||||
smb-flood.nse
|
||||
smb-ls.nse
|
||||
smb-mbenum.nse
|
||||
smb-os-discovery.nse
|
||||
smb-print-text.nse
|
||||
smb-psexec.nse
|
||||
smb-security-mode.nse
|
||||
smb-server-stats.nse
|
||||
smb-system-info.nse
|
||||
smb-vuln-conficker.nse
|
||||
smb-vuln-cve2009-3103.nse
|
||||
smb-vuln-ms06-025.nse
|
||||
smb-vuln-ms07-029.nse
|
||||
smb-vuln-ms08-067.nse
|
||||
smb-vuln-ms10-054.nse
|
||||
smb-vuln-ms10-061.nse
|
||||
smb-vuln-regsvc-dos.nse
|
||||
smbv2-enabled.nse
|
||||
```
|
||||
|
||||
### mount SMB shares in Linux
|
||||
```
|
||||
smbclient -L \\WIN7\ -I 192.168.13.218
|
||||
smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218
|
||||
smbclient -L \\WIN7\C$ -I 192.168.13.218
|
||||
smbclient -L \\WIN7\IPC$ -I 192.168.13.218
|
||||
smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB
|
||||
```
|
||||
|
||||
### mount SMB share to a afolder
|
||||
```
|
||||
mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP
|
||||
```
|
||||
|
||||
### mount SMB shares in Windows (via cmd)
|
||||
```
|
||||
net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
|
||||
```
|
Loading…
Reference in a new issue