mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
Merge pull request #6 from maxkleinke/master
enhancement: pentesting smb (manually test for windows smb shares)
This commit is contained in:
commit
0d14187b51
1 changed files with 49 additions and 0 deletions
|
@ -189,6 +189,55 @@ smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recur
|
|||
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
|
||||
```
|
||||
|
||||
### **Manually enumerate windows shares and connect to them**
|
||||
|
||||
It may be possible that you are restricted to display any shares of the host machine and when you try to list them it appears as if there aren't any shares to connect to. Thus it might be worth a short to try to manually connect to a share. To enumerate the shares manually you might want to look for responses like NT_STATUS_ACCESS_DENIED and NT_STATUS_BAD_NETWORK_NAME, when using a valid session \(e.g. null session or valid credentials\). These may indicate whether the share exists and you do not have access to it or the share does not exist at all.
|
||||
|
||||
Common share names for windows targets are
|
||||
|
||||
* C$
|
||||
* D$
|
||||
* ADMIN$
|
||||
* IPC$
|
||||
* PRINT$
|
||||
* FAX$
|
||||
* SYSVOL
|
||||
* NETLOGON
|
||||
|
||||
\(Common share names from _**Network Security Assessment 3rd edition**_\)
|
||||
|
||||
You can try to connect to them by using the following command
|
||||
|
||||
```bash
|
||||
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
|
||||
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
|
||||
```
|
||||
or this script \(using a null session\)
|
||||
|
||||
```bash
|
||||
#/bin/bash
|
||||
|
||||
ip='<TARGET-IP-HERE>'
|
||||
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
|
||||
|
||||
for share in ${shares[*]}; do
|
||||
output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')
|
||||
|
||||
if [[ -z $output ]]; then
|
||||
echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
|
||||
else
|
||||
echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
|
||||
fi
|
||||
done
|
||||
|
||||
```
|
||||
|
||||
examples
|
||||
|
||||
```bash
|
||||
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
|
||||
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
|
||||
```
|
||||
### Mount a shared folder
|
||||
|
||||
```bash
|
||||
|
|
Loading…
Reference in a new issue