killchain-compendium/Enumeration/SMB.md

59 lines
1.3 KiB
Markdown
Raw Normal View History

2022-12-29 01:37:26 +01:00
# SMB
2023-08-31 01:33:59 +02:00
Start your enumeration with [enum4linux](https://github.com/CiscoCXSecurity/enum4linux.git) or alternative tools to get possible usernames and groups.
2022-12-29 01:37:26 +01:00
## SMBClient
* Use `smbclient` to list the share
```sh
smbclient -L //$TARGET_IP/
```
* The protocol might be dated, try
```sh
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
```
2022-11-13 22:52:30 +01:00
# smbmap
* [Repo](https://github.com/ShawnDEvans/smbmap.git)
* `python3 -m pip install -r requirements.txt`
# Usage
* `-x` execute command on server
* `-s` enumerate share
```sh
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
```
2023-04-17 22:49:17 +02:00
## Enumerate Domain Users
List users of the domain through leaked credentials of an SMB user
2023-08-31 01:33:59 +02:00
2023-04-17 22:49:17 +02:00
```sh
crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
```
Continue trying the found password on the users discovered in the step before
2023-08-31 01:33:59 +02:00
2023-04-17 22:49:17 +02:00
```sh
crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
```
## Enumerate Writeable SMB shares
List writeable SMB shares for found domain users via impacket's psexec
2023-08-31 01:33:59 +02:00
2023-04-17 22:49:17 +02:00
```sh
psexec.py example.com/domain.user@example.com
```
2023-08-31 01:33:59 +02:00
## Download Directories
Single files can be downloaded by any client like smbclient via `get`.
Directories can be downloaded via
```sh
smbget -R smb://$TARGET_IP/directory
```