59 lines
1.3 KiB
Markdown
59 lines
1.3 KiB
Markdown
# SMB
|
|
|
|
Start your enumeration with [enum4linux](https://github.com/CiscoCXSecurity/enum4linux.git) or alternative tools to get possible usernames and groups.
|
|
|
|
## SMBClient
|
|
|
|
* Use `smbclient` to list the share
|
|
```sh
|
|
smbclient -L //$TARGET_IP/
|
|
```
|
|
* The protocol might be dated, try
|
|
```sh
|
|
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
|
|
```
|
|
|
|
# smbmap
|
|
|
|
* [Repo](https://github.com/ShawnDEvans/smbmap.git)
|
|
* `python3 -m pip install -r requirements.txt`
|
|
|
|
# Usage
|
|
* `-x` execute command on server
|
|
* `-s` enumerate share
|
|
|
|
```sh
|
|
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
|
|
```
|
|
|
|
## Enumerate Domain Users
|
|
|
|
List users of the domain through leaked credentials of an SMB user
|
|
|
|
```sh
|
|
crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
|
|
```
|
|
|
|
Continue trying the found password on the users discovered in the step before
|
|
|
|
```sh
|
|
crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
|
|
```
|
|
|
|
## Enumerate Writeable SMB shares
|
|
|
|
List writeable SMB shares for found domain users via impacket's psexec
|
|
|
|
```sh
|
|
psexec.py example.com/domain.user@example.com
|
|
```
|
|
|
|
## Download Directories
|
|
|
|
Single files can be downloaded by any client like smbclient via `get`.
|
|
Directories can be downloaded via
|
|
|
|
```sh
|
|
smbget -R smb://$TARGET_IP/directory
|
|
```
|