SMB

Start your enumeration with enum4linux or alternative tools to get possible usernames and groups.

SMBClient

  • Use smbclient to list the shares
smbclient -L //$TARGET_IP/
  • If the server only speaks a dated protocol version, try
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'

smbmap

  • Repo
  • python3 -m pip install -r requirements.txt

Usage

  • -x execute command on server
  • -s enumerate share
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'

Enumerate Domain Users

List users of the domain through leaked credentials of an SMB user

crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users

Then try the found password against the users discovered in the previous step

crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
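
On the logging side, this step shows up as one source trying many different accounts within a short time, possibly ending in a successful logon. The following detection sketch is an added example, not part of the original notes; the record layout (time, event id, source IP, account), the thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (time, event id, source IP, account), as if taken from
# Windows Security events 4625 (failed logon) and 4624 (successful logon).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", 4625, "10.0.0.50", "alice"),
    ("2024-05-01T10:00:02", 4625, "10.0.0.50", "bob"),
    ("2024-05-01T10:00:03", 4625, "10.0.0.50", "carol"),
    ("2024-05-01T10:00:04", 4625, "10.0.0.50", "dave"),
    ("2024-05-01T10:00:05", 4625, "10.0.0.50", "erin"),
    ("2024-05-01T10:00:06", 4624, "10.0.0.50", "frank"),  # the reused password fits
    # One user mistyping a password, then succeeding: must not be flagged.
    ("2024-05-01T10:01:00", 4625, "10.0.0.7", "alice"),
    ("2024-05-01T10:01:09", 4624, "10.0.0.7", "alice"),
] + [  # Five accounts from one host, but an hour apart: outside any window.
    (f"2024-05-01T{h:02d}:30:00", 4625, "10.0.0.9", f"user{h}") for h in range(11, 16)
]


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Map each source that touched >= min_users distinct accounts inside one
    sliding window to the accounts tried and the ones that logged on."""
    by_src = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id in (4624, 4625):
            by_src[src].append((datetime.fromisoformat(ts), event_id, user.lower()))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # shrink the window from the left
            burst = rows[start:end + 1]
            users = {u for _, _, u in burst}
            if len(users) >= min_users and len(users) > len(findings.get(src, {}).get("users", [])):
                findings[src] = {
                    "users": sorted(users),
                    "successes": sorted({u for _, e, u in burst if e == 4624}),
                }
    return findings


if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_EVENTS).items():
        print(src, "tried", len(hit["users"]), "accounts; logged on as", hit["successes"])
```

Accounts listed under "successes" are the ones to reset first, since the sprayed password worked for them.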

Enumerate Writeable SMB shares

List writeable SMB shares for found domain users via impacket's psexec

psexec.py example.com/domain.user@example.com

Download Directories

Single files can be downloaded with any client, e.g. smbclient via get. Directories can be downloaded recursively via

smbget -R smb://$TARGET_IP/directory