SMB OSCP

Post category: OSCP

Use Nmap to scan a host for known SMB vulnerabilities and to run the SMB enumeration scripts (the options take two leading hyphens, and the port list must not contain spaces):

sudo nmap --script="smb-vuln*" <IP Address>

sudo nmap --script="smb-enum*" <IP Address>

nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227

SMB dialect to Windows version:

SMB Version    Windows version
CIFS           Microsoft Windows NT 4.0
SMB 1.0        Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0        Windows Vista and Windows Server 2008
SMB 2.1        Windows 7 and Windows Server 2008 R2
SMB 3.0        Windows 8 and Windows Server 2012
SMB 3.0.2      Windows 8.1 and Windows Server 2012 R2
SMB 3.1.1      Windows 10 and Windows Server 2016

To download all files from an SMB share, connect with smbclient and then enter the following at the smb: \> prompt (recurse ON descends into subdirectories, prompt OFF stops the per-file confirmation):

smbclient '\\server\share'
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> cd 'path\to\remote\dir'
smb: \> mget *

rpcclient is a good tool for enumerating SMB.

# -U '' logs in with an empty (null) username; add -N to skip the password prompt

rpcclient -U '' 10.11.1.17

rpcclient $> querydomainfo
command not found: querydomainfo
rpcclient $> querydominfo
Domain:                 WORKGROUP
Server:                 LUCKY
Comment:                lucky server (Samba, Ubuntu)
Total Users:            0
Total Groups:           0
Total Aliases:          0
Sequence No:            1608749220
Force Logoff:           -1
Domain Server State:    0x1
Server Role:            ROLE_DOMAIN_PDC
Unknown 3:              0x1
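The querydominfo output above is plain "Field:<whitespace>Value" text. The following added example (written for this page, not part of the original post or of rpcclient) parses a captured rpcclient session into a typed dictionary, skipping the prompt echoes and the "command not found" line, so the result of a null-session check can be recorded by an audit script instead of being read by eye. The sample session text is constructed from the output shown above.

```python
# Added example: parse rpcclient querydominfo output into a typed dict.
import re

# Constructed sample, modelled on the rpcclient session shown on this page.
SAMPLE_OUTPUT = """\
rpcclient $> querydomainfo
command not found: querydomainfo
rpcclient $> querydominfo
Domain:\t\tWORKGROUP
Server:\t\tLUCKY
Comment:\tlucky server (Samba, Ubuntu)
Total Users:\t0
Total Groups:\t0
Total Aliases:\t0
Sequence No:\t1608749220
Force Logoff:\t-1
Domain Server State:\t0x1
Server Role:\tROLE_DOMAIN_PDC
Unknown 3:\t0x1
"""

# "Field name:" followed by whitespace and the value; field names may contain spaces.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s+(.*?)\s*$")


def _coerce(value):
    """Turn decimal strings into int and 0x-prefixed hex into int; keep other text."""
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"0x[0-9a-fA-F]+", value):
        return int(value, 16)
    return value


def parse_querydominfo(text):
    """Return {field: value} for a querydominfo block captured from rpcclient.

    Prompt echoes ("rpcclient $> ...") and the "command not found: ..." line
    are skipped; without that skip the latter would be misread as a field.
    """
    info = {}
    for line in text.splitlines():
        if line.startswith("rpcclient $>") or line.startswith("command not found"):
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = _coerce(m.group(2))
    return info


def summarize(info):
    """One-line record of what an anonymous querydominfo revealed about the host."""
    return "%s (%s) role=%s users=%s groups=%s" % (
        info.get("Server"), info.get("Domain"), info.get("Server Role", "unknown"),
        info.get("Total Users"), info.get("Total Groups"))
```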

# Used to retrieve the list of users present on the system

rpcclient $> enumdomusers

# Used to query information about a single user

rpcclient $> queryuser [username]

# Pressing Tab after "enum" lists the available enumeration commands

rpcclient $> enum
enumalsgroups
enumtrust
enumdata
enumdataex
enumdomains
enumdomgroups
enumdomusers
enumdrivers
enumforms
enumjobs
enumkey
enummonitors
enumports
enumprinters
enumprivs
enumprocdatatypes
enumprocs

Scan NetBIOS information on a host

sudo nbtscan -r <IP ADDRESS>

enum4linux: SMB shares can be enumerated via enum4linux.

enum4linux [IP]

List SMB shares on a host

smbmap -H 10.10.10.100

Start a simple SMB share using Python (impacket's smbserver.py); the arguments are the share name followed by the local directory to serve:

python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .

python2 /usr/share/doc/python3-impacket/examples/smbserver.py tools .

python smbserver.py share /home/kali/FTP

Samba client connection from Linux

smbclient -L \\\\10.10.10.4\\

smbclient //10.10.10.100/Replication