SMB
Port: 445
Protocol: tcp
Smbmap
Perform auto-enumeration with smbmap
apt-get install smbmap
smbmap -H ${ip} -u ${user}
Use null as the user name (-u null) to test anonymous access.
SMBClient
Use smbclient to access a remote SMB share.
# List exposed share
smbclient -m ${smbVersion} -L \\\\${ip}/
# Access to the share
smbclient -m ${smbVersion} \\\\${ip}\\${shareName}
Parse all shares
Use Snaffler to automate file share parsing.
.\Snaffler.exe -o ${logFile} -s -v Data -d ${domainName} -c ${dcIp}
Eternalblue
WinXP:
- https://ivanitlearning.wordpress.com/2019/02/24/exploiting-ms17-010-without-metasploit-win-xp-sp3/
- https://root4loot.com/post/eternalblue_manual_exploit/
- https://github.com/worawit/MS17-010
Samba
Get version
The Samba version can be retrieved from the packets exchanged on port 139: the server's Session Setup AndX response (the "SMBs" packet in the dump below) carries it as a UTF-16 string, which is why the letters appear separated by dots and why the ngrep pattern allows an optional character between them.
# In one terminal
ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
# On another one
smbclient -L ${ip}
# Example of output:
#####################
# T 192.168.119.136:59244 -> 10.11.1.136:139 [AP] #20
# .....SMBr.....C......................j..MICROSOFT NETWORKS 3.0..LANMAN1.0..LM1.2X002..DOS LANMAN2.1..LANMAN2.1..Samba..NT LANMAN 1.0..NT LM 0.12.
####
# T 10.11.1.136:139 -> 192.168.119.136:59244 [AP] #24
# ...f.SMBs..................................=..U.n.i.x...S.a.m.b.a. .3...0...2.4...T.H.I.N.C...L.O.C.A.L...
#!/bin/sh
# Description:
#   Requires root or enough permissions to use tcpdump.
#   Listens for the first 7 packets of a null login
#   and grabs the SMB version from the server's Session Setup reply.
# Notes:
#   Will sometimes not capture or will print multiple
#   lines. May need to run a second time for success.
#   The capture interface is hard-coded to tap0; change it to match
#   your VPN interface (the ngrep example above uses tun0).
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
# Sniff the server's replies in the background. tcpdump -A prints the UTF-16 NUL
# bytes as '.', so tr -d '.' joins the letters again (it also drops the dots inside
# the version number, e.g. "Samba 3.0.24" comes out as "Samba3024").
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
# Trigger a null session so the server sends its Session Setup response
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
Run the script as:
./script.sh ${ip}
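As an added example (not part of the original page), the same version leak parsed properly instead of through tr: the "SMBs" reply in the dump above is an SMB1 Session Setup AndX response whose NativeOS, NativeLanMan and PrimaryDomain fields are NUL-terminated UTF-16LE strings when the Unicode flag is set. The parser below decodes them from a raw TCP payload, and a builder produces a constructed packet shaped like the Samba reply to run it against; function names and the sample values are assumptions.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73   # rendered as "SMBs" in the ngrep/tcpdump dumps above
FLAGS2_UNICODE = 0x8000             # when set, the trailing strings are UTF-16LE

def parse_session_setup_response(payload: bytes) -> dict:
    """Extract NativeOS / NativeLanMan / PrimaryDomain from an SMB1 Session Setup AndX
    response. payload is the raw TCP payload, including the 4-byte NetBIOS session header."""
    smb = payload[4:]
    if len(smb) < 33 or smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX message")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    word_count = smb[32]
    params_end = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    start = params_end + 2
    data = smb[start:start + byte_count]
    if word_count == 4:  # extended-security reply: a SPNEGO blob precedes the strings
        blob_len = struct.unpack_from("<H", smb, 39)[0]
        data, start = data[blob_len:], start + blob_len
    if flags2 & FLAGS2_UNICODE:
        if start % 2:    # UTF-16 strings are 2-byte aligned relative to the SMB header
            data = data[1:]
        text = data[: len(data) & ~1].decode("utf-16-le", errors="replace")
    else:
        text = data.decode("latin-1")
    parts = (text.split("\x00") + ["", "", ""])[:3]
    return {"native_os": parts[0], "native_lanman": parts[1], "primary_domain": parts[2]}

def build_sample_response(native_os, native_lanman, domain, unicode=True) -> bytes:
    """Constructed Session Setup AndX response shaped like the Samba reply in the dump
    above (sample data, not a real capture); WordCount=3, no extended security."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    header = (SMB1_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 5
              + struct.pack("<H", flags2) + b"\x00" * 20)          # 32-byte SMB header
    words = struct.pack("<BBHH", 0xFF, 0, 0, 0)   # AndXCommand=none, reserved, AndXOffset, Action
    enc = "utf-16-le" if unicode else "latin-1"
    body = b"".join((s + "\x00").encode(enc) for s in (native_os, native_lanman, domain))
    if unicode:
        body = b"\x00" + body   # pad byte: the data would otherwise start at odd offset 41
    smb = header + bytes([3]) + words + struct.pack("<H", len(body)) + body
    return struct.pack(">I", len(smb)) + smb   # NetBIOS session header: type 0 + 3-byte length

if __name__ == "__main__":
    print(parse_session_setup_response(build_sample_response("Unix", "Samba 3.0.24", "THINC.LOCAL")))
```

The same parser can be pointed at the payload of the "SMBs" packet from a tcpdump or ngrep capture on port 139 or 445 to read the exact version string the server volunteers.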