Particle42

SMB

The SMB service can be used to enumerate users or important files that may have been left unattended in one of the shares. Being able to enumerate an SMB service properly is important for gathering as much information as possible.

There are multiple dialects within SMB; SMB 2.0 is the most widely used and SMB 3.0 is the latest entrant. CIFS is an early dialect of SMB and is no longer used because of its maintenance complexity and the security issues that come with it.

NMAP Scripts

Nmap scripts can be used for enumerating various information from an SMB service and also to scan them for vulnerabilities. A simple enumeration of the shares can be done using the following command,

nmap --script /usr/share/nmap/scripts/smb-enum-shares.nse 10.11.1.231

In the Kali operating system various scripts for enumerating and vulnerability scanning can be found under the path "/usr/share/nmap/scripts/".

Enum4linux

Enum4linux is another SMB enumeration tool that can be used for gathering information about the service. An all-encompassing scan can be done using the following command,

enum4linux -a 192.168.1.10

The "-a" flag will run all the tests against the SMB service and list all the information collected. The individual tests can be selected with the following flags,

"-U" - This flag lists the users on the server

"-S" - This flag lists all the shares on the server

"-P" - This flag displays the password policy

"-o" - This flag gives information about the operating system

"-l" - This flag provides limited information about the LDAP service on the system

"-i" - This flag displays any printer information that may be available

"-n" - This flag lists the NetBIOS information on the server

SMBClient

SMBClient can be used for interacting with the shares on the SMB server.

smbclient -L //192.168.1.10/
smbclient -L //192.168.1.10/ -U '' -N    # no username and null password
smbclient --no-pass -L 192.168.1.10
smbclient -L //192.168.1.10/ -U 'domain\user%password'    # -U takes user%password; -p is the port, not the password
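As an added example (not from the original page), a small audit helper that reads the share table printed by the `smbclient -L` listing above and reports which non-admin Disk shares it exposes; run against your own server with `-N`, a non-empty result means anonymous users can see those shares. The listing embedded below is a constructed sample, not output from a real host.

```shell
#!/usr/bin/env bash
# Constructed sample of `smbclient -L //HOST/ -N` output (not a real host).
SAMPLE_SMBCLIENT_L='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      Home Directories
        IPC$            IPC       IPC Service (constructed sample)
        backup          Disk      Nightly backups
Reconnecting with SMB1 for workgroup listing.
'

# Read smbclient -L output on stdin and print one Disk share name per line,
# skipping default/hidden shares whose name ends in "$" (IPC$, print$, C$, ADMIN$).
disk_shares() {
  awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# Exit 0 when the listing on stdin exposes at least one such share, else exit 1.
exposes_disk_shares() {
  [ -n "$(disk_shares)" ]
}

# Stand-alone usage: feed a saved listing, or the live command, into the check.
#   printf '%s\n' "$SAMPLE_SMBCLIENT_L" | disk_shares
#   smbclient -L //192.168.1.10/ -N 2>/dev/null | exposes_disk_shares && echo "anonymous disk shares exposed"
```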

The following command can be used to access the available folders and files,

smbclient //192.168.1.10/home

Once inside the smbclient prompt, files can be downloaded or uploaded, permissions changed, and so on. The following command downloads a file,

get <remote filename> <local filename>

Windows-style share paths use the backslash "\", and when typing such a path in a Linux shell each "\" has to be escaped with another "\". So the command may look like,

smbclient \\\\192.168.1.10\\home

SMBMAP

SMBMap is another tool for accessing an SMB share,

smbmap -H 192.168.1.10
smbmap -H 192.168.1.10 -u '' -p ''
smbmap -H 192.168.1.10 -s share_name    # access a specific share

Crackmapexec

Crackmapexec is an enumeration tool for various services; against an SMB service it can list the shared folders and validate whether a username and password are valid.

crackmapexec smb 192.168.1.10 -u '' -p '' --shares    # the same can be tried with usernames and passwords
crackmapexec smb 192.168.1.10 -u '' -p '' --share share_name
crackmapexec smb 192.168.1.10 -u '' -p '' --shares --pass-pol

Mount SMB Share

Besides browsing the files on the server, the share can also be mounted on the local machine and browsed like an NFS mount.

The following command can be used to mount the share on your local machine,

sudo mount -t cifs //10.1.1.68/IPC /mount/smb -o guest
sudo mount -t cifs //10.1.1.68/IPC /mount/smb -o username='test'

"-t" - This option indicates the type of filesystem. Supported filesystems usually include ext2, ext3, ext4, xfs, btrfs, vfat, sysfs, proc, nfs and cifs (the one used for SMB shares).


Last updated 1 year ago
