139,445 - SMB Pentesting

Hacktricks

Configuration File

 cat /etc/samba/smb.conf | grep -v "#\|\;"   
 smbclient -N -L //10.129.14.128 # List server shares , null session (-N), which is anonymous access without the input of existing users or valid passwords
  smbclient //10.129.14.195/someshare

Footprinting

sudo nmap 10.129.14.128 -sV -sC -p139,445
smbclient //<target>/<share$> -U username%password

RCP (Remote Procedure Call)

A complete list of all these functions can be found on the man page of the rpcclient.

rpcclient -U "" 10.129.14.128
srvinfo 	#Server information.
enumdomains	#Enumerate all domains that are deployed in the network.
querydominfo	#Provides domain, server, and user information of deployed domains.
netshareenumall	#Enumerates all available shares.
netsharegetinfo #<share>	Provides information about a specific share.
enumdomusers	#Enumerates all domain users.
queryuser <RID>	#Provides information about a specific user.
querygroup <RID>

Brute Forcing users ID

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

An alternative to this would be a Python script from Impacket called samrdump.py.

Impacket - Samrdump.py

samrdump.py <IP>

Other Tools

SMBMap and CrackMapExec tools are also widely used and helpful for the enumeration of SMB services.

 smbmap -H <IP>
 smbmap -H <IP> -u user -r --depth 5 # to list all the shares and files
 crackmapexec smb  <IP> --shares -u '' -p ''

tool worth mentioning is the so-called enum4linux-ng,

This tool automates many of the queries, but not all, and can return a large amount of information.

git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt7
 ./enum4linux-ng.py  <IP> -A

We should always use more than one tools!

Cheatsheet https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf