139,445 - SMB Pentesting


Last updated 3 years ago

Configuration File

cat /etc/samba/smb.conf | grep -v "#\|\;"   # print the Samba config without comment lines
smbclient -N -L //10.129.14.128   # List server shares over a null session (-N): anonymous access without an existing user or a valid password
smbclient //10.129.14.195/someshare
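
As an added example (not code from the original cheatsheet), the POSIX shell script below audits an smb.conf for the settings that decide whether the null session shown above (smbclient -N) and guest access to shares are possible, and compares a weak configuration with a hardened one. The parameter names (map to guest, restrict anonymous, null passwords, guest ok, writable, read only) are real Samba options; both sample configs are constructed, and the smb_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: audit an smb.conf for the
# settings that decide whether the anonymous null session shown above
# (smbclient -N) and guest access to shares are possible. The parameter names
# are real Samba options; both config samples are constructed, and the smb_*
# function names are this example's own. Share names are assumed to contain
# no spaces.

# Constructed weak config: guest fallback, anonymous IPC$ allowed, guest share.
WEAK_SMB_CONF='[global]
   workgroup = WORKGROUP
   # unknown users are mapped to the guest account instead of being rejected
   map to guest = Bad User
   ; restrict anonymous = 2   (commented out, so the default of 0 applies)
   null passwords = yes

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[private]
   path = /srv/samba/private
   valid users = alice
'

# Constructed hardened config: no guest mapping, anonymous connections refused.
HARDENED_SMB_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2
   null passwords = no

[private]
   path = /srv/samba/private
   valid users = alice
   read only = no
'

# smb_clean FILE: drop comment lines (leading # or ;) and blank lines. Unlike
# the cheatsheet's grep -v "#\|\;" it keeps lines that merely contain those
# characters inside a value.
smb_clean() {
  grep -v '^[[:space:]]*[#;]' "$1" | grep -v '^[[:space:]]*$'
}

# smb_shares FILE: print every share section name, lowercased, except [global].
smb_shares() {
  smb_clean "$1" | awk '/^[ \t]*\[/ {
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
      s = tolower(s); if (s != "global") print s }'
}

# smb_get FILE SECTION KEY: print the value of KEY inside [SECTION], lowercased
# and trimmed; empty if unset. Section and parameter names are compared
# case-insensitively and ignoring whitespace, as Samba's own parser does.
smb_get() {
  sec=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  key=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]' | tr -d '[:blank:]')
  smb_clean "$1" | awk -v sec="$sec" -v key="$key" '
    /^[ \t]*\[/ {
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
      cur = tolower(s); next
    }
    cur == sec && index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (tolower(k) == key) {
        v = substr($0, index($0, "=") + 1)
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        print tolower(v); exit
      }
    }'
}

# smb_audit FILE: print one FINDING line per exposure. Unset parameters take
# Samba's defaults: map to guest = Never, restrict anonymous = 0,
# null passwords = no, guest ok = no, read only = yes.
smb_audit() {
  f=$1
  v=$(smb_get "$f" global 'map to guest'); [ -n "$v" ] || v=never
  [ "$v" = never ] || echo "FINDING [global] map to guest = $v: logons with an unknown user are mapped to the guest account instead of rejected"
  v=$(smb_get "$f" global 'restrict anonymous'); [ -n "$v" ] || v=0
  [ "$v" -ge 2 ] || echo "FINDING [global] restrict anonymous = $v: anonymous (null session) connections to IPC\$ are permitted; 2 refuses them"
  v=$(smb_get "$f" global 'null passwords'); [ -n "$v" ] || v=no
  [ "$v" = no ] || echo "FINDING [global] null passwords = $v: accounts with an empty password can log on"
  for s in $(smb_shares "$f"); do
    [ "$(smb_get "$f" "$s" 'guest ok')" = yes ] || continue
    w=$(smb_get "$f" "$s" writable); [ -n "$w" ] || w=$(smb_get "$f" "$s" writeable)
    if [ "$w" = yes ] || [ "$(smb_get "$f" "$s" 'read only')" = no ]; then
      echo "FINDING [$s] guest ok = yes and writable: anonymous read and write"
    else
      echo "FINDING [$s] guest ok = yes: anonymous read"
    fi
  done
  return 0
}

# smb_audit_count FILE: number of findings; 0 means the config passed.
smb_audit_count() {
  smb_audit "$1" | awk 'END { print NR }'
}

WEAK_FILE=$(mktemp); printf '%s\n' "$WEAK_SMB_CONF" > "$WEAK_FILE"
HARD_FILE=$(mktemp); printf '%s\n' "$HARDENED_SMB_CONF" > "$HARD_FILE"
echo "weak config:"; smb_audit "$WEAK_FILE"                          # 4 findings
echo "hardened config: $(smb_audit_count "$HARD_FILE") findings"      # 0
```

Run it against a real server's /etc/samba/smb.conf with `smb_audit /etc/samba/smb.conf` to see which of the settings a null session relies on are in effect; `restrict anonymous = 2` is the one that actually refuses the anonymous IPC$ connection, while `map to guest` and `guest ok` govern guest fallback and unauthenticated share access.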

Footprinting

sudo nmap 10.129.14.128 -sV -sC -p139,445
smbclient //<target>/<share$> -U username%password

RPC (Remote Procedure Call)

A complete list of all these functions can be found on the man page of rpcclient.

rpcclient -U "" 10.129.14.128
srvinfo                 # Server information.
enumdomains             # Enumerate all domains that are deployed in the network.
querydominfo            # Provides domain, server, and user information of deployed domains.
netshareenumall         # Enumerates all available shares.
netsharegetinfo <share> # Provides information about a specific share.
enumdomusers            # Enumerates all domain users.
queryuser <RID>         # Provides information about a specific user.
querygroup <RID>        # Provides information about a specific group.

Brute Forcing users ID

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Impacket - samrdump.py

An alternative to this would be a Python script from Impacket called samrdump.py.

samrdump.py <IP>

Other Tools

SMBMap and CrackMapExec are also widely used and helpful tools for the enumeration of SMB services.

smbmap -H <IP>
smbmap -H <IP> -u user -r --depth 5   # list all shares and files recursively
crackmapexec smb <IP> --shares -u '' -p ''

Another tool worth mentioning is the so-called enum4linux-ng. This tool automates many of the queries, but not all, and can return a large amount of information.

git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
./enum4linux-ng.py <IP> -A

We should always use more than one tool!

Cheatsheet

Referenced tools and resources: Hacktricks, the rpcclient man page (Remote Procedure Call), Impacket samrdump.py, SMBMap, CrackMapExec, enum4linux-ng, and https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf