Select a result to preview
SMB is the Windows implementation of a file share. SMB stands for Server Message Block. SMB uses port 445 (TCP), originally ran on NetBIOS port 139. SAMBA is the Linux implementation of SMB, allowing Windows systems to access Linux shares/devices. We can use auxiliary modules to enumerate SMB version, shares, users, and perform brute-force attacks.
# Guest user
smbmap -u guest -p "" -d . -H (IPaddress)
# Administrator
smbmap -u administrator -p smbserver_771 -d . -H (IPaddress)
# List the drives
smbmap -H (IPaddress) -u (username) -p ('password') -L
# List files in C drive
smbmap -H (IPaddress) -u (username) -p ('') -r 'C
**Create and upload a file:**
$ ls
$ touch backdoor
$ smbmap -H (IPaddress) -u (username) -p ('password') --upload '/root/backdoor' 'C$\backdoor'
**Download a file:**
smbmap -H (IPaddress) -u (username) -p ('password') --download 'C$\filename'
## SMB: Samba
nmap -sS (IPaddress)
nmap -sU --top-ports 25 (IPaddress)
nmap -sV -p445 (IPaddress)
nmap (IPaddress) -p 445 --script smb-os-discovery
**Using Metasploit:**
msfconsole
use auxiliary/scanner/smb/smb_version
show options
set RHOSTS (IPaddress)
run
exploit
**Other utilities:**
nmblookup -A (IPaddress)
smbclient -L (IPaddress) -N
rpcclient -U "" -N (IPaddress)
getusername
## SMB: Samba (2)
rpcclient -U "" -N (IPaddress)
enum4linux -o (IPaddress)
smbclient -L (IPaddress) -N
msfconsole
use auxiliary/scanner/smb/smb2
set RHOST (IPaddress)
exploit
**List all users:**
nmap --script smb-enum-users.nse -p445 (IPaddress)
msfconsole
use auxiliary/scanner/smb/smb_enumusers
set RHOST (IPaddress)
exploit
enum4linux -U (IPaddress)
rpcclient -U "" -N (IPaddress)
enumdomusers
**Find SID of admin:**
rpcclient -U "" -N (IPaddress)
lookupnames admin
## SMB: Samba (3)
nmap (IPaddress) --script smb-enum-shares -p445
msfconsole
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS (IPaddress)
exploit
enum4linux -S (IPaddress)
smbclient -L (IPaddress) -N
enum4linux -G (IPaddress)
rpcclient -U "" -N (IPaddress)
enumdomgroups
enum4linux -i (IPaddress)
## Samba Recon: Dictionary Attack
**Using Metasploit:**
msfconsole
use auxiliary/scanner/smb/smb_login
set PASS_FILE (location of the file)
set SMBUser (username)
set RHOST (IPaddress)
exploit
**Using Hydra:**
gzip -d (location)
hydra -l admin -P (location) (IPaddress) smb
**List available named pipes:**
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set SMBUser admin
set SMBPass (password)
set RHOST (IPaddress)
exploit
## SMB Enumeration
nmap -sV -sC -p 445 10.0.22.85
Host script results:
**Using a Metasploit module to obtain the exact SMB version:**
msfconsole
use auxiliary/scanner/smb/smb_version
set RHOSTS 10.0.22.85
run
msf6 auxiliary(scanner/smb/smb_version) > run
[] 10.0.22.85:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:23m 42s) (guid:{6c52a4f5-98fb-49a5-89c7-1440654d62e7}) (authentication domain:VAGRANT-2008R2)
[+] 10.0.22.85:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:VAGRANT-2008R2) (workgroup:WORKGROUP)
[] 10.0.22.85: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) > hosts
exit
## External Sources
- [Microsoft SMB Protocol Overview](https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview)
## Visual Diagram
```mermaid
flowchart TD
A[445 Open]-->B[SMB Version]
B-->C[Shares]
C-->D[Users/Groups]
D-->E[Credential/Exploit Decision]
**Create and upload a file:**
{{CODE_BLOCK_1}}
**Download a file:**
{{CODE_BLOCK_2}}
## SMB: Samba
{{CODE_BLOCK_3}}
**Using Metasploit:**
{{CODE_BLOCK_4}}
**Other utilities:**
{{CODE_BLOCK_5}}
## SMB: Samba (2)
{{CODE_BLOCK_6}}
**List all users:**
{{CODE_BLOCK_7}}
**Find SID of admin:**
{{CODE_BLOCK_8}}
## SMB: Samba (3)
{{CODE_BLOCK_9}}
## Samba Recon: Dictionary Attack
**Using Metasploit:**
{{CODE_BLOCK_10}}
**Using Hydra:**
{{CODE_BLOCK_11}}
**List available named pipes:**
{{CODE_BLOCK_12}}
## SMB Enumeration
{{CODE_BLOCK_13}}
{{CODE_BLOCK_14}}
**Using a Metasploit module to obtain the exact SMB version:**
{{CODE_BLOCK_15}}
{{CODE_BLOCK_16}}
{{CODE_BLOCK_17}}
## External Sources
- [Microsoft SMB Protocol Overview](https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview)
## Visual Diagram
{{CODE_BLOCK_18}}
## Related
- Exam Cram Guide
- Command Dashboard
Powered by Forestry.md