smb :135 :139 :445

version check

• msf:use auxiliary/scanner/smb/smb_version

brute force

• msf:use auxiliary/scanner/ssh/ssh_login

vuln-check

The following are checks for old smb exploits, which I've seen a lot of times when doing old HTB boxes. Hence, have documented these for whenever I come across old smb version.

$ nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery IP

# test for known smb vulns 
# cve2009-3103: ms09-050
nmap --script=smb-vuln-cve2009-3103.nse -p 139,445 IP
nmap --script=smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse -p 139,445 IP

# exploit down
nmap -Pn --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p139,445 IP

# using NMAP lto enumerate shares:
nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse IP

smbclient | smbmap

smbmap -H IP [-P PORT] [-d DOMAIN] [-u USER] [-p PASS] [-s TARGET_SHARE]

smbclient //IP/TARGET_SHARE/PATH -U USER%PASS -p PORT
# -L LIST_SHARES
# -c COMMAND_TO_EXECUTE;
# -N NO_PASSWORD

# copy entire share to local-disk
smbclient '\\IP\TARGET_SHARE' -N -c 'prompt OFF;recurse ON;mget *'
smbget -R smb://IP/TARGET_SHARE --guest

# to read file within smb
more FILENAME

# to copy outside of share
get SHARE_FILE FILENAME

enum4linux

enum4linux -a IP
# -U: get user-list
# -M: get machine-list
# -N: get name-list dump
# -S: get share-list
# -P: get password-policy info
# -G: get group & member list
# -a: get all.

enum4linux-ng.py -A IP [-U USER] [-p PASS]
# -C: enum services
# -R: enum users via RID cycling
# -S: enum shares

Shares (nfs, cifs)

Viewing

showmount -e IP
# -a: List both the client IP and mounted directory in  host:dir  format.
# -d: List only the directories mounted by some client.

Mounting:

NOTE:

• nfs is for UNIX/Linux. cifs is for Windows.

• Mounting NFS through SSH Tunnel

sudo mkdir /mnt/LOCAL_DIR
sudo mount [-t service_name] //IP/TARGET_SHARE/PATH /mnt/LOCAL_DIR [-o rw]
sudo mount [-t service_name] IP:/TARGET_SHARE/PATH /mnt/LOCAL_DIR [-o rw]
sudo mount [-t service_name] -o port=PORT,mountport=PORT,tcp IP:/TARGET_SHARE /mnt/LOCAL_DIR -v

VHD

NOTE:

• Permission issues fix: run sudo su and have interactive root shell.

• Mounting .vhd through remote share

sudo guestmount --add FILE.vhd --inspector --ro /mnt/LOCAL_DIR [-v]

unmount

sudo umount [-f|-l] /mnt/LOCAL_DIR
# -f = force unmount
# -l = lazy unmount