# smb :135 :139 :445 ## version check * msf:`use auxiliary/scanner/smb/smb_version` ## brute force * msf:`use auxiliary/scanner/ssh/ssh_login` ## vuln-check The following are checks for old smb exploits, which I've seen a lot of times when doing old HTB boxes. Hence, have documented these for whenever I come across old smb version. ```bash $ nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery IP # test for known smb vulns # cve2009-3103: ms09-050 nmap --script=smb-vuln-cve2009-3103.nse -p 139,445 IP nmap --script=smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse -p 139,445 IP # exploit down nmap -Pn --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p139,445 IP # using NMAP lto enumerate shares: nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse IP ``` ## smbclient | smbmap ```bash smbmap -H IP [-P PORT] [-d DOMAIN] [-u USER] [-p PASS] [-s TARGET_SHARE] smbclient //IP/TARGET_SHARE/PATH -U USER%PASS -p PORT # -L LIST_SHARES # -c COMMAND_TO_EXECUTE; # -N NO_PASSWORD # copy entire share to local-disk smbclient '\\IP\TARGET_SHARE' -N -c 'prompt OFF;recurse ON;mget *' smbget -R smb://IP/TARGET_SHARE --guest # to read file within smb more FILENAME # to copy outside of share get SHARE_FILE FILENAME ``` ## enum4linux ```bash enum4linux -a IP # -U: get user-list # -M: get machine-list # -N: get name-list dump # -S: get share-list # -P: get password-policy info # -G: get group & member list # -a: get all. enum4linux-ng.py -A IP [-U USER] [-p PASS] # -C: enum services # -R: enum users via RID cycling # -S: enum shares ``` ## Shares (nfs, cifs) ### Viewing ```bash showmount -e IP # -a: List both the client IP and mounted directory in host:dir format. # -d: List only the directories mounted by some client. ``` ### Mounting: **NOTE:** * `nfs` is for UNIX/Linux. `cifs` is for Windows. * [Mounting NFS through SSH Tunnel](http://biowiki.org/wiki/index.php/Mounting_NFSThrough_SSHTunnel) ```bash sudo mkdir /mnt/LOCAL_DIR sudo mount [-t service_name] //IP/TARGET_SHARE/PATH /mnt/LOCAL_DIR [-o rw] sudo mount [-t service_name] IP:/TARGET_SHARE/PATH /mnt/LOCAL_DIR [-o rw] sudo mount [-t service_name] -o port=PORT,mountport=PORT,tcp IP:/TARGET_SHARE /mnt/LOCAL_DIR -v ``` ### VHD **NOTE:** * Permission issues fix: run `sudo su` and have interactive root shell. * [Mounting .vhd through remote share](https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25) ```bash sudo guestmount --add FILE.vhd --inspector --ro /mnt/LOCAL_DIR [-v] ``` ### unmount ```bash sudo umount [-f|-l] /mnt/LOCAL_DIR # -f = force unmount # -l = lazy unmount ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/kashz-jewels/protocols/smb-135-139-445.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.