2 :139 :445 smb

$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse $ip -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-23 11:33 PDT
Nmap scan report for 192.168.175.64
Host is up (0.072s latency).

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.175.64\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba 4.9.5-Debian)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.175.64\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.168.175.64\zino:
|     Type: STYPE_DISKTREE
|     Comment: Logs
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\peter
|     Anonymous access: READ
|_    Current user access: READ

$ smbmap -H $ip
[+] IP: 192.168.175.64:445      Name: 192.168.175.64
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        zino                                                    READ ONLY       Logs
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.5-Debian)

$ smbclient //192.168.175.64/zino
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Jul  9 12:11:49 2020
  ..                                  D        0  Tue Apr 28 06:38:53 2020
  .bash_history                       H        0  Tue Apr 28 08:35:28 2020
  error.log                           N      265  Tue Apr 28 07:07:32 2020
  .bash_logout                        H      220  Tue Apr 28 06:38:53 2020
  local.txt                           N       33  Mon Aug 23 11:26:47 2021
  .bashrc                             H     3526  Tue Apr 28 06:38:53 2020
  .gnupg                             DH        0  Tue Apr 28 07:17:02 2020
  .profile                            H      807  Tue Apr 28 06:38:53 2020
  misc.log                            N      424  Tue Apr 28 07:08:15 2020
  auth.log                            N      368  Tue Apr 28 07:07:54 2020
  access.log                          N     5464  Tue Apr 28 07:07:09 2020
  ftp                                 D        0  Tue Apr 28 07:12:56 
  
# definitely some /home/user directory
# we got local.txt

$ cat auth.log
Apr 28 08:16:54 zino groupadd[1044]: new group: name=peter, GID=1001
Apr 28 08:16:54 zino useradd[1048]: new user: name=peter, UID=1001, GID=1001, home=/home/peter, shell=/bin/bash
Apr 28 08:17:01 zino passwd[1056]: pam_unix(passwd:chauthtok): password changed for peter
Apr 28 08:17:01 zino CRON[1058]: pam_unix(cron:session): session opened for user root by (uid=0)

$ cat error.log
[Tue Apr 28 08:04:48.610828 2020] [mpm_prefork:notice] [pid 498] AH00163: Apache/2.4.38 (Debian) mod_wsgi/4.6.5 Python/2.7 configured -- resuming normal operations
[Tue Apr 28 08:04:48.610841 2020] [core:notice] [pid 498] AH00094: Command line: '/usr/sbin/apache2'

$ cat misc.log
Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files...
Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output)
Apr 28 08:39:01 zino systemd[1]: phpsessionclean.service: Succeeded.
Apr 28 08:39:01 zino systemd[1]: Started Clean php session files.
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"

$ cat access.log
# contains requests for differet URIs
GET /booked/
GET /booked/Web/
GET /booked/Web/dashboard.php

Previous3 :8003 Next1 recon

Last updated 3 years ago

$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse $ip -Pn Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-23 11:33 PDT Nmap scan report for 192.168.175.64 Host is up (0.072s latency). Host script results: | smb-enum-shares: | account_used: guest | \\192.168.175.64\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (Samba 4.9.5-Debian) | Users: 1 | Max Users: <unlimited> | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\192.168.175.64\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: <unlimited> | Path: C:\var\lib\samba\printers | Anonymous access: <none> | Current user access: <none> | \\192.168.175.64\zino: | Type: STYPE_DISKTREE | Comment: Logs | Users: 0 | Max Users: <unlimited> | Path: C:\home\peter | Anonymous access: READ |_ Current user access: READ $ smbmap -H $ip [+] IP: 192.168.175.64:445 Name: 192.168.175.64 Disk Permissions Comment ---- ----------- ------- zino READ ONLY Logs print$ NO ACCESS Printer Drivers IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian) $ smbclient //192.168.175.64/zino Enter WORKGROUP\kashz's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Thu Jul 9 12:11:49 2020 .. D 0 Tue Apr 28 06:38:53 2020 .bash_history H 0 Tue Apr 28 08:35:28 2020 error.log N 265 Tue Apr 28 07:07:32 2020 .bash_logout H 220 Tue Apr 28 06:38:53 2020 local.txt N 33 Mon Aug 23 11:26:47 2021 .bashrc H 3526 Tue Apr 28 06:38:53 2020 .gnupg DH 0 Tue Apr 28 07:17:02 2020 .profile H 807 Tue Apr 28 06:38:53 2020 misc.log N 424 Tue Apr 28 07:08:15 2020 auth.log N 368 Tue Apr 28 07:07:54 2020 access.log N 5464 Tue Apr 28 07:07:09 2020 ftp D 0 Tue Apr 28 07:12:56 # definitely some /home/user directory # we got local.txt $ cat auth.log Apr 28 08:16:54 zino groupadd[1044]: new group: name=peter, GID=1001 Apr 28 08:16:54 zino useradd[1048]: new user: name=peter, UID=1001, GID=1001, home=/home/peter, shell=/bin/bash Apr 28 08:17:01 zino passwd[1056]: pam_unix(passwd:chauthtok): password changed for peter Apr 28 08:17:01 zino CRON[1058]: pam_unix(cron:session): session opened for user root by (uid=0) $ cat error.log [Tue Apr 28 08:04:48.610828 2020] [mpm_prefork:notice] [pid 498] AH00163: Apache/2.4.38 (Debian) mod_wsgi/4.6.5 Python/2.7 configured -- resuming normal operations [Tue Apr 28 08:04:48.610841 2020] [core:notice] [pid 498] AH00094: Command line: '/usr/sbin/apache2' $ cat misc.log Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files... Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output) Apr 28 08:39:01 zino systemd[1]: phpsessionclean.service: Succeeded. Apr 28 08:39:01 zino systemd[1]: Started Clean php session files. Apr 28 08:39:01 zino systemd[1]: Set application username "admin" Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin" $ cat access.log # contains requests for differet URIs GET /booked/ GET /booked/Web/ GET /booked/Web/dashboard.php