Enumerating SMB Services
The SMB (NetBIOS) service listens on TCP ports 139 and 445 and on several UDP ports.
SMB1 - Windows 2000, XP, and Windows 2003
SMB2 - Windows Vista SP1 and Windows 2008
SMB2.1 - Windows 7 and Windows 2008 R2
SMB3 - Windows 8 and Windows 2012
Map a share using the net use command (the syntax is net use DRIVE: \\SERVER\SHARE [PASSWORD] /user:USER):
net use s: \\TARGET_IP\movies
net use s: \\TARGET_IP\movies Pa$$word /user:HTG
net use \\TARGET_IP\ipc$ "" /user:"" (anonymous null session)
net use s: \\TARGET_IP\share password /user:domain\janedoe /savecred /p:no
Example: net use s: "\\10.11.1.136\Bob Share" bobiscrazy /user:bob
SMB Null Session
SMB Null Session Enumeration
rpcclient -U "" TARGET_IP (press Enter for an empty password)
Some useful commands inside rpcclient:
srvinfo (identify the OS version)
netshareenumall (list all shares)
lsaquery
enumprivs
enumdomusers (list the users on the server)
querydominfo (get the domain password policy)
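From the defender's side, the anonymous IPC$ connections above (net use with an empty user, rpcclient -U "") appear in the Windows Security log as an ANONYMOUS LOGON network logon (event 4624, logon type 3) followed by a share access (event 5140) for IPC$. The script below is an added example, not part of these notes; it correlates the two over constructed records, and the flattened field names assume a SIEM export of the event data. Event 5140 requires the "Audit File Share" subcategory to be enabled.

```python
"""Flag null-session (anonymous) access to IPC$ in Windows Security log records."""
import re

# Constructed sample records (assumption: a SIEM has flattened the event fields).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.11.1.50",
     "TargetLogonId": "0x3e7a1"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectLogonId": "0x3e7a1", "IpAddress": "10.11.1.50",
     "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5140, "SubjectUserName": "janedoe", "SubjectLogonId": "0x5c2b0",
     "IpAddress": "10.11.1.60", "ShareName": "\\\\*\\movies"},
    # A machine account touching IPC$ is normal and must not be flagged.
    {"EventID": 5140, "SubjectUserName": "SRV01$", "SubjectLogonId": "0x12ab",
     "IpAddress": "10.11.1.5", "ShareName": "\\\\*\\IPC$"},
]

ANON_USER = "ANONYMOUS LOGON"
IPC_SHARE_RE = re.compile(r"\\IPC\$$", re.IGNORECASE)


def find_null_session_enum(events):
    """Return one finding per IPC$ access made by an anonymous logon.

    A 4624 ANONYMOUS LOGON on its own is noisy (Windows logs it for ordinary SMB
    negotiation), so a finding requires a 5140 IPC$ access whose logon ID maps to
    an anonymous type-3 logon, or whose subject is itself ANONYMOUS LOGON.
    """
    anon_logons = {}
    for ev in events:
        if (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName", "").upper() == ANON_USER):
            anon_logons[ev["TargetLogonId"]] = ev.get("IpAddress", "?")
    findings = []
    for ev in events:
        if ev.get("EventID") != 5140 or not IPC_SHARE_RE.search(ev.get("ShareName", "")):
            continue
        lid = ev.get("SubjectLogonId")
        if lid in anon_logons or ev.get("SubjectUserName", "").upper() == ANON_USER:
            findings.append({"source": ev.get("IpAddress", anon_logons.get(lid, "?")),
                             "logon_id": lid, "share": ev["ShareName"]})
    return findings


if __name__ == "__main__":
    for f in find_null_session_enum(SAMPLE_EVENTS):
        print(f"null session from {f['source']} (logon {f['logon_id']}) opened {f['share']}")
```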
Using nbtscan
- Using nbtscan to scan a host range for SMB and credentials:
nbtscan -r TARGET_IP/24
nbtscan TARGET_IP
- Discover Windows/Samba servers on a subnet; finds Windows MAC addresses, NetBIOS names, and the client workgroup/domain:
nbtscan 192.168.1.0/24
- Display the nbtscan version:
nbtscan -v
- Show the full NBT resource record responses for each machine scanned instead of a one-line summary; use this option when scanning a single host:
nbtscan -f target(s)
- Sends output to a file:
nbtscan -O file-name.txt target(s)
- Generate an HTTP header:
nbtscan -H
- Generate Perl hashref output, which can be loaded into an existing program for further processing (much easier than parsing the text output):
nbtscan -P
- Enable verbose mode:
nbtscan -V
- Turn off the inverse name lookup (useful when name resolution hangs):
nbtscan -n
- This allows the specification of a UDP port number to be used as the source in sending a query:
nbtscan -p PORT target(s)
- Include the MAC (Ethernet) addresses in the response (already implied by the -f option):
nbtscan -m
- Discovers IP, MAC Address, and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site:
netdiscover -r 192.168.1.0/24
- Another SMB enumerator:
enum4linux -a TARGET_IP