Scanning SMB Services with NMAP

Metasploit Nmap Wrapper

Using the nmap wrapper inside Metasploit automatically saves the results to its database, which makes later searches much easier.

  • Open msfconsole:
msf> db_nmap -vvv -sV -A <TARGET_IP>

msf> db_nmap -vvv -sS -A -T5 --script all <TARGET_IP> -e tap0 --script-args 'mtrace.fromip=<ATTACKER_IP>'

msf> db_nmap -PN -n --script smb-check-vulns.nse --script-args=unsafe=1 -p445 <TARGET_IP>

If we already have nmap scan results, we can import them in metasploit:

  • Ensure that msfconsole is connected to PostgreSQL:
msf> db_status
  • From within msfconsole import your scan data:
msf> db_import 192.168_scan.xml
  • Use hosts -u to get a list of only hosts that respond to ping and are believed to be up:
msf> hosts -u
  • The -p flag only lists specific ports you’re interested in:
msf> services -p 445 -u
  • To set the RHOSTS in the metasploit modules:
msf> services -p 445 -R

Scan a host range for SMB open ports

SMB uses two ports: 139 and 445:

  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.

  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

nmap -v -p 139,445 -oG smb.txt <TARGET_IP>
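As an added example (not part of the original page), a small Python parser for the grepable file written by the command above, reporting which scanned hosts answered with 139 or 445 open; the sample output and the 192.0.2.x addresses are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output, as produced by
# `nmap -v -p 139,445 -oG smb.txt 192.0.2.0/28`; the addresses are made up.
SAMPLE_OG = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 (fileserver.example)\tStatus: Up
Host: 192.0.2.11 (fileserver.example)\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.12 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 10:00:05 2024 -- 16 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

def parse_grepable(text: str) -> Dict[str, Dict[Tuple[int, str], Tuple[str, str]]]:
    """Parse -oG output into {ip: {(port, proto): (state, service)}}."""
    results: Dict[str, Dict[Tuple[int, str], Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # '#' banner and footer lines
        host_part, _, rest = line[len("Host:"):].strip().partition("\t")
        ip = host_part.split()[0]          # drop the "(hostname)" part
        results.setdefault(ip, {})         # a host may appear on several lines
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue                   # e.g. "Status: Up", "Ignored State: ..."
            for entry in value.split(","):
                # Layout of each entry: port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                results[ip][(port, proto)] = (state, service)
    return results

def open_smb_ports(scan, smb_ports: Tuple[int, ...] = (139, 445)) -> Dict[str, List[int]]:
    """For every host seen, list which SMB TCP ports nmap reported as open."""
    return {ip: sorted(p for (p, proto), (state, _) in ports.items()
                       if proto == "tcp" and p in smb_ports and state == "open")
            for ip, ports in scan.items()}

def smb_exposed(scan) -> List[str]:
    """Hosts with at least one SMB port open, sorted for stable reporting."""
    return sorted(ip for ip, ports in open_smb_ports(scan).items() if ports)

if __name__ == "__main__":
    for ip, ports in open_smb_ports(parse_grepable(SAMPLE_OG)).items():
        print(ip, ports or "no SMB ports open")
```

Hosts whose ports all came back filtered (192.0.2.12 here) are kept in the result with an empty list, so a firewalled host is distinguishable from one that was never scanned.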

Enumerate shares

Using nmap we can enumerate a machine's SMB shares. Nmap's scripting engine (NSE) automates a wide variety of networking tasks through scripts.

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <TARGET_IP>

Scan for SMB Vulns

nmap -sU -sS --script "smb-vuln*" --script-args unsafe=1 <TARGET_IP>
nmap -sU -sS -p T:139,445,U:137 --script "smb-vuln*" --script-args unsafe=1 <TARGET_IP>

Run the nmap NSE script to better identify the OS fingerprint

nmap --script smb-os-discovery.nse <TARGET_IP>

Enumerate users from SMB

python /usr/share/doc/python-impacket/examples/samrdump.py <TARGET_IP>

ridenum <TARGET_IP> 500 50000 /usr/share/wordlists/rockyou.txt

RPCBind

Sometimes, when we run an nmap port scan, we'll see port 111 running the rpcbind service. This is simply a server that maps Remote Procedure Call (RPC) program numbers to universal addresses. When an RPC service starts, it registers with rpcbind the address it is listening on and the RPC program number it is prepared to serve.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <TARGET_IP>

More Tools

nmblookup -A <TARGET_IP>

smbclient //MOUNT/share -I <TARGET_IP> -N

rpcclient -U "" <TARGET_IP>

enum4linux <TARGET_IP>