Scanning SMB Services with NMAP
Metasploit Nmap Wrapper
Using the nmap wrapper inside Metasploit automatically saves the results in its database, which makes later searches much easier.
- Open msfconsole:
msf> db_nmap -vvv -sV -A <TARGET_IP>
msf> db_nmap -vvv -sS -A -T5 --script all <TARGET_IP> -e tap0 --script-args 'mtrace.fromip=<ATTACKER_IP>'
msf> db_nmap -PN -n --script smb-check-vulns.nse --script-args=unsafe=1 -p445 <TARGET_IP>
If we already have nmap scan results, we can import them into Metasploit:
- Ensure that msfconsole is connected to PostgreSQL:
msf> db_status
- From within msfconsole, import your scan data:
msf> db_import 192.168_scan.xml
- Use hosts -u to list only the hosts that responded to ping and are believed to be up:
msf> hosts -u
- The -p flag lists only the specific ports you're interested in:
msf> services -p 445 -u
- To set RHOSTS for the Metasploit modules:
msf> services -p 445 -R
Scan a host range for SMB open ports
SMB uses two ports, 139 and 445:
Port 139: SMB originally ran on top of NetBIOS over TCP using port 139. NetBIOS is an older transport layer that lets Windows computers talk to each other on the same network.
Port 445: Later versions of SMB (after Windows 2000) began to use port 445 directly on top of TCP, without NetBIOS. Using TCP allows SMB to work over the internet.
nmap -v -p 139,445 -oG smb.txt <TARGET_IP>
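As an added example that is not part of the original notes, a small Python parser for the grepable smb.txt written by the command above; it reports which scanned hosts actually have 139 or 445 open, which is the list a defender wants when inventorying SMB exposure on a range. The sample output embedded in it is constructed, not a real scan.

```python
import ipaddress
import re

# Constructed sample of nmap grepable (-oG) output for a 139,445 scan; not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.0.2.3 (fileserver.example)\tStatus: Up
Host: 192.0.2.3 (fileserver.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 12:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated fields such as "Status:" or "Ports:".
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {(proto, port): state}} built from every 'Ports:' record in the output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if line.startswith("#") or not m:
            continue  # header/footer comment lines and anything unexpected
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            # Each entry is port/state/proto/owner/service/rpc/version/ (later fields may be empty).
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                hosts.setdefault(ip, {})[(parts[2], int(parts[0]))] = parts[1]
    return hosts

SMB_PORTS = {("tcp", 139), ("tcp", 445)}

def smb_exposed(hosts):
    """List (ip, [open SMB ports]) for hosts with 139 or 445 open, ordered by address (one address family per scan)."""
    result = []
    for ip, ports in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        open_smb = sorted(port for (proto, port), state in ports.items()
                          if (proto, port) in SMB_PORTS and state == "open")
        if open_smb:
            result.append((ip, open_smb))
    return result

if __name__ == "__main__":
    for ip, ports in smb_exposed(parse_gnmap(SAMPLE_GNMAP)):
        print(ip, ports)
```

Replace SAMPLE_GNMAP with the contents of smb.txt to run it against a real scan; a host whose SMB ports are only "filtered" or "closed" is deliberately left out of the exposure list.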
Enumerate shares
Using nmap we can enumerate a machine's SMB shares. Nmap can automate a wide variety of networking tasks using NSE scripts.
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <TARGET_IP>
Scan for SMB Vulns
nmap -sU -sS --script smb-vuln* --script-args unsafe=1 <TARGET_IP>
nmap -sU -sS -p T:139,445,U:137 --script smb-vuln* --script-args unsafe=1 <TARGET_IP>
Run the nmap NSE script to better identify the OS fingerprint:
nmap --script smb-os-discovery.nse <TARGET_IP>
Enumerate users from SMB
python /usr/share/doc/python-impacket/examples/samrdump.py <TARGET_IP>
ridenum <TARGET_IP> 500 50000 /usr/share/wordlists/rockyou.txt
RPCBind
Sometimes, when we run an nmap port scan, we'll see port 111 running the rpcbind service. This is just a server that converts Remote Procedure Call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <TARGET_IP>
More Tools
nmblookup -A <TARGET_IP>
smbclient //MOUNT/share -I <TARGET_IP> -N
rpcclient -U "" <TARGET_IP>
enum4linux <TARGET_IP>