SMB

Server message block

default config

cat /etc/samba/smb.conf | grep -v "#\|\;"

dangerous settings
- browseable = yes
- read only = no
- writable = yes
- guest ok = yes
- enable privileges = yes
- create mask = 0777
- directory mask = 0777
- logon script = script.sh
- magic script = script.sh
- magic output = script.out
restart service
- sudo systemctl restart smbd

connect

lists shares on server
```
smbclient -N -L //10.129.14.128
```
connect to notes share
```
smbclient //10.129.14.128/notes
```

To connect to smb with a user specify '-U user'

get status
- smbstatus
nmap
- nmap 10.129.14.128 -sV -sC -p139,445
rpclient
- rpcclient -U "" 10.129.14.128
- can offer us different requests
  - srvinfo - server info
  - enumdomains - enumerate all domains
  - querydominfo - provides domains, server and user info
  - netshareenumall - enumerates all shares
  - netsharegetinfo <share> - enumerates specific share
  - enumdomusers - enumerates all domain users
  - queryuser <rid> - enumerates specific user

Brute force user RIDs

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

alternative to this is to use samrdump.py from impacket.
```
samrdump.py 10.129.14.128
```

smbmap
- smbmap -H 10.129.14.128

crackmapexec

crackmapexec smb 10.129.14.128 --shares -u '' -p ''

enum4linux
- enum4linux-ng.py 10.129.14.128 -A

PreviousFTP NextNFS

Last updated 7 months ago