Scan for popular RCE exploits.
sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln
Identify the SMB/OS version.
nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr>
To list out the shares and associated permissions:
smbmap -H <ip-addr>
To list out the shares recursively:
smbmap -R <sharename> -H <ip-addr>
To list shares as an authenticated user:
smbmap -d <domain> -u <username> -p <password> -H <ip-addr>
To download a particular file.
smbmap -R <sharename> -H <ip-addr> -A <filename> -q
To list out the shares:
smbclient -L \\\\<ip-addr>
To connect to shares:
sudo smbclient \\\\<ip-addr>\\<share>
Once connected, you can download files. You’ll want to disable interactive prompts and turn recursive mode ON.
smb: /> prompt
smb: /> recurse
smb: /> mget *
Testing for Null Sessions:
To test for null sessions, you can use the following command. If it connects, then you’ll be able to issue rpc client commands for further enumeration.
rpcclient -U "" -N [ip]
-U "" = Null Session
-N = No Password
The following command will attempt to establish a null session with the target and then use RPC to extract useful information.
enum4linux -a [ip]
Example output is long, but some highlights to look for:
- Listing of file shares and printers.
- Domain/Workgroup information.
- Password policy information.
- RID cycling output to enumerate users and groups.
Mounting SMB Shares
The following command will mount the remote file-share to /mnt/smb/ (this directory must exist first) and prompt you for the password.
mount -t cifs -o username=<user> //<targetIP>/<shareName> /mnt/smb/
Gaining a Shell
Once you have valid credentials on the machine, or a valid NTLM hash, you can leverage the following guide to gain a shell.
Enumerating SMB Version
If your tools aren’t working to enumerate the version, you can establish a connection via smbclient and then extract the Samba/SMB version through a packetcapture. To automate the process, you can use the script available at https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh
Troubleshooting Common Errors:
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
This error occurs because your modern tools are not able to communicate to older, insecure protocols. You just need to tell your smbd daemon to use the weaker and more insecure protocols.
Note: If you are using smbd in real life for file and printer sharing, I don’t recommend leaving you system like this.
Open the following files in your favorite text editor.
Find the Global section, and add the following line.
client min protocol = LANMAN1
With that line added, restart your smdb service and you should now be able to connect.
service smbd restart