445 tcp - SMB
references:
SMBCLient
smbclient -L \\192.168.1.5
Enter WORKGROUP\root's password:
# Sharename Type Comment
# --------- ---- -------
# IPC$ IPC Remote IPC
# share Disk
# wwwroot Disk
# ADMIN$ Disk Remote Admin
# C$ Disk Default share
# Reconnecting with SMB1 for workgroup listing.
#Server Comment
# --------- -------
#Workgroup Master
# --------- -------NMBLookup
nmblookup -A 192.168.0.5
# Looking up status of [ip]
# [hostname] <00> - M <ACTIVE>
# [hostname] <20> - M <ACTIVE>
# WORKGROUP <00> - <GROUP> M <ACTIVE>
# WORKGROUP <1e> - <GROUP> M <ACTIVE>
# <03> - M <ACTIVE>
# INet~Services <1c> - <GROUP> M <ACTIVE>
# IS~[hostname] <00> - M <ACTIVE>
# MAC Address = 00-50-56-XX-XX-XXSMBClient
# use smb1
smbclient -L //10.10.10.10 --option='client min protocol=NT1' -U"administrator"
# no pass
smbclient -L //10.10.10.10 -NNmap Scan
nmap -v -p 139,445 -oG smb.txt 10.11.24.1-100
# smb enum script
nmap -p 139,445 --script smb-enum-users <ipaddress_here>
# Checks for OS of SMB
nmap -v -p 139,445 --script smb-os-discovery 10.11.24.85
#Checks for smb vulnerability
nmap -v -p 139,445 --script vuln <ipaddress_here>NBTScan
nbtscan -r 10.11.24.0/24
RPCClient
Null sessions, In windows NT2000/XP default config for SMB allows for nullsessions to be created. In windows 2003/XP SP2 onwards, this is disabled. Use RPCClient to explore nullsessions.
Rpcclient -U "" 129.168.1.200
#Server info such as OS version, server type
srvinfo
#Users information
enumdomusers
#Show password policy
getdompwinfo
#Domain info
querydomaininfo
#find net share
netshareenum
Enum4Linux
enum4linux -v 192.168.1.200
SMBMap
smbmap -H 192.168.1.5
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445 Name: [ip]
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESSLast updated
Was this helpful?