# 139/445 - NetBIOS/SMB

### NetBIOS/Server Message Block

NetBIOS listens on TCP 139 and several UDP ports. SMB (TCP 445) and NetBIOS are separate protocols; however, modern implementations of SMB often utilize NetBIOS over TCP for backwards compatibility. SMB has a history of vulnerabilities but we are primarily interested in SMB for enumeration of shares to search for credentials, backups and other information that may help us gain a foothold.

We can search for NetBIOS/SMB hosts using nmap or nbtscan:

```
nmap -v -p 139,445 10.11.1.1-254 
sudo nbtscan -r 10.11.1.0/24 
```

#### NSE scripts

* Viewable with `ls -l /usr/share/nmap/scripts/smb*`

```
# quote the wildcards so the shell does not expand them against local files
nmap -p 139,445 --script="smb*" 10.11.1.75
nmap --script="smb-enum*" 10.11.1.227
nmap -p 139,445 --script=smb-enum-users 10.11.1.75
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-245 --open
nmap --script="smb-vuln-*" 10.10.10.40
nmap -p 139,445 --script=smb-os-discovery 10.10.10.40
```
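The grepable file written by the `-oG smb.txt` scan above can be reduced to a list of hosts where 139 or 445 is actually open, which is handy for an inventory of SMB exposure. This is an added example, not part of the original notes; the function names `smb_hosts` and `sample_scan` are hypothetical and the scan lines are constructed sample data.

```bash
#!/usr/bin/env bash
# smb_hosts [FILE]: read Nmap grepable (-oG) output from FILE or stdin and
# print "address<TAB>ports" for every host with TCP 139 and/or 445 open.
# A plain `grep 445` would also match filtered or closed entries, so the
# state field of each port entry is checked explicitly.
smb_hosts() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " ")              # "Host: 10.11.1.5 ()" -> h[2] is the address
      found = ""
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        p = $i
        sub(/^Ports: /, "", p)
        n = split(p, entries, ", ")
        for (j = 1; j <= n; j++) {
          # entry layout: port/state/protocol/owner/service/rpcinfo/version/
          split(entries[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp" && (f[1] == "139" || f[1] == "445"))
            found = found (found != "" ? "," : "") f[1]
        }
      }
      if (found != "") print h[2] "\t" found
    }' "${1:--}"
}

# Constructed sample of -oG output (not from a real scan). The last host has
# both ports closed and is included only to exercise the state filter.
sample_scan() {
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
  printf 'Host: 10.11.1.31 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.31 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
  printf 'Host: 10.11.1.44 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///\n'
}

sample_scan | smb_hosts
```

Against a real scan, run `smb_hosts smb.txt`.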

#### CrackMapExec

```
crackmapexec smb $ip_range -u '' -p ''    # enumerate null shares
crackmapexec smb $ip_range --pass-pol
crackmapexec smb $ip_range --users
crackmapexec smb $ip_range --groups
crackmapexec smb $ip_range -u user -p 'password' -d domain --shares
crackmapexec smb $ip_address -u user -p 'password' -d domain --shares --spider "C$" --pattern "pass"
```

### smbclient

```
smbclient -L \\\\$ip\\ -U [[domain\\]username]
smbclient -L \\\\$ip\\
smbclient -L \\\\$ip\\$share

# connect to share
smbclient \\\\$ip\\$share 
smbclient \\\\$ip\\$share -U domain\\username
```

### enum4linux

```
enum4linux 10.11.1.127
enum4linux -a -v 10.11.1.227
```

### showmount

```
showmount -a $targetip    # all
showmount -e $targetip    # exports
```

### mount

```
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share
```

### Download shares

```
get log.txt    # inside an smbclient session; allows you to download single files
smbget -R smb://ipaddress/sharename
```

### smbclient.py

```
python3 /opt/impacket/examples/smbclient.py username@target-ip
python3 /opt/impacket/examples/smbclient.py 'username'@target-ip
python3 /opt/impacket/examples/smbclient.py ''@target-ip
```

### Eternal Blue

* Metasploit module available, search MS17-010 in MSFconsole
* Manual - <https://github.com/3ndG4me/AutoBlue-MS17-010>
* Link includes a Python script, **eternal\_checker.py**, to check for the vulnerability


