On Cyber War

139/445 - NetBIOS/SMB

NetBIOS/Server Message Block

NetBIOS listens on TCP 139 and several UDP ports. SMB (TCP 445) and NetBIOS are separate protocols; however, modern SMB implementations often still carry SMB over NetBIOS for backwards compatibility. SMB has a long history of vulnerabilities, but here we are primarily interested in enumerating shares to search for credentials, backups and other information that may help us gain a foothold.

We can search for NetBIOS/SMB hosts using nmap or nbtscan:

nmap -v -p 139,445 10.11.1.1-254 
sudo nbtscan -r 10.11.1.0/24 

NSE scripts

  • Viewable with ls -l /usr/share/nmap/scripts/smb*

nmap -p 139,445 --script=smb* 10.11.1.75
nmap --script=smb-enum* 10.11.1.227
nmap -p 139,445 --script=smb-enum-users 10.11.1.75
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-245 --open
nmap --script smb-vuln-* 10.10.10.40
nmap -p 139,445 --script=smb-os-discovery 10.10.10.40
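As an added example (not from the original page), a small parser for the grepable smb.txt written by the -oG command above: it turns a range scan into an inventory of which hosts expose SMB directly on 445 and which only answer NetBIOS on 139, a useful first check of SMB exposure across a subnet. The sample output, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (-oG), as produced by a scan like
# `nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254 --open`. Addresses are made up.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254 --open
Host: 10.11.1.5 (dc01.lab.local)\tStatus: Up
Host: 10.11.1.5 (dc01.lab.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.11.1.22 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (1)
Host: 10.11.1.31 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.11.1.40 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 10:00:09 2024 -- 254 IP addresses (4 hosts up) scanned in 9.12 seconds
"""

# "Host: <ip> (<hostname>)<TAB><rest>"; comment lines starting with '#' do not match.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "open": {port: service}}} from -oG output.
    Only TCP ports in state 'open' are kept; closed/filtered entries are dropped."""
    hosts = defaultdict(lambda: {"hostname": "", "open": {}})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        hosts[ip]["hostname"] = name
        for field in rest.split("\t"):          # e.g. "Ports: ...", "Ignored State: ..."
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # each entry is port/state/protocol/owner/service/rpcinfo/version/
                port, state, proto, _owner, service = entry.split("/")[:5]
                if state == "open" and proto == "tcp":
                    hosts[ip]["open"][int(port)] = service
    return dict(hosts)


def smb_exposure(text):
    """Classify each scanned host: 'smb' (445 open), 'netbios-only' (139 only) or None."""
    result = {}
    for ip, info in parse_grepable(text).items():
        ports = info["open"]
        result[ip] = "smb" if 445 in ports else "netbios-only" if 139 in ports else None
    return result


if __name__ == "__main__":
    for ip, kind in smb_exposure(SAMPLE_OG).items():
        print(f"{ip:<14} {kind}")
```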

CrackMapExec

crackmapexec smb $ip_range -u '' -p ''    # null session (enumerate null shares)
crackmapexec smb $ip_range --pass-pol
crackmapexec smb $ip_range --users
crackmapexec smb $ip_range --groups
crackmapexec smb $ip_range -u user -p 'password' -d domain --shares
crackmapexec smb $ip_address -u user -p 'password' -d domain --shares --spider "C$" --pattern "pass"

smbclient

smbclient -L \\\\$ip -U [domain\\]username
smbclient -L \\\\$ip\\
smbclient -L \\\\$ip\\$share

# connect to share
smbclient \\\\$ip\\$share 
smbclient \\\\$ip\\$share -U domain\\username

enum4linux

enum4linux 10.11.1.127
enum4linux -a -v 10.11.1.227

showmount

showmount -a $targetip    # all mount points
showmount -e $targetip    # exports

mount

mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

Download shares

get log.txt                            # inside an smbclient session: download a single file
smbget -R smb://ipaddress/sharename    # recursively download a whole share

smbclient.py

python3 /opt/impacket/examples/smbclient.py username@target-ip
python3 /opt/impacket/examples/smbclient.py 'username'@target-ip
python3 /opt/impacket/examples/smbclient.py ''@target-ip

Eternal Blue

  • Metasploit module available: search for MS17-010 in msfconsole

  • The repository linked below includes a Python script, eternal_checker.py, to check whether a host is vulnerable



Manual - https://github.com/3ndG4me/AutoBlue-MS17-010