Rights and access to shares are controlled by the ACL (Access Control List).
Samba is the SMB implementation for Linux. It lets Linux systems communicate with (newer) Windows systems over SMB, and it also speaks CIFS, a dialect of SMB.
Enumeration
smbclient
Listing shares with no authentication
smbclient -U '' -L \\\\192.168.184.117\\
# Sometimes it is worth trying the 'guest' and 'anonymous' accounts as well
smbclient -U 'guest' -L \\\\192.168.184.117\\
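A helper for working with the listing above, added here as an example (it is not part of the original cheatsheet): `disk_shares` parses the share table that `smbclient -L` prints and keeps only Disk shares (dropping IPC$ and printer shares, and handling share names that contain spaces), and `audit_host` feeds each of those back into `smbclient -N` to flag shares that a null session can list, which is the condition a defender wants to find and remove. The sample listing embedded in the script is constructed; `audit_host` assumes `smbclient` is installed and is not run by the offline demo at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Constructed sample of what `smbclient -L //host` prints (leading whitespace
# as smbclient emits it); used so the parser can be exercised offline.
SAMPLE_LISTING='
        Sharename         Type      Comment
        ---------         ----      -------
        print$            Disk      Printer Drivers
        new-site          Disk      Web content
        Department Shares Disk      Shared dept folders
        IPC$              IPC       IPC Service (Samba 4.13.17)
        HP-LaserJet       Printer   HP LaserJet 4050
SMB1 disabled -- no workgroup available
'

# disk_shares: read smbclient -L output on stdin and print one Disk share per line.
# The share name is every field before the first Type token (Disk/IPC/Printer),
# so names containing spaces survive; IPC$ and printer shares are skipped.
# Hidden/admin shares ending in $ are kept, since those are worth auditing too.
disk_shares() {
    awk '{
        for (i = 2; i <= NF; i++) {
            if ($i == "Disk" || $i == "IPC" || $i == "Printer") {
                if ($i == "Disk") {
                    name = $1
                    for (j = 2; j < i; j++) name = name " " $j
                    print name
                }
                break
            }
        }
    }'
}

# anonymous_readable HOST SHARE: exit 0 if a null session (-N) can list the share.
# Assumes smbclient is installed; needs network access, so not run in the demo.
anonymous_readable() {
    host="$1"; share="$2"
    smbclient -N "//$host/$share" -c 'ls' >/dev/null 2>&1
}

# audit_host HOST: list every Disk share on HOST and report whether a null
# session can read it. Anything marked ANONYMOUS-READABLE is a finding to fix.
audit_host() {
    host="$1"
    smbclient -N -L "//$host" 2>/dev/null | disk_shares | while read -r share; do
        if anonymous_readable "$host" "$share"; then
            echo "$host | $share | ANONYMOUS-READABLE"
        else
            echo "$host | $share | ok"
        fi
    done
}

# Offline demo on the constructed sample: prints print$, new-site, Department Shares
printf '%s\n' "$SAMPLE_LISTING" | disk_shares
```

To audit a real host, call `audit_host 192.168.184.117` from the same shell after sourcing the script; the parser is the part that does the work, the rest is just the smbclient calls already shown on this page.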
Putting file in a share
root@kali# smbclient -U 'bob%password123' //10.10.10.97/new-site -c 'put /opt/shells/netcat/nc.exe nc.exe'
Execute a local system command from within the smbclient session by prefixing it with !
smb: \> !cat prep-prod.txt
Troubleshooting
If you get the error "Server does not support Extended Security but 'client use spnego = yes' [...]", force the legacy NT1 (SMB1) dialect and a null session:
smbclient //10.11.1.115/IPC$ --option='client min protocol=NT1' -N
smbmap
Listing shares with no authentication
smbmap -H 192.168.184.117
Listing shares with authentication; to test guest access, pass any username and leave out the -p field
smbmap -H 10.10.10.239 -u <username> -p <password>
Download a file with SMBMap
smbmap -u BR086 -p Welcome1 -H 172.16.7.3 --download 'Department Shares\IT\Private\Development\web.config'
enum4linux-ng
The successor of the well-known tool enum4linux.
./enum4linux-ng.py 10.129.14.128 -A
Nmap
Scanning for common SMB vulnerabilities with the Nmap NSE smb-vuln-* scripts
sudo nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p 139,445 192.168.218.45
Enumerate shares with the Nmap script
sudo nmap --script smb-enum-shares.nse -p445 10.11.1.31
Crackmapexec
Check what SMB shares we have access to
crackmapexec smb 10.10.10.161 -u svc-alfresco -p s3rvice --shares
# We can also try a null session (no credentials)
crackmapexec smb 10.10.10.161 -u '' -p '' --shares
Other commands
Downloading SMB share files recursively
smbget -R smb://10.11.1.31/wwwroot/_vti_pingit
From within an SMB session
smb > recurse on
smb > prompt off
smb > mget *
smbver.sh
Note: needs to be run as root (e.g. with sudo), because tcpdump requires it.
#!/bin/sh
# Author: rewardone
# Description:
#   Requires root or enough permissions to use tcpdump.
#   Listens for the first 10 packets of a null login to RHOST
#   and greps the Samba version string out of the SMB negotiate traffic.
# Notes:
#   Will sometimes not capture or will print multiple lines.
#   May need to run a second time for success.
#   Defaults: RPORT=139, interface=tun0.

if [ -z "$1" ]; then
    echo "Usage: ./smbver.sh RHOST {RPORT} [interface]"
    exit 1
fi
rhost="$1"
rport="${2:-139}"
interface="${3:-tun0}"

# Start the capture in the background; it exits on its own after 10 packets
# from RHOST. tcpdump -A prints non-printable bytes as '.', which tr strips.
tcpdump -s0 -n -i "$interface" src "$rhost" and port "$rport" -A -c 10 2>/dev/null \
    | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' &
printf '%s: ' "$rhost"
# Trigger a null-session share listing so the server sends its negotiate response.
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
Other elements to check for
Can you login with default or lazy admin credentials?
Have you tried to login and/or enumerate shares with credentials found elsewhere?
Is there any exploit or vulnerability associated with the SMB server?
Can you transfer files to or from the SMB share? (upload/download)