HomeGitHubPortfolioTwitter/XMediumCont@ct

3.2.2 - SMB Enum & Common Attacks

SMB Enumeration

Netexec

  1. Enumerate Domain Machines for SMB Signing

    nxc smb 192.168.1.0/24

  2. Validate Credentials

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123'

  3. Find Valid Machines for Connection

    nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123'

  4. Enumerate Shared Resources

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares

  5. Enumerate Users and Groups

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups

  6. Dump LSA and NTDS If you have domain admin privileges:

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds

SMBMap

We can enumerate SMB shares and access to system using these command:

Copy

List a specific Share

Check OS Version and signing status

If the signing of message is disabled we can use it for Relay attacks and potentially of exploit eternalblue vuln.

SMB Client

Similar to SMBMap, we can use it to enumerate shares and interact with file system prompt

PowerHuntShares

Useful for enumerate shares, discovering sensitive files, ACLs for shares, networks, computers, etc, and generates a nice HTML report.

SMB Common Attacks

  • SMB Tools & Guest or Anonymous access to Shares

  • RCE Via access to Administrative Shares

  • SMB Brute Forcing

  • SMB Password Spraying

  • SMBv1 EternalBlue (CVE-2017-0144)

  • Net-NTLM Capture Attack

  • Pass the Hash Attack (PTH)

  • Net-NTLM Relay Attack

SMB Common Attacks Lab

Previous3.2.1 - LDAP & DNS EnumNext3.3 - Domain Enumeration

Last updated