3.2.2 - SMB Enum & Common Attacks

SMB Enumeration

Netexec

  1. Enumerate Domain Machines for SMB Signing

    nxc smb 192.168.1.0/24
  2. Validate Credentials

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123'
  3. Find Valid Machines for Connection

    nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123'
  4. Enumerate Shared Resources

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares
  5. Enumerate Users and Groups

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users
    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups
  6. Dump LSA and NTDS If you have domain admin privileges:

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa
    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds

SMBMap

We can enumerate SMB shares and access to system using these command:

Copy

smbmap -H corp-dc #List share with anonymous access
smbmap -H corp-dc -u "devan" -p "P@ssword123!" #List Devan's shares
smbmap -H corp-dc -u "devan" --prompt ##List Devan's shares without writing password in cleartext

List a specific Share

smbmap -H corp-dc -u "devan" --prompt -r "SharedFiles"

Check OS Version and signing status

smbmap -H corp-dc -u "devan" --prompt -v            #OS version check
smbmap -H corp-dc -u "devan" --prompt --signing     #Signing check

If the signing of message is disabled we can use it for Relay attacks and potentially of exploit eternalblue vuln.


SMB Client

Similar to SMBMap, we can use it to enumerate shares and interact with file system prompt

smbclient -L //corp-dc -N     #Anonymous Login (-N no credentials)
smbclient //corp-dc -U "dev-angelist.lab/devan%P@ssword123!"     #List Devan's shares
smbclient //corp-dc/SharedFiles -U devan
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!" #we can get file shared using get command
#File system prompt includes command such as: cd, dir, ls, get, put

Useful for enumerate shares, discovering sensitive files, ACLs for shares, networks, computers, etc, and generates a nice HTML report.

Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools -HostList C:\AD\Tools\servers.txt

  • SMB Tools & Guest or Anonymous access to Shares

  • RCE Via access to Administrative Shares

  • SMB Brute Forcing

  • SMB Password Spraying

  • SMBv1 EternalBlue (CVE-2017-0144)

  • Net-NTLM Capture Attack

  • Pass the Hash Attack (PTH)

  • Net-NTLM Relay Attack

SMB Common Attacks Lab

Last updated