Links
🟠

SMB 445

Read the Full Hacking SMB Guide

Nmap NSE scripts

┌──(rfs㉿PopLabSec)-[~]
└─$ ls -la /usr/share/nmap/scripts | grep -e "smb"
​
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-brute.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-protocols.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
smb-webexec-exploit.nse

Metasploit SMB Enumeration Scripts

// Some code

Enumerate SMB Version

┌──(rfs㉿PopLabSec)-[~/TryHackMe/THM_NerdHerd]
└─$ nmap -p 445 --script smb-protocols nerdherd.thm
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 16:18 EDT
Nmap scan report for nerdherd.thm (10.10.180.123)
Host is up (0.16s latency).
​
PORT STATE SERVICE
445/tcp open microsoft-ds
​
Host script results:
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 2.0.2
| 2.1
| 3.0
| 3.0.2
|_ 3.1.1
​
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

Enumerate SMB Shares

nmap -p 445 --script smb-enum-shares nerdherd.thm
​
Host is up (0.087s latency).
​
PORT STATE SERVICE
445/tcp open microsoft-ds
​
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.180.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (nerdherd server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.180.123\nerdherd_classified:
| Type: STYPE_DISKTREE
| Comment: Samba on Ubuntu
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\chuck\nerdherd_classified
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.180.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
​
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

Enumerate SMB Users

nmap -p 445 --script smb-enum-users nerdherd.thm
​
​
PORT STATE SERVICE
445/tcp open microsoft-ds
​
Host script results:
| smb-enum-users:
| NERDHERD\chuck (RID: 1000)
| Full name: ChuckBartowski
| Description:
|_ Flags: Normal user account
​
Nmap done: 1 IP address (1 host up) scanned in 5.62 seconds
┌──(rfs㉿PopLabSec)-[~/TryHackMe/THM_NerdHerd]
└─$ smbclient -L //nerdherd.thm/ -U anonymous 1 ⨯
Enter WORKGROUP\anonymous's password:
​
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
nerdherd_classified Disk Samba on Ubuntu
IPC$ IPC IPC Service (nerdherd server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
​
Server Comment
--------- -------
​
Workgroup Master
--------- -------
WORKGROUP NERDHERD
​
msf6> use auxiliary/scanner/smb/smb_enumshares
msf6 > set SpiderShares true
SpiderShares => true
msf6 auxiliary(scanner/smb/smb_enumshares) > run
​
[*] 10.10.180.123:139 - Starting module
[*] 10.10.180.123:445 - Starting module
[!] 10.10.180.123:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 10.10.180.123:445 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 10.10.180.123:445 - print$ - (DISK) Printer Drivers
[+] 10.10.180.123:445 - nerdherd_classified - (DISK) Samba on Ubuntu
[+] 10.10.180.123:445 - IPC$ - (IPC|SPECIAL) IPC Service (nerdherd server (Samba, Ubuntu))
[*] 10.10.180.123:445 - Skipping IPC$
[*] nerdherd.thm: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Youtube Nmap - SMB Enumeration