For a Linux (Samba) target, try to get the version number from the raw SMB traffic in Wireshark, field: smb.native_lanman
For a Windows target, on port 139 and port 445 run:
nmap -p445 --script smb-protocols <target ip>
nmap -p139 --script smb-protocols <target ip>
OR
nmap -sC -p 139,445 -sV 10.0.2.30
OTHER
nmap --script "safe or smb-enum-*" -p 445 <IP>
Other Tools:
- enum4linux:
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
- smbmap:
smbmap -H [IP] -R
Dump Information:
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
We can list shares and retrieve files using smbmap or smbclient. List shares with a null session using: smbclient -N -L \\\\[IP]
We can get an SMB shell on a share (here the tmp share) using: smbclient \\\\[IP]\\tmp
rpcclient -U "" -N <IP>
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
- List users:
querydispinfo
enumdomusers
- Get user details:
queryuser <0xrid>
- Get user groups:
queryusergroups <0xrid>
- Get SID of user:
lookupnames <username>
- Get user aliases:
queryuseraliases [builtin|domain] <sid>
- List groups:
enumdomgroups
- Get details:
querygroup <0xrid>
- Get members:
querygroupmem <0xrid>
- List alias:
enumalsgroups <builtin|domain>
- Get member:
queryaliasmem builtin|domain <0xrid>
- List domains:
enumdomains
- Get SID:
lsaquery
- Domain Info:
querydominfo
- Find SID by name:
lookupnames <username>
- Find more SIDs:
lsaenumsid
- RID cycling (find more SIDs):
lookupsids <sid>
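The RID cycling step above is usually run as a loop rather than one lookupsids call per SID. The script below is an added example, not part of the original notes: it pulls the domain SID out of lsaquery output, builds SIDs for a RID range, feeds them to rpcclient in batches (lookupsids accepts several SIDs on one line), and keeps only the results that resolved to a user account (type 1), dropping unmapped SIDs (type 8) and groups. The target 10.0.2.30, the domain SID S-1-5-21-1-2-3 and the sample rpcclient output are constructed for the example.

```shell
#!/bin/sh
# Added example: RID cycling over a null session with rpcclient.
# Assumptions (hypothetical): target 10.0.2.30 accepts a null session,
# and a live run is only wanted when RUN_LIVE=1 is set.

# Extract "Domain Sid: S-1-5-21-..." from the output of "rpcclient -c lsaquery".
parse_domain_sid() {
  # reads lsaquery output on stdin, prints the SID
  awk '/^Domain Sid:/ { print $3 }'
}

# Print one SID per line for RIDs first..last under the given domain SID.
rid_range_to_sids() {
  # $1=domain SID, $2=first RID, $3=last RID
  sid="$1"; i="$2"; last="$3"
  while [ "$i" -le "$last" ]; do
    printf '%s-%s\n' "$sid" "$i"
    i=$((i + 1))
  done
}

# Keep only lookupsids results that resolved to a user (type 1).
# rpcclient prints "S-1-5-21-...-500 DOMAIN\Administrator (1)";
# unmapped RIDs come back as "*unknown*\*unknown* (8)", groups as (2)/(4).
parse_lookupsids() {
  # reads lookupsids output on stdin, prints DOMAIN\user names
  awk '/ \(1\)$/ { sub(/^S-[0-9-]+ /, ""); sub(/ \(1\)$/, ""); print }'
}

# Full live cycle: lsaquery for the SID, then lookupsids in batches of 50.
rid_cycle() {
  # $1=target, $2=first RID, $3=last RID
  target="$1"
  dom_sid="$(rpcclient -U "" -N "$target" -c lsaquery | parse_domain_sid)"
  [ -n "$dom_sid" ] || { echo "could not read domain SID from lsaquery" >&2; return 1; }
  rid_range_to_sids "$dom_sid" "$2" "$3" | xargs -n 50 \
    | while read -r batch; do
        rpcclient -U "" -N "$target" -c "lookupsids $batch"
      done | parse_lookupsids
}

# Constructed sample output, in the format rpcclient prints, for an offline dry run.
SAMPLE_LSAQUERY='Domain Name: DOMAIN
Domain Sid: S-1-5-21-1-2-3'

SAMPLE_LOOKUPSIDS='S-1-5-21-1-2-3-500 DOMAIN\Administrator (1)
S-1-5-21-1-2-3-501 DOMAIN\Guest (1)
S-1-5-21-1-2-3-502 *unknown*\*unknown* (8)
S-1-5-21-1-2-3-513 DOMAIN\Domain Users (2)
S-1-5-21-1-2-3-1000 DOMAIN\svc_backup (1)'

# Offline demonstration of the parsing stages on the constructed samples.
printf '%s\n' "$SAMPLE_LSAQUERY" | parse_domain_sid
printf '%s\n' "$SAMPLE_LOOKUPSIDS" | parse_lookupsids

# Live run against the (hypothetical) target only when explicitly requested.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  rid_cycle 10.0.2.30 500 1100
fi
```

Well-known RIDs 500 (Administrator) and 501 (Guest) anchor the range; most domains hand out user RIDs from 1000 upwards, so 500 to a few thousand is the usual first pass. Run with RUN_LIVE=1 to actually query the target; without it the script only exercises the parsers on the constructed sample output.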