FValkyrie_17's Infosec Notes
  • 1nf05EC N0TE5
  • Networking and Network Security
    • Security Models
    • Host Discovery
    • Port Scanning - Service and OS Discovery
    • Port Scanning - Common Firewall and IDS Evasion
    • Naming/Name Service and Directory Service
    • DNS
      • DNS Basics
      • DNS Pentest
    • NetBIOS
      • NetBIOS Basics
      • NetBIOS Pentest
    • BGP(Border Gateway Protocol) and AS Numbers (Autonomous System Numbers)
    • MS-RPC (Remote Procedure Call)
    • SMB (Server Message Block)
      • Basics of SMB
      • SMB Pentesting
    • LDAP (Lightweight Directory Access Protocol)
      • LDAP Working
      • LDAP Exploitation
    • RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing)
    • Telnet (Teletype Network Protocol)
    • FTP (File Transfer Protocol)
    • NFS (Network File System)
    • SSH (Secure Socket Shell)
      • Port Forwarding Primer
    • SQL servers
      • MS-SQL (Microsoft SQL Service)
      • MySQL
    • Hydra Cheat Sheet
    • SMTP
    • SLP (Service Location Protocol)
    • SNMP
      • SNMP Basics
      • SNMP Pentest
    • NTP
    • File Transfer Primers
    • Regex 101
  • Make your dumb netcat shell interactive and awesome
  • Metasploit Primer
    • Important Terminologies
    • Working with Metasploit Database
  • Reverse Engineering 101
    • x86-64 assembly tutorial
      • Introduction to x86-64
  • Web Application Security
    • Security Policies
      • Same Origin Policy
      • Security Headers
        • CSP (Content Security Policy)
        • HSTS (Strict-Transport-Security Header)
        • X-Content-Type-Options
        • X-Frame-Options
        • Referrer-Policy
    • Authentication Bypass
  • Linux Privilege Escalation
    • Permissions in Linux
    • Enumeration
    • Using files with SUID/SGID permission set
    • Using Kernel Exploits
    • Using Service Exploits
    • Exploiting Weak File Permissions
    • Exploiting Sudo
    • Cron Jobs
  • windows privilege escalation
    • Windows Basics
    • PsTools Primer
    • Persistence Techniques
  • Android application security testing
    • Setting it Up
      • Installing Android SDK and emulator
      • Setting up Frida-Server on Android Device
  • HTB writeups
    • Archetype (HTB Starting Point 2x1)
    • Oopsie (HTB Starting Point 2x2)
    • Lame
    • Jerry
  • THM writeups
    • Vulnuniversity
  • Preparation Notes
    • CEH Practical Prep Notes
Powered by GitBook
On this page
  • Enumeration
  • Using nmap
  • Using enum4linux
  • Using smbclient
  • Using metasploit
  • Exploitation
  • Using smbclient
  • Anonymous login with empty passwords
  • Navigating through SMB

Was this helpful?

  1. Networking and Network Security
  2. SMB (Server Message Block)

SMB Pentesting

Find and exploit SMB vulnerabilities

Enumeration

Using nmap

sudo nmap -sC -sV 10.10.170.245

Using enum4linux

enum4linux -a 10.10.170.245

Using smbclient

List all available shares

smbclient -N -L \\\\10.129.95.187\\

Using metasploit

use auxiliary/scanner/smb/smb_version

Exploitation

The smbclient utility and impacket library are two good utilities to exploit SMB vulnerability.

Using smbclient

Let's say we want to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port

smbclient //10.10.10.2/secret -U "suit" -p 445

Anonymous login with empty passwords

In general shares

smbclient //10.10.96.221/profiles -U ''
smbclient //10.10.96.221/profiles -U 'Anonymous'

Navigating through SMB

List all available files

smb: \> ls
smb: \> dir

Get multiple or single files (mget command)

smb: \.ssh\> mget id_rsa*
PreviousBasics of SMBNextLDAP (Lightweight Directory Access Protocol)

Last updated 10 months ago

Was this helpful?