Ports 139/445 (SMB)
Connect to a specific share with credentials:
nxc smb -u '{username}' -p '{password}' --share {share} {IP}
Useful nxc options for enumeration:
--shares enumerate shares and the access level (READ/WRITE) the account has on each
--interfaces enumerate network interfaces
--no-write-check skip the write check on shares (avoids leaving a test file behind when the account can create but not delete files)
psexec
impacket-psexec {user}@$ipscope
Prompts for the password. Needs local admin rights and a writable ADMIN$ share; it uploads and registers a service binary, so it is noisy on the target.
Enumerate shares without login (null session)
smbclient -N -L //{IP}
rpcclient
Samba tool that issues MS-RPC calls (SAMR, LSARPC, SRVSVC) over SMB named pipes. -N -U "" opens a null session; without -N it prompts for a password.
rpcclient -N -U "" $ipscope
| Query | Description |
|---|---|
| srvinfo | Server information (OS version, server type). |
| enumdomains | Enumerate the domains known to the server (its own domain plus Builtin). |
| querydominfo | Domain, server and user-count information for the server's domain. |
| netshareenumall | Enumerate all available shares. |
| netsharegetinfo <share> | Information about a specific share (path, remark, permissions). |
| enumdomusers | Enumerate all domain users with their RIDs. |
| queryuser <RID> | Information about a specific user; the RID is given in hex, e.g. queryuser 0x1f4 for RID 500. |
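The rpcclient queries above, wrapped into a script that falls back to cycling RIDs through queryuser when the server denies enumdomusers (common on hardened hosts). This is an added example, not part of the original notes: it assumes rpcclient is on PATH, the function names are my own, and the enumdomusers/queryuser outputs it parses in the demo are constructed to match rpcclient's formatting.

```shell
#!/bin/sh
# Added example, not from the original notes: drive rpcclient's null-session
# user enumeration and reduce its chatty output to one "user:rid" line each.
# Sample outputs in demo() are constructed to match rpcclient's formatting.

# rpcclient takes RIDs in hex (queryuser 0x1f4); seq produces decimal.
rid_to_hex() {
    printf '0x%x' "$1"
}

# enumdomusers prints  user:[Administrator] rid:[0x1f4]  per account.
# Reads stdin, prints "Administrator:0x1f4".
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9a-fA-F]*\)\]$/\1:\2/p'
}

# queryuser prints ~30 tab-aligned "Field :<tab>value" lines; keep only the
# name and RID. Returns 1 when there is no "User Name" field, which is what an
# unassigned RID produces (rpcclient prints "result was NT_STATUS_NO_SUCH_USER").
parse_queryuser() {
    awk -F: '
        /^[ \t]*User Name[ \t]*:/ { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); name = v }
        /^[ \t]*user_rid[ \t]*:/  { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); rid = v }
        END {
            if (name == "") exit 1
            print name ":" rid
        }'
}

# Null-session user enumeration against HOST (needs rpcclient on PATH).
# Tries enumdomusers first; when the server denies it, cycles RIDs START..END
# (default 500..1100) through queryuser, which often still works.
enum_users() {
    host=$1; start=${2:-500}; end=${3:-1100}
    command -v rpcclient >/dev/null 2>&1 || { echo "rpcclient not found" >&2; return 2; }
    if rpcclient -N -U "" "$host" -c enumdomusers 2>/dev/null | parse_enumdomusers | grep .; then
        return 0
    fi
    i=$start
    while [ "$i" -le "$end" ]; do
        rpcclient -N -U "" "$host" -c "queryuser $(rid_to_hex "$i")" 2>/dev/null | parse_queryuser
        i=$((i + 1))
    done
}

# Offline demo on constructed rpcclient output (no target needed):
#   sh rpc_enum.sh demo
demo() {
    printf 'user:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\n' | parse_enumdomusers
    printf '\tUser Name   :\tsvc_backup\n\tFull Name   :\t\n\tuser_rid :\t0x451\n\tgroup_rid:\t0x201\n' | parse_queryuser
}
case "${1:-}" in demo) demo ;; esac
```

Against a live target, `enum_users $ipscope` prints `Administrator:0x1f4`-style lines; the fallback loop is slow (one SMB session per RID), so narrow the range once you know where the domain's created accounts start (1000+ by default).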
Brute force user RIDs
Works when enumdomusers is denied but queryuser is not. Well-known RIDs: 500 Administrator (0x1f4), 501 Guest, 502 krbtgt; accounts created after install start at 1000.
for i in $(seq 500 1100); do rpcclient -N -U "" $ipscope -c "queryuser $(printf '0x%x' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done
Impacket alternative:
impacket-samrdump $ipscope
Samba
SMB protocol versions and the Windows release that introduced each (Samba implements the same dialects on Unix-like hosts):
| SMB Version | Introduced in | Features |
|---|---|---|
| CIFS | Windows NT 4.0 | Communication via the NetBIOS interface (TCP 139) |
| SMB 1.0 | Windows 2000 | Direct hosting over TCP 445 |
| SMB 2.0 | Windows Vista, Windows Server 2008 | Performance upgrades, improved message signing, caching |
| SMB 2.1 | Windows 7, Windows Server 2008 R2 | Locking mechanisms |
| SMB 3.0 | Windows 8, Windows Server 2012 | Multichannel connections, end-to-end encryption (AES-128-CCM), remote storage access |
| SMB 3.0.2 | Windows 8.1, Windows Server 2012 R2 | |
| SMB 3.1.1 | Windows 10, Windows Server 2016 | Pre-authentication integrity checking, AES-128-GCM encryption |
NetBIOS
Network Basic Input/Output System, an API originally created by IBM. Instead of assigning hostnames statically, each machine registers its own NetBIOS name on the network (by broadcast, or with a NetBIOS name server such as WINS), so name-to-address mapping is delegated to NetBIOS. It uses UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service, which carries SMB over NetBIOS).