try hack me
  • what is this repo?
  • Pre Security
    • Introduction to Cyber Security
    • Linux Fundamentals
  • pre security Tools
    • gobuster
    • ping (ICMP)
    • nslookup
    • basic Linux commands
    • basic Linux operators
    • some Linux web command
    • processes
    • cron tabs (schedule)
    • Important Directories
    • basic CMD command
    • ssh
    • ftp
    • simple digital forensics commands
  • Complete Begginer
    • CVE tracking websites
    • traceroute
    • whois
    • dig
    • nmap
    • smb
    • Telnet
      • tcpdump listener & reverse shell
    • ftp
    • hydra
    • NFS
    • smtp
    • mysql
    • 🅱️Burp Suite
      • Proxy
      • target
      • intruder
      • simple XSS attack
    • OWASP top 10 : 2021
      • 1. Broken Access Control
      • 2. Cryptographic Failures
      • 3. Injection
      • 4. Insecure Design
      • 5. Security Misconfiguration
      • 6. Vulnerable and Outdated Components
      • 7. Identification and Authentication Failures
      • 8. Software and Data Integrity Failures
        • Software Integrity Failures
        • Data Integrity Failures
      • 9. Security Logging and Monitoring Failures
      • 10. Server-Side Request Forgery (SSRF)
    • file type recognition
      • How to change magic numbers
    • upload vulnerability exploiting
    • about hash
    • john the ripper
      • /etc/shadow
      • Single Crack Mode
      • Custom Rules
      • rar and zip
      • SSH Key Passwords
      • GPG/PGP
    • Encryption
      • SSH authentication
      • SSH configuration (sort of)
      • GnuPG (very basic)
    • metasploit
      • mian components
      • Scanner
      • The Metasploit Database
      • Vulnerability Scanning
      • exploiting
      • Msfvenom
      • Meterpreter>
        • Commands
        • Post-Exploitation
    • Shell
      • netcat
      • socat
      • common shell payloads
      • Next steps
    • privilege esclation
      • Exploiting Writeable /etc/passwd
      • Vi, sudo -l, GTFOBin
      • Cron tab exploitation
      • Exploiting PATH Variable
      • some checklists
      • windows
        • miscellaneous
      • Examples
        • mysql running as root
        • Weak File Permissions
        • Sudo
        • Cron Jobs
        • SUID / SGID Executables
        • Passwords & Keys
        • NFS
        • Kernel Exploits
    • file transfer between two machines
  • SQL injection
  • Google Dorking
  • Web hacking intro
    • Walking an application
    • Content Discovery(ffuf, dirb, gobuster)
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR
    • File Inclusion
Powered by GitBook
On this page
  • Enumeration
  • SMB
  • Port Scanning
  • Enum4Linux
  • Types of SMB Exploit
  • Download share recursively
  • Nmap scripts
  1. Complete Begginer

smb

PreviousnmapNextTelnet

Last updated 7 months ago

SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. [source]

The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.

Clients can send commands (SMBs) to the server to access shares, open files, and read/write files over the network.

Since Windows 95, Microsoft Windows has supported the SMB protocol for clients and servers. Samba, a server for Unix systems, also supports SMB.

Enumeration

Enumeration involves gathering information on a target to identify potential attack vectors for exploitation. It is crucial for successful attacks, as it helps avoid ineffective exploits. This process can collect usernames, passwords, network details, hostnames, application data, and services valuable to attackers.

SMB

SMB share drives on a server allow users to view or transfer files. They can be a valuable starting point for attackers seeking sensitive information, as these shares may contain unexpected data.

Port Scanning

The first step of enumeration is to conduct a port scan to gather information about the target machine's services, applications, structure, and operating system.

Enum4Linux

Enum4linux is a tool for enumerating SMB shares on Windows and Linux systems, serving as a wrapper for Samba tools.

enum4linux [options] ip

TAG
FUNCTION

-U

get userlist

-M

get machine list

-N

get namelist dump (different from -U and -M)

-S

get sharelist

-P

get password policy information

-G

get group and member list

-a

all of the above (full basic enumeration)

Types of SMB Exploit

While vulnerabilities like CVE-2017-7494 can enable remote code execution via SMB, misconfigurations are often the primary entry point. In this case, we'll exploit anonymous SMB share access, a common misconfiguration that can provide information leading to a shell.

from out enumeration stage we would know some usefull data like The SMB share location and The name of an interesting SMB share.

To access an SMB share, we will use SMBClient, part of the default Samba suite.

smbclient //[IP]/[SHARE] -U [username] -p [port]

the default smb port is 139 or 445 which we would get from port scanning.

an smb share may be configured to allow anonymous access using the username "Anonymous" without supplying a password.

Download share recursively

smbget -R smb://10.10.98.233/anonymous

Nmap scripts

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [ip]