smbclient -L \\\\192.168.1.101\\
# Will list all shares
smbclient -L \\$ip --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
smbclient //HOST/PATH -c 'recurse;ls'
# List all files recursly
smbmap
smbmap -H $ip
# Will list all shares with available permissions
smbmap -H $ip -R $sharename
# Recursively list dirs, and files
smbmap -u '' -p '' -H $ip
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
# With credentials
Nmap
nmap --script smb-enum-shares -p 139,445 $ip
Connecting To Shares
smbclient \\\\192.168.1.101\\C$
or
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
smbclient \\\\192.168.1.101\\admin$ -U t-skid
# Connect with valid username and password
# Specify username with -U
Downloading multi files
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work
Enum4Linux
enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip
Null session with rpcclient
Rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection with a samba or SMB server that does not require authentication with a password. Null sessions were enabled by default on legacy systems but have been disabled from Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts that have null sessions enabled, but it is worth a try if you do stumble across one. The connection uses port 445.
rpcclient -U "" <ip>
# You will be asked for a password but leave it blank and press enter to continue.
if IPC$ share is enabled , and have anonymous access we can enumerate users through lookupsid.py
lookupsid.py anonymous@10.10.215.206
Google to see if version is vulnerable
SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename
SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename
smbver.sh
good script to use if none of scanner giving version for smb
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
You can also fire up wireshark and list target shares with smbclient , you can use anonymous listing to explained above and after that find , Session Setup Andx Response and there you will find smb version :)
smbenum.sh
#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script
IFACE="eth0"
if [ $# -eq 0 ]
then
echo "Usage: $0 <IP>"
echo "eg: $0 10.10.10.10"
exit
else
IP="$1"
fi
echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP
echo -e "\n########## Checking for NULL sessions ##########"
output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
echo $output
echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"
echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP
echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt
echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%
echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%
echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP
echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP
echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txt
