Note

SMB typically runs on ports 137, 138 and 139 (SMB) or 445 (CIFS).

Nmap scan

To check the Samba version, run this Nmap scan:

nmap -sCV -T4 10.129.199.212 -p139,445
 
[redacted]
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4

HTB Cheatsheet (Basic Commands)

Command                                            Description
smbclient -N -L //<FQDN/IP>                        Null session authentication on SMB.
smbclient //<FQDN/IP>/<share>                      Connect to a specific SMB share.
rpcclient -U "" <FQDN/IP>                          Interaction with the target using RPC.
samrdump.py <FQDN/IP>                              Username enumeration using Impacket scripts.
smbmap -H <FQDN/IP>                                Enumerating SMB shares.
crackmapexec smb <FQDN/IP> --shares -u '' -p ''    Enumerating SMB shares using null session authentication.
enum4linux-ng.py <FQDN/IP> -A                      SMB enumeration using enum4linux-ng.
get <filename>                                     Download a file (inside an smbclient session).
!<command>                                         Execute a command on your own machine without leaving the current SMB session.

RPCClient Enumeration

Query                        Description
srvinfo                      Server information.
enumdomains                  Enumerate all domains that are deployed in the network.
querydominfo                 Provides domain, server, and user information of deployed domains.
netshareenumall              Enumerates all available shares.
netsharegetinfo <share>      Provides information about a specific share.
enumdomusers                 Enumerates all domain users.
queryuser <RID>              Provides information about a specific user.

Brute-force user RIDs (grep -E is required for the | alternation to match):
for i in $(seq 500 1100); do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep -E "User Name|user_rid|group_rid" && echo ""; done

Alternative to brute-forcing user RIDs, using the Impacket Python script samrdump.py:
samrdump.py 10.129.14.128
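As an added example (not part of the original cheatsheet), a small Python parser for the rpcclient queryuser output that the RID loop above greps through, plus the same decimal-to-hex RID formatting the loop's printf performs. The queryuser sample embedded below is constructed, not captured from a real host.

```python
import re
from typing import Optional

# Constructed sample of rpcclient "queryuser" output (not captured from a real host).
# The cheatsheet loop greps exactly these three fields: User Name, user_rid, group_rid.
SAMPLE_QUERYUSER = """\
\tUser Name   :\talice
\tFull Name   :\tAlice Example
\tHome Drive  :\t
\tDescription :\tConstructed sample account
\tLogon Count :\t3
\tuser_rid :\t0x3e8
\tgroup_rid:\t0x201
\tacb_info :\t0x00000010
"""

# One regex for the three fields of interest; values are whatever follows the colon.
FIELD_RE = re.compile(
    r"^\s*(User Name|user_rid|group_rid)\s*:\s*(.*?)\s*$", re.MULTILINE
)


def rid_to_hex(rid: int) -> str:
    """Format a decimal RID as rpcclient expects it, like the loop's printf '%x'."""
    return f"0x{rid:x}"


def parse_queryuser(output: str) -> Optional[dict]:
    """Extract user name, user RID and primary group RID from one queryuser result.

    Returns None when no user_rid line is present, which is what you get for a RID
    that does not exist (rpcclient then only prints an NT_STATUS error line).
    """
    fields = dict(FIELD_RE.findall(output))
    if "user_rid" not in fields or "group_rid" not in fields:
        return None
    return {
        "name": fields.get("User Name", ""),
        "rid": int(fields["user_rid"], 16),        # 0x3e8 -> 1000
        "group_rid": int(fields["group_rid"], 16), # 0x201 -> 513 (Domain Users)
    }
```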

SMBmap

Command                      Description
smbmap -H 10.129.14.128      Basic command.

CrackMapExec

Command                                                 Description
crackmapexec smb 10.129.14.128 --shares -u '' -p ''     Basic command.

Enum4Linux-ng

Command                              Description
./enum4linux-ng.py 10.129.14.128 -A  Basic command.