TLDRBins / SMB Enum



SMB Share Enum

sudo nmap --script=smb-enum-shares -p 445 <TARGET>
Sample Output:
$ sudo nmap --script=smb-enum-shares -p 445 10.10.11.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 04:53 GMT
Nmap scan report for 10.10.11.207
Host is up (0.26s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds

Anonymous Login

smbmap -H <TARGET> --no-banner
Sample Output: TO-DO
smbmap -H <TARGET> -u null --no-banner
Sample Output: TO-DO
# List a known share
smbmap -H <TARGET> -r <SHARE>
Sample Output: TO-DO
smbclient -N -L \\\\<TARGET>\\
Sample Output:
$ smbclient -N -L \\\\10.10.11.207\\

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Development     Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.207 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
# After finding an accessible share
smbclient -N \\\\<TARGET>\\<SHARE>\\
Sample Output:
$ smbclient -N \\\\10.10.11.207\\Development\\
Try "help" to get a list of possible commands.
smb: \>
# Fix for "Unable to initialize messaging context" / "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
# (the server only speaks SMB1, so allow NT1 on the client side)
smbclient -N -L \\\\<TARGET>\\ --option='client min protocol=NT1'
Sample Output: TO-DO
# SID brute force, if null authentication is allowed
impacket-lookupsid test@<DOMAIN> -no-pass
Sample Output:
$ impacket-lookupsid test@coder.htb -no-pass
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra

[*] Brute forcing SIDs at coder.htb
[*] StringBinding ncacn_np:coder.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2608251805-3526430372-1546376444
498: CODER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CODER\Administrator (SidTypeUser)
---[SNIP]---
1000: CODER\DC01$ (SidTypeUser)
1101: CODER\DnsAdmins (SidTypeAlias)
1102: CODER\DnsUpdateProxy (SidTypeGroup)
1106: CODER\e.black (SidTypeUser)
1107: CODER\c.cage (SidTypeUser)
1108: CODER\j.briggs (SidTypeUser)
1109: CODER\l.kang (SidTypeUser)
1110: CODER\s.blade (SidTypeUser)
2101: CODER\PKI Admins (SidTypeGroup)
3601: CODER\Software Developers (SidTypeGroup)

Authenticated

smbmap -H <TARGET> -u '<USER>' -p '<PASSWORD>' --no-banner
Sample Output:
$ smbmap -H 10.10.11.102 -u 'localadmin' -p 'Secret123' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.10.11.102:445    Name: 10.10.11.102    Status: Authenticated
    Disk            Permissions    Comment
    ----            -----------    -------
    ADMIN$          NO ACCESS      Remote Admin
    C$              NO ACCESS      Default share
    CertEnroll      READ ONLY      Active Directory Certificate Services share
    IPC$            READ ONLY      Remote IPC
    NETLOGON        READ ONLY      Logon server share
    Shared          READ, WRITE
    SYSVOL          READ ONLY      Logon server share
[*] Closed 1 connections
# List a known share
smbmap -H <TARGET> -u '<USER>' -p '<PASSWORD>' -r <SHARE> --depth 2 --no-banner
Sample Output:
$ smbmap -H 10.10.11.102 -u 'localadmin' -p 'Secret123' -r Shared --depth 2 --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.10.11.102:445    Name: 10.10.11.102    Status: Authenticated
    Disk            Permissions    Comment
    ----            -----------    -------
    ADMIN$          NO ACCESS      Remote Admin
    C$              NO ACCESS      Default share
    CertEnroll      READ ONLY      Active Directory Certificate Services share
    IPC$            READ ONLY      Remote IPC
    NETLOGON        READ ONLY      Logon server share
    Shared          READ, WRITE
    ./Shared
    dr--r--r--            0 Tue Sep 24 22:04:23 2024    .
    dr--r--r--            0 Tue Sep 24 22:04:23 2024    ..
    dr--r--r--            0 Tue Apr 27 12:09:24 2021    Documents
    dr--r--r--            0 Fri Jul 23 02:14:16 2021    Software
    ./Shared//Documents
    dr--r--r--            0 Tue Apr 27 12:09:24 2021    .
    dr--r--r--            0 Tue Apr 27 12:09:24 2021    ..
    dr--r--r--            0 Thu Apr 29 22:50:33 2021    Analytics
    ./Shared//Documents/Analytics
    dr--r--r--            0 Thu Apr 29 22:50:33 2021    .
    dr--r--r--            0 Thu Apr 29 22:50:33 2021    ..
    fr--r--r--         6455 Thu Apr 29 22:50:33 2021    Big 5.omv
    fr--r--r--         2897 Thu Apr 29 22:50:33 2021    Bugs.omv
    fr--r--r--         2142 Thu Apr 29 22:50:33 2021    Tooth Growth.omv
    fr--r--r--         2841 Tue Sep 24 22:03:16 2024    Whatif.omv
    ./Shared//Software
    dr--r--r--            0 Fri Jul 23 02:14:16 2021    .
    dr--r--r--            0 Fri Jul 23 02:14:16 2021    ..
    fr--r--r--      1447178 Tue Apr 27 05:10:10 2021    7z1900-x64.exe
    fr--r--r--    247215343 Tue Apr 27 05:03:52 2021    jamovi-1.6.16.0-win64.exe
    fr--r--r--     10559784 Tue Apr 27 05:10:08 2021    VNC-Viewer-6.20.529-Windows.exe
    SYSVOL          READ ONLY      Logon server share
[*] Closed 1 connections
# Download a file
smbmap -H <TARGET> -u '<USER>' -p '<PASSWORD>' --download '<PATH_TO_FILE>' --no-banner
Sample Output:
$ smbmap -H 10.10.11.102 -u 'localadmin' -p 'Secret123' --download 'Shared\Documents\Analytics\Whatif.omv' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: Shared\Documents\Analytics\Whatif.omv (2841 bytes)
[+] File output to: /home/kali/10.10.11.102-Shared_Documents_Analytics_Whatif.omv
[*] Closed 1 connections
# List (and download) files matching a regex pattern
smbmap -H <TARGET> -u '<USER>' -p '<PASSWORD>' -r <SHARE> --depth 2 -A <FILE_PATTERN> --no-banner
Sample Output:
$ smbmap -H 10.10.11.102 -u 'localadmin' -p 'Secret123' -r Shared --depth 2 -A '.omv' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[*] Performing file name pattern match!
[+] Match found! Downloading: Shared/Documents/Analytics/Big 5.omv
[+] Starting download: Shared\Documents\Analytics\Big 5.omv (6455 bytes)
[+] File output to: /home/kali/10.10.11.102-Shared_Documents_Analytics_Big 5.omv
[+] Match found! Downloading: Shared/Documents/Analytics/Bugs.omv
[+] Starting download: Shared\Documents\Analytics\Bugs.omv (2897 bytes)
[+] File output to: /home/kali/10.10.11.102-Shared_Documents_Analytics_Bugs.omv
[+] Match found! Downloading: Shared/Documents/Analytics/Tooth Growth.omv
[+] Starting download: Shared\Documents\Analytics\Tooth Growth.omv (2142 bytes)
[+] File output to: /home/kali/10.10.11.102-Shared_Documents_Analytics_Tooth Growth.omv
[+] Match found! Downloading: Shared/Documents/Analytics/Whatif.omv
[+] Starting download: Shared\Documents\Analytics\Whatif.omv (2841 bytes)
[+] File output to: /home/kali/10.10.11.102-Shared_Documents_Analytics_Whatif.omv
[*] Closed 1 connections
# Password
smbclient -L \\\\<TARGET>\\ -U '<DOMAIN>/<USER>%<PASSWORD>'
Sample Output:
$ smbclient -L \\\\10.10.11.102\\ -U 'windcorp.htb/localadmin%Secret123'

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        CertEnroll      Disk      Active Directory Certificate Services share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shared          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.102 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
# NTLM hash (pass-the-hash)
smbclient -L \\\\<TARGET>\\ -U '<DOMAIN>/<USER>%<HASH>' --pw-nt-hash
Sample Output: TO-DO
# After finding an accessible share
smbclient \\\\<TARGET>\\<SHARE>\\ -U '<DOMAIN>/<USER>%<PASSWORD>'
Sample Output:
$ smbclient \\\\10.10.11.102\\Shared\\ -U 'windcorp.htb/localadmin%Secret123'
Try "help" to get a list of possible commands.
smb: \>
# Spider shares
nxc smb <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -M spider_plus
Sample Output: TO-DO
# Send a file to the remote target
nxc smb <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> --share <SHARE> --put-file <FILE> \\<FILE>
Sample Output: TO-DO
# Get a file from the remote target
nxc smb <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> --share <SHARE> --get-file \\<FILE> <FILE>
Sample Output: TO-DO

Authenticated with Kerberos

# -k uses the Kerberos ticket in the cache pointed to by KRB5CCNAME; the target must be given by hostname, not IP
impacket-smbclient '<DOMAIN>/<USER>:<PASSWORD>@<TARGET_DOMAIN>' -k -no-pass
Sample Output: TO-DO

General

# Inside the smbclient prompt (smb: \>)
# List all files in a share
recurse ON
Sample Output: TO-DO
ls
Sample Output: TO-DO
# Download all files
mask ""
Sample Output: TO-DO
recurse ON
Sample Output: TO-DO
prompt OFF
Sample Output: TO-DO
mget *
Sample Output: TO-DO

List Alternate Data Streams (ADS)

# Inside the smbclient prompt (smb: \>)
allinfo <FILE>
Sample Output: TO-DO
# Example response (a file carrying a named stream)
stream: [:Password:$DATA], 15 bytes
# Download a specific data stream
get "<FILE>:Password"
Sample Output: TO-DO

Mount SMB Share

# Without credentials mount.cifs prompts for a password (default user: root); add -o guest for a null session
sudo mount -t cifs //<TARGET>/<SHARE> /mnt
Sample Output: TO-DO
sudo mount -t cifs -o ro,user='<USER>',password='<PASSWORD>' //<TARGET>/<SHARE> /mnt
Sample Output:
$ sudo mount -t cifs -o ro,user='localadmin',password='Secret123' //10.10.11.102/Shared /mnt
$ ls /mnt
Documents  Software

Check Write Permission

# Run from inside the mounted share (e.g. cd /mnt); tries to create and remove a test file and a test directory in every directory
sudo find . -type d | while read -r directory; do
    touch "${directory}/test" 2>/dev/null && echo "${directory} - write file" && rm "${directory}/test"
    mkdir "${directory}/test" 2>/dev/null && echo "${directory} - write directory" && rmdir "${directory}/test"
done
Sample Output: TO-DO
# Check which file types you can write (brace expansion creates test.dll, test.exe, test.ini and test.lnk in /mnt/ and ./)
sudo touch {/mnt/,./}test.{dll,exe,ini,lnk}
Sample Output: TO-DO

Change SMB Password (with Old Password)

smbpasswd -r <TARGET> -U <USER>
Sample Output: TO-DO

Enum GPP (Group Policy Preferences)

# Password
nxc smb <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -M gpp_password
Sample Output:
$ nxc smb dc.example.com -u 'apple.seed' -p 'Test1234' -d example.com -M gpp_password
SMB         224.0.0.1       445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:example.com) (signing:True) (SMBv1:True)
SMB         224.0.0.1       445    DC               [+] example.com\apple.seed:Test1234
SMB         224.0.0.1       445    DC               [*] Enumerated shares
SMB         224.0.0.1       445    DC               Share           Permissions     Remark
SMB         224.0.0.1       445    DC               -----           -----------     ------
SMB         224.0.0.1       445    DC               accounting$
SMB         224.0.0.1       445    DC               ADMIN$                          Remote Admin
SMB         224.0.0.1       445    DC               C$                              Default share
SMB         224.0.0.1       445    DC               CertEnroll      READ            Active Directory Certificate Services share
SMB         224.0.0.1       445    DC               home$           READ
SMB         224.0.0.1       445    DC               IPC$            READ            Remote IPC
SMB         224.0.0.1       445    DC               it$
SMB         224.0.0.1       445    DC               NETLOGON        READ            Logon server share
SMB         224.0.0.1       445    DC               SYSVOL          READ            Logon server share
SMB         224.0.0.1       445    DC               transfer$       READ,WRITE
GPP_PASS... 224.0.0.1       445    DC               [+] Found SYSVOL share
GPP_PASS... 224.0.0.1       445    DC               [*] Searching for potential XML files containing passwords
SMB         224.0.0.1       445    DC               [*] Started spidering
SMB         224.0.0.1       445    DC               [*] Spidering .
SMB         224.0.0.1       445    DC               //224.0.0.1/SYSVOL/example.com/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml [lastm:'2024-06-04 16:01' size:1135]
SMB         224.0.0.1       445    DC               [*] Done spidering (Completed in 35.11537528038025)
GPP_PASS... 224.0.0.1       445    DC               [*] Found example.com/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 224.0.0.1       445    DC               [+] Found credentials in example.com/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 224.0.0.1       445    DC               Password: P@ssword2024!
GPP_PASS... 224.0.0.1       445    DC               action: U
GPP_PASS... 224.0.0.1       445    DC               newName: _local
GPP_PASS... 224.0.0.1       445    DC               fullName:
GPP_PASS... 224.0.0.1       445    DC               description: local administrator
GPP_PASS... 224.0.0.1       445    DC               changeLogon: 0
GPP_PASS... 224.0.0.1       445    DC               noChange: 0
GPP_PASS... 224.0.0.1       445    DC               neverExpires: 1
GPP_PASS... 224.0.0.1       445    DC               acctDisabled: 0
GPP_PASS... 224.0.0.1       445    DC               subAuthority: RID_ADMIN
GPP_PASS... 224.0.0.1       445    DC               userName: Administrator (built-in)

1. Enum

# Run on a domain-joined Windows host; searches every policy XML in SYSVOL for a cpassword attribute
findstr /S /I cpassword \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\*.xml
Sample Output: TO-DO

2. Decrypt

# <HASH> is the cpassword attribute value found in the XML
gpp-decrypt <HASH>
Sample Output: TO-DO