# 139, 445 - SMB

## <mark style="color:red;">Nmap</mark>

```bash
nmap -v -p 139,445 $targetip-254 -oG smb.txt 
```
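The sweep above writes greppable output (`-oG smb.txt`), which is the same format a defender uses to inventory SMB exposure across a range. The following is an added example, not part of the original page: a small POSIX shell function that extracts every host whose 139 or 445 port is reported `open`. The input lines are constructed to mimic `-oG` output; the addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): list hosts with an open SMB port
# from nmap greppable output. Reads the -oG text on stdin.

# Constructed sample of nmap -oG output (fields are whitespace separated;
# real files use tabs, which awk splits identically).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 ()  Ports: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.0.2.12 ()  Ports: 445/open/tcp//microsoft-ds///
# Nmap done at (constructed sample)'

# smb_exposed: stdin = -oG text, stdout = one IP per line (sorted, unique)
# for every host with 139/open or 445/open.
smb_exposed() {
    awk '/^Host:/ && /Ports:/ {
        ip = $2
        # each port entry looks like "<port>/<state>/<proto>//<service>///"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(139|445)\/open\//) { print ip; break }
        }
    }' | sort -u
}

# usage: feed the sample (or a real smb.txt) through the filter
printf '%s\n' "$SAMPLE_GNMAP" | smb_exposed
```

Hosts where 445 is `filtered` or `closed` are deliberately skipped, so the list is only what actually answers on the SMB ports and needs follow-up.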

Search for the Nmap NSE scripts that target SMB:

```bash
ls -1 /usr/share/nmap/scripts/smb*
    /usr/share/nmap/scripts/smb2-capabilities.nse
    /usr/share/nmap/scripts/smb2-security-mode.nse
    /usr/share/nmap/scripts/smb2-time.nse
    ...
```

### <mark style="color:blue;">Nmap NSE script</mark>

```sh
nmap --script "safe or smb-enum-*" -p 139,445 $targetip
```

{% hint style="info" %}
NSE SMB enumeration scripts:

* `smb-enum-domains`
* `smb-enum-groups`
* `smb-enum-processes`
* `smb-enum-services`
* `smb-enum-sessions`
* `smb-enum-shares`
* `smb-enum-users`
{% endhint %}

```bash
nmap -v -p 139,445 --script=smb-os-discovery $targetip-254
```

Unsafe option: with `--script-args=unsafe=1` the script can crash a vulnerable system:

```bash
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 $targetip
```

Search for known vulnerabilities:

```bash
nmap --script "smb-vuln*" -p 139,445 -oN smb-vuln-scan $targetip
```

## <mark style="color:red;">**Nbtscan**</mark>

```bash
nbtscan -r $targetip/24
```

## <mark style="color:red;">**Enum4linux**</mark>

Run everything (all options apart from dictionary-based share name guessing):

```sh
enum4linux -a $targetip
```

With credentials:

```sh
enum4linux -a -u "<username>" -p "<passwd>" $targetip
```

<details>

<summary>Parameters</summary>

* `-a`: Do all simple enumeration (-U -S -G -P -r -o -n -i).
* `-u <user>`: specify username to use.
* `-p <pass>`: specify password to use.

</details>

Other **enum4linux** commands:

```bash
#Verbose mode, shows the underlying commands being executed by enum4linux
enum4linux -v $targetip
#Lists usernames, if the server allows it - (RestrictAnonymous = 0)
enum4linux -U $targetip
#If you've managed to obtain credentials, you can pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u administrator -p password -U $targetip
#Pulls usernames from the default RID range (500-550,1000-1050)
enum4linux -r $targetip
#Pull usernames using a custom RID range
enum4linux -R 600-660 $targetip
#Lists groups if the server allows it; you can also specify username -u and password -p
enum4linux -G $targetip
#List Windows shares, again you can also specify username -u and password -p
enum4linux -S $targetip
#Perform a dictionary attack, if the server doesn't let you retrieve a share list
enum4linux -s shares.txt $targetip
#Pulls OS information using smbclient, this can pull the service pack version on some versions of Windows
enum4linux -o $targetip
#Pull information about printers known to the remote device.
enum4linux -i $targetip
```

## <mark style="color:red;">Smbclient / smbmap / crackmapexec</mark>

### <mark style="color:blue;">List shared folders</mark>

It is always worth checking whether you can access anything; if you don't have credentials, try **null credentials** or the **guest user**.

```bash
smbclient --no-pass -L //$targetip # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //$targetip #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H $targetip [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H $targetip [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H $targetip [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H $targetip [-P <PORT>] #Recursive list

crackmapexec smb $targetip -u '' -p '' --shares #Null user
crackmapexec smb $targetip -u 'asdasdasd' -p 'asdasdasd' #Random creds: succeeds only if guest access is enabled
crackmapexec smb $targetip -u 'username' -p 'password' --shares #Creds
crackmapexec smb $targetip -u 'username' -H '<HASH>' --shares #Pass-the-Hash
```

### <mark style="color:blue;">**Connect/List a shared folder**</mark>

```bash
#Connect using smbclient
smbclient --no-pass \\\\$targetip\\<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //$targetip 
#If you omit the pwd, you will be prompted for it.
#With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list a share recursively with smbclient

#List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H $targetip [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H $targetip [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H $targetip [-P <PORT>] #Pass-the-Hash
```

### <mark style="color:blue;">Mount Shares</mark> <a href="#mount-shares-mount-smb" id="mount-shares-mount-smb"></a>

```sh
mount -t cifs -o username=user,password=password //$targetip/Share /mnt/share
```

### <mark style="color:blue;">Download Files</mark> <a href="#download-files" id="download-files"></a>

Create a tar file of the files under `users/docs`.

```sh
smbclient //$targetip/Share "" -N -Tc backup.tar users/docs
```

## <mark style="color:red;">Possible Errors</mark>

### <mark style="color:blue;">SMB Protocol Negotiation Failed</mark> <a href="#smb-protocol-negotiation-failed" id="smb-protocol-negotiation-failed"></a>

Normally the SMB client negotiates the appropriate protocol dialect for each connection. However, if the dialects the server offers fall outside the client's default range, the connection fails with an error like this:

```sh
Protocol negotiation failed: NT_STATUS_IO_TIMEOUT
```

### <mark style="color:blue;">Solution</mark> <a href="#solution" id="solution"></a>

Edit the connection protocol range in the client configuration file.\
Add `client min protocol` and `client max protocol` settings to `/etc/samba/smb.conf` under `[global]`.

```ini
# /etc/samba/smb.conf
[global]
client min protocol = CORE
client max protocol = SMB3
```
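Lowering `client min protocol` to `CORE` makes the negotiation succeed against legacy servers, but it also re-enables every SMB1 dialect on the client, so the setting is worth reverting once the engagement is over. The following is an added example, not from the original page: a POSIX shell check that reads the `[global]` section of an `smb.conf` text and reports whether the effective minimum dialect is still SMB1. The two configs are constructed; the dialect ordering and the `SMB2`/`SMB3` aliases (`SMB2_10`, `SMB3_11`) follow the `smb.conf` man page, and the fallback default when the key is unset (`SMB2_02`, Samba 4.11 and later) is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example (not from the original page): flag an smb.conf whose
# client min protocol still permits SMB1 dialects.

# Constructed config matching the workaround on this page.
LEGACY_CONF='[global]
   workgroup = WORKGROUP
   client min protocol = CORE
   client max protocol = SMB3
[homes]
   browseable = no'

# Constructed hardened variant: SMB2_02 is the lowest non-SMB1 dialect.
HARDENED_CONF='[global]
   client min protocol = SMB2_02
   client max protocol = SMB3'

# dialect_rank NAME: print the dialect's position in Samba's ordering
# (man smb.conf); ranks 0-4 are SMB1, SMB2/SMB3 aliases map to their
# documented defaults. Unknown names print -1.
dialect_rank() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        CORE) echo 0 ;; COREPLUS) echo 1 ;; LANMAN1) echo 2 ;; LANMAN2) echo 3 ;; NT1) echo 4 ;;
        SMB2_02) echo 5 ;; SMB2_10|SMB2) echo 6 ;; SMB2_22) echo 7 ;; SMB2_24) echo 8 ;;
        SMB3_00) echo 9 ;; SMB3_02) echo 10 ;; SMB3_10) echo 11 ;; SMB3_11|SMB3) echo 12 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# global_param CONF KEY: value of KEY inside [global] (case-insensitive key,
# last occurrence wins); prints an empty line if unset.
global_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
        insec {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }'
}

# smb1_allowed CONF: "yes" if the effective client min protocol is SMB1.
smb1_allowed() {
    min=$(global_param "$1" "client min protocol")
    # assumption: Samba >= 4.11 defaults client min protocol to SMB2_02
    [ -z "$min" ] && min=SMB2_02
    rank=$(dialect_rank "$min")
    if [ "$rank" -ge 0 ] && [ "$rank" -lt 5 ]; then echo yes; else echo no; fi
}

# usage: compare the page's workaround with the hardened variant
echo "legacy config allows SMB1:   $(smb1_allowed "$LEGACY_CONF")"
echo "hardened config allows SMB1: $(smb1_allowed "$HARDENED_CONF")"
```

Point the functions at the contents of a real `/etc/samba/smb.conf` (`smb1_allowed "$(cat /etc/samba/smb.conf)"`) to confirm the temporary `CORE` setting has been removed again.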
