Merge pull request #749 from noraj/patch-1

pentesting-smb: add From Windows / no third-party tools
Carlos Polop 2023-12-04 09:20:43 +01:00 committed by GitHub
commit 4704e7d368
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 39 additions and 2 deletions


@ -136,8 +136,8 @@ rpcclient -U "username%passwd" <IP> #With creds
### Enumerate Users, Groups & Logged On Users
This info should already being gathered from enum4linux and enum4linux-ng
# This info should already being gathered from enum4linux and enum4linux-ng
```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
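Review bot: the sentence being moved into the fence as a `#` comment keeps the grammatical slip "should already being gathered"; since this line is being rewritten anyway, make it `# This info should already be gathered from enum4linux and enum4linux-ng`. Moving it inside the code block is fine, but a one-line note above the fence would still be more visible to readers who skim only the prose.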
@ -151,16 +151,19 @@ enumdomgroups
```
### Enumerate local users
[Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)
```bash
lookupsid.py -no-pass hostname.local
```
Oneliner
```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```
### Metasploit - Enumerate local users
```bash
use auxiliary/scanner/smb/smb_lookupsid
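Review bot: `lookupsid.py -no-pass hostname.local` only works where the target accepts a null session, and the page never says so; the target argument takes `[[domain/]username[:password]@]<host>`, so state that with credentials the same command becomes `lookupsid.py 'domain/user:pass@hostname.local'`. It would also help to relate this to the rpcclient one-liner that follows: that loop brute-forces RIDs 500-1100 only, whereas lookupsid.py walks up to its `-maxRid` (default 4000), so the two are not equivalent and a reader should know which range each covers. Minor: the link text and fence are fine, but the bare word "Oneliner" reads as a stray heading; "One-liner alternative with rpcclient" would make the relationship clear.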
@ -268,6 +271,40 @@ smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BA
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### **Enumerate shares from Windows / without third-party tools**
PowerShell
```powershell
# Retrieves the SMB shares on the locale computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
get-smbshare -CimSession "<computer name or session object>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```
CMD console
```shell
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```
MMC Snap-in (graphical)
```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
```
explorer.exe (graphical), enter `\\<ip>\` to see the available non-hidden shares.
### Mount a shared folder
```bash
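Review bot: the PowerShell block covers the remote case only through `Get-SmbShare -CimSession`, but nothing says how that session is obtained; add that it is created with `New-CimSession -ComputerName <ip> -Credential (Get-Credential)` (or that the parameter also accepts a plain computer name when the current token is trusted by the target). `Get-WmiObject -Class Win32_Share` is listed as local-only, yet it takes `-ComputerName`/`-Credential` directly, and `Get-CimInstance -ClassName Win32_Share -ComputerName <ip>` is the non-deprecated equivalent, which is the simpler remote path for a box without third-party tools. Typos: "locale computer" should be "local computer", and `get-smbshare` should match the casing `Get-SmbShare` used two lines above. The CMD block is correct as written; it is worth stating next to `net view \\<ip> /all` that `/all` is what reveals the `$`-suffixed hidden shares, since the same caveat is implied for explorer.exe at the end of the section.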