Server Message Block (SMB) is a communication protocol created for providing shared access to files and printers across nodes on a network. Initially, it was designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138. However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer. Modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover.

Enumeration

#Null Session
smbclient -N -L //10.129.14.128

smbmap -H 10.129.14.128

#Using smbmap with -r or -R (recursive) option to browse directories:
smbmap -H 10.129.14.128 -r notes

smbmap -H 10.129.14.128 --download "notes\\note.txt"
smbmap -H 10.129.14.128 --upload test.txt "notes\\test.txt"

Remote Procedure Call (RPC)

Cheat sheet for rpcclient

https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf

https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html (rpcclient man page)

Apart from enumeration, we can use RPC to make changes to the system. Connecting with rpcclient over a null session (empty username and password):

rpcclient -U'%' 10.10.110.17

Enum4linux

The original tool was written in Perl and rewritten by Mark Lowe in Python.

./enum4linux-ng.py 10.10.10.10 -A -C

https://github.com/byt3bl33d3r/CrackMapExec (CrackMapExec repository)

Password Spraying

crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth --continue-on-success
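The null-session and password-spraying activity above leaves a recognisable footprint in Windows Security auditing: anonymous network logons show up as event 4624 with logon type 3 and the account name ANONYMOUS LOGON, and a spray shows up as a burst of 4625 failures from one source against many different accounts, often followed by a 4624 from the same source. The script below is an added example written for this page, not part of the original notes or any of the tools listed; it runs over constructed, simplified log lines (real events would come from a SIEM's field extraction), and the threshold of five distinct accounts within one minute is an assumed starting point to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each line is a simplified
# Windows Security event after field extraction:
#   timestamp  event_id  logon_type  source_ip  target_user
# Event 4625 = failed logon, 4624 = successful logon, logon type 3 = network.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 3 10.10.110.50 alice
2024-05-01T09:00:02 4625 3 10.10.110.50 bob
2024-05-01T09:00:03 4625 3 10.10.110.50 carol
2024-05-01T09:00:04 4625 3 10.10.110.50 dave
2024-05-01T09:00:05 4625 3 10.10.110.50 erin
2024-05-01T09:00:06 4624 3 10.10.110.50 frank
2024-05-01T09:05:00 4625 3 10.10.110.60 alice
2024-05-01T09:06:00 4625 3 10.10.110.60 alice
2024-05-01T09:07:00 4624 3 10.10.110.70 ANONYMOUS LOGON
"""

# Assumed thresholds: a single source failing against this many distinct
# accounts inside the window is treated as a spray. Tune to the environment.
SPRAY_USER_THRESHOLD = 5
SPRAY_WINDOW = timedelta(minutes=1)


def parse_events(text):
    """Parse the simplified records into dicts. The user name is the last
    field and may contain spaces (e.g. ANONYMOUS LOGON), hence maxsplit=4."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, user = line.split(None, 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "user": user,
        })
    return events


def detect_spraying(events, threshold=SPRAY_USER_THRESHOLD, window=SPRAY_WINDOW):
    """Return {src_ip: set_of_users} for sources whose network-logon failures
    (4625, type 3) reach `threshold` distinct accounts within `window`.
    A sliding window per source keeps the check linear in the event count."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["src_ip"]].append(e)
    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start until it fits inside `window`.
            while e["time"] - evs[start]["time"] > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= threshold:
                hits[src] = hits.get(src, set()) | users
    return hits


def detect_null_sessions(events):
    """Return (src_ip, time) for every successful anonymous network logon,
    which is what a null-session connection produces on the target."""
    return [(e["src_ip"], e["time"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["user"].upper() == "ANONYMOUS LOGON"]


def successes_from_spraying_sources(events, hits):
    """Successful network logons from a source already flagged for spraying:
    the account that accepted the sprayed password and needs a reset."""
    return [(e["src_ip"], e["user"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["src_ip"] in hits]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sprays = detect_spraying(evs)
    for src, users in sprays.items():
        print(f"spray from {src}: {len(users)} accounts {sorted(users)}")
    for src, user in successes_from_spraying_sources(evs, sprays):
        print(f"successful logon from spraying source {src} as {user}")
    for src, when in detect_null_sessions(evs):
        print(f"anonymous network logon from {src} at {when.isoformat()}")
```

On the sample data, 10.10.110.50 is flagged for spraying five accounts and its subsequent logon as frank is surfaced as the compromised account, 10.10.110.60 is not flagged because it only fails repeatedly against one user (a lockout pattern rather than a spray), and 10.10.110.70 is reported for the anonymous logon. Restricting anonymous access (RestrictAnonymous / RestrictNullSessAccess) removes the null-session source of that last signal.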