d4Rk's 1337 h4x0r guide

TCP 139, 445: NetBIOS, SMB

NetBIOS is a protocol used for file and print sharing under all current versions of Windows. While this in itself is not a problem, the way the protocol is implemented can be, and a number of vulnerabilities are associated with leaving these ports exposed.

NetBIOS services:

NetBIOS Name Service (TCP/UDP 137)
NetBIOS Datagram Service (TCP/UDP 138)
NetBIOS Session Service (TCP/UDP 139)

TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Related

UDP 137, 138, TCP 139: NetBIOS
SMB Command Reference
Using Credentials, NULL Sessions, PtH Attacks

Enumeration

nbtscan

sudo nbtscan -r <ip-range>

nmap

Check whether the default SMB ports are open

nmap -p139,445 <ip> --open

List SMB scripts

ls -l /usr/share/nmap/scripts | grep smb

Run all SMB scripts

nmap -p139,445 --script "smb*" --script-timeout 30 -oA nmap_smb <ip>

Run all SMB vuln scripts

nmap -p139,445 --script "smb-vuln*" --script-timeout 30 -oA nmap_smb-vuln <ip>
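The `-oA nmap_smb` runs above leave an XML file behind, and the part a defender cares about (which hosts expose SMB, and whether they enforce message signing) is buried in the NSE script output. The following Python script is an added example and not part of the original page: it parses nmap's XML format, lists every host with TCP 139 or 445 open, and reads the signing status from the `smb2-security-mode` / `smb-security-mode` script output so that hosts which do not require signing can be queued for hardening. The embedded XML is a constructed sample (made-up addresses, hostname and script results); only the element and attribute names follow nmap's XML schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: what `nmap -p139,445 --script "smb*" -oA nmap_smb <ip>` writes to
# nmap_smb.xml, reduced to the elements this parser reads. Addresses, hostname and script
# results are made up; the wording follows nmap's smb2-security-mode / smb-security-mode.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 --script smb* -oA nmap_smb 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="&#10;  account_used: guest&#10;  message_signing: disabled (dangerous, but default)"/>
      <script id="smb2-security-mode" output="&#10;  3:1:1: &#10;    Message signing enabled but not required"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="filtered"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="&#10;  3:1:1: &#10;    Message signing enabled and required"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

SMB_PORTS = {"139", "445"}


def signing_required(host):
    """SMB signing status from the host's NSE output: True = required, False = enabled but
    optional or disabled, None = not reported. smb2-security-mode wins over the SMB1-era
    smb-security-mode when both ran."""
    result = None
    for script in host.iter("script"):
        out, sid = script.get("output", ""), script.get("id")
        if sid == "smb2-security-mode":
            if "enabled and required" in out:
                return True
            if "not required" in out:
                return False
        elif sid == "smb-security-mode" and "message_signing:" in out:
            result = "message_signing: required" in out
    return result


def parse_smb_hosts(xml_text):
    """One record per host with TCP 139 or 445 open."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        open_ports = sorted(
            p.get("portid") for p in host.iter("port")
            if p.get("portid") in SMB_PORTS and p.find("state").get("state") == "open")
        if not open_ports:
            continue
        hn = host.find("hostnames/hostname")
        findings.append({
            "addr": host.find("address").get("addr"),
            "hostname": hn.get("name") if hn is not None else None,
            "ports": open_ports,
            "signing_required": signing_required(host),
        })
    return findings


def hosts_needing_attention(findings):
    """SMB hosts that do not enforce signing (or did not report it): the hardening backlog."""
    return sorted(f["addr"] for f in findings if f["signing_required"] is not True)


if __name__ == "__main__":
    results = parse_smb_hosts(SAMPLE_XML)
    for r in results:
        print(f'{r["addr"]:<12} {r["hostname"] or "-":<20} ports={",".join(r["ports"])} '
              f'signing_required={r["signing_required"]}')
    print("needs attention:", hosts_needing_attention(results))
```

Point the script at the real `nmap_smb.xml` by reading the file instead of `SAMPLE_XML`. Hosts that report signing as merely enabled (or disabled) accept unsigned sessions; requiring SMB signing on them is the usual fix.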

enum4linux

enum4linux is a tool for enumerating information from Windows and Samba systems.

enum4linux -a <ip>

Run this in parallel to grep the Samba version out of the traffic

sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'

enum4linux-ng

A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed at security professionals and CTF players. (GitHub - cddmp/enum4linux-ng)

python enum4linux-ng.py -A <ip>

SMBMap

SMBMap is a handy SMB enumeration tool (GitHub - ShawnDEvans/smbmap).

apt install smbmap

List files on target

smbmap -H <ip> -R --depth 5

Enumerate with credentials (password or NTLM hash)

smbmap -d <domain> -u <user> -p <hash:hash or pw> -H <ip>

Find (and download) a file by name

smbmap -R <folder> -H <ip> -A Groups.xml -q

Tools

smbclient

FTP-like client to access SMB/CIFS resources on servers

List shares (unauthenticated)

smbclient -N -L //<ip>

Authenticated

smbclient -L //<ip> -U <user>%<pass>
smbclient \\\\<ip>\\<share>

Connect to share

smbclient //<ip>/<share>

(look for files, containing password, pwd, admin, user, connect, etc.)

Download file

get <file>

Pull all files from (readable) share

recurse ON
prompt OFF
mget *

mount

Mount smb share locally

mount -t cifs -o username=<user>,password=<pw> //<ip>/<share> /mnt/<share>

gpp-decrypt

A simple Ruby script that will decrypt a given GPP encrypted string.

apt install gpp-decrypt
gpp-decrypt <Groups.xml-cpassword>
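gpp-decrypt exists because Group Policy Preferences encrypted the `cpassword` attribute with a key Microsoft published, so anyone who can read SYSVOL can recover those passwords; MS14-025 stopped new ones from being created but left existing ones in place. The Python script below is an added example, not part of this page or of the gpp-decrypt project: it walks a SYSVOL copy (or a mounted share) and reports every preference item that still carries a `cpassword` attribute, so the items can be removed and the accounts rotated. It decrypts nothing. The directory layout, GUIDs and cpassword values it writes to a temporary tree are constructed placeholders; attribute names follow the GPP XML schema.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that can carry a cpassword attribute, found under
# SYSVOL\<domain>\Policies\{GPO-GUID}\(Machine|User)\Preferences\<Area>\<Area>.xml
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed samples: clsid/uid GUIDs and cpassword values are placeholders, not real
# ciphertext; attribute names follow the GPP schema.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="LocalAdmin" changed="2014-06-02 11:38:32" uid="{UID-1}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER-CIPHERTEXT=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{CLSID-PLACEHOLDER}" name="HelpDesk" changed="2015-01-10 08:00:00" uid="{UID-2}">
    <Properties action="U" cpassword="" userName="HelpDesk"/>
  </User>
</Groups>
"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CLSID-PLACEHOLDER}">
  <Drive clsid="{CLSID-PLACEHOLDER}" name="S:" status="S:" uid="{UID-3}">
    <Properties action="U" userName="svc_share" cpassword="PLACEHOLDER-CIPHERTEXT=="
                path="\\\\fs01\\share" label="Share" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"""
# A Groups.xml that only manages membership and stores no password.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <Group clsid="{CLSID-PLACEHOLDER}" name="Administrators (built-in)" uid="{UID-4}">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""


def find_cpasswords(xml_text, source):
    """One finding per element carrying a cpassword attribute in a single GPP file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": source, "element": None, "user": None, "empty": None, "error": str(exc)}]
    findings = []
    for elem in root.iter():
        if "cpassword" in elem.attrib:
            findings.append({
                "file": source,
                "element": elem.tag,
                # Groups/Drives/DataSources use userName, ScheduledTasks runAs, Services accountName
                "user": elem.get("userName") or elem.get("runAs") or elem.get("accountName"),
                "empty": elem.get("cpassword") == "",
            })
    return findings


def scan_gpp_tree(root_dir):
    """Walk a SYSVOL copy (or mounted share) and collect cpassword findings from GPP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
                    findings.extend(find_cpasswords(fh.read(), os.path.relpath(path, root_dir)))
    return findings


def build_sample_tree():
    """Write the constructed samples into a temporary SYSVOL-like layout; returns its root."""
    base = tempfile.mkdtemp(prefix="sysvol_sample_")
    layout = {
        os.path.join("Policies", "{GPO-1}", "Machine", "Preferences", "Groups", "Groups.xml"): SAMPLE_GROUPS_XML,
        os.path.join("Policies", "{GPO-2}", "User", "Preferences", "Drives", "Drives.xml"): SAMPLE_DRIVES_XML,
        os.path.join("Policies", "{GPO-3}", "Machine", "Preferences", "Groups", "Groups.xml"): SAMPLE_CLEAN_XML,
    }
    for rel, text in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    for f in scan_gpp_tree(build_sample_tree()):
        print(f'{f["file"]}: <{f["element"]}> user={f["user"]} '
              f'cpassword={"EMPTY" if f["empty"] else "SET"}')
```

Run `scan_gpp_tree()` against the mount point from the `mount -t cifs` step (or a `Policies` folder copied from a domain controller) instead of the sample tree. An empty `cpassword=""` is reported too, since it still shows the item once set a password and that the account should be checked.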

smbexec

A rapid psexec style attack with samba tools (GitHub - brav0hax/smbexec; GitHub - 404NetworkError/smbexec at fixes).

Grab password hashes from the domain controller

./smbexec

-> 3 "obtain hashes" -> 2 "domain controllers"

crackmapexec

A swiss army knife for pentesting networks (GitHub - byt3bl33d3r/CrackMapExec).

Display help (smb)

cme smb --help
cme smb <ip> -u <user> -H <hash>

null sessions

Pre-Windows 2003 / XP SP2

rpcclient -U "" <ip>

-> Enter empty password

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
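On the target, a null session is a network logon by the Anonymous account, which is what makes it visible in the Security log. The Python script below is an added example and not part of this page: it parses text renderings of Windows event 4624, keeps only Logon Type 3 logons under the well-known Anonymous SID S-1-5-7, drops sources that have been baselined as legitimate, and ranks the rest by source address. The field labels follow the real 4624 message; the SIDs, account names and addresses are made up, and the `---` record separator and the `known_sources` parameter are this example's own conventions.

```python
from collections import Counter

ANONYMOUS_SID = "S-1-5-7"  # well-known SID of NT AUTHORITY\ANONYMOUS LOGON

# Constructed sample: four Security log 4624 records rendered as text. Field labels follow
# the real 4624 message; SIDs, account names and addresses are made up. Records are
# separated by a line containing only "---" (this example's own convention).
SAMPLE_EVENTS = """\
Event ID: 4624
New Logon:
  Security ID: S-1-5-7
  Account Name: ANONYMOUS LOGON
  Account Domain: NT AUTHORITY
  Logon Type: 3
Network Information:
  Source Network Address: 10.0.0.50
---
Event ID: 4624
New Logon:
  Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105
  Account Name: jdoe
  Account Domain: CORP
  Logon Type: 3
Network Information:
  Source Network Address: 10.0.0.21
---
Event ID: 4624
New Logon:
  Security ID: S-1-5-7
  Account Name: ANONYMOUS LOGON
  Account Domain: NT AUTHORITY
  Logon Type: 3
Network Information:
  Source Network Address: 10.0.0.50
---
Event ID: 4624
New Logon:
  Security ID: S-1-5-7
  Account Name: ANONYMOUS LOGON
  Account Domain: NT AUTHORITY
  Logon Type: 3
Network Information:
  Source Network Address: 10.0.0.2
"""


def parse_events(text):
    """Turn '---'-separated records into dicts. Indented 'Field: value' lines are keyed
    'Section/Field', so 'New Logon/Security ID' is not confused with the Subject's SID that
    a full 4624 record also carries; unindented 'Field: value' lines are top-level fields."""
    events = []
    for block in text.strip().split("\n---\n"):
        fields, section = {}, None
        for line in block.splitlines():
            if not line.strip():
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if line[0] in " \t":
                fields[f"{section}/{key}"] = value
            elif value:
                fields[key] = value
            else:
                section = key  # e.g. "New Logon:" opens a section
        events.append(fields)
    return events


def anonymous_network_logons(events, known_sources=()):
    """4624 network logons (type 3) under the Anonymous SID, excluding sources that have been
    baselined as legitimate (the known_sources parameter is this example's own)."""
    return [
        e for e in events
        if e.get("Event ID") == "4624"
        and e.get("New Logon/Logon Type") == "3"
        and e.get("New Logon/Security ID") == ANONYMOUS_SID
        and e.get("Network Information/Source Network Address") not in known_sources
    ]


def sources_by_count(hits):
    """Source addresses ranked by number of anonymous network logons."""
    return Counter(h.get("Network Information/Source Network Address", "?") for h in hits).most_common()


if __name__ == "__main__":
    hits = anonymous_network_logons(parse_events(SAMPLE_EVENTS), known_sources={"10.0.0.2"})
    for src, n in sources_by_count(hits):
        print(f"{src}: {n} anonymous network logon(s)")
```

Some anonymous network logons are normal in a domain (domain controllers produce them among themselves), so collect a baseline before alerting on them. The durable fix for the enumeration shown above is the policy setting "Network access: Do not allow anonymous enumeration of SAM accounts and shares", which the rpcclient session then no longer gets past.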

Metasploit

smb version

Get Samba version

use auxiliary/scanner/smb/smb_version

psexec

use auxiliary/admin/smb/psexec_command
