TCP 139, 445: NetBIOS, SMB
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way the protocol is implemented can be. A number of vulnerabilities are associated with leaving these ports reachable.
NetBIOS services:
NetBIOS Name Service (TCP/UDP 137)
NetBIOS Datagram Service (TCP/UDP 138)
NetBIOS Session Service (TCP/UDP 139)
TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
Related
UDP 137, 138, TCP 139: NetBIOS
Enumeration
nbtscan
sudo nbtscan -r <ip-range>
nmap
Check default SMB ports are open
nmap -p139,445 <ip> --open
List SMB scripts
ls -l /usr/share/nmap/scripts | grep smb
Run all SMB scripts
nmap -p139,445 --script "smb*" --script-timeout 30 -oA nmap_smb <ip>
Run all SMB vuln scripts
nmap -p139,445 --script "smb-vuln*" --script-timeout 30 -oA nmap_smb-vuln <ip>
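The -oA option above writes three files, including the grepable .gnmap format. The following is an added example (not from the original page, and not part of nmap) that parses that .gnmap output into an inventory of hosts exposing TCP 139/445 to the scanning segment, which is what a defender needs in order to firewall or decommission unintended SMB exposure. The scan data embedded below is constructed for the example; the filename nmap_smb.gnmap is only the one the commands above would produce.

```python
import sys
from typing import Dict, List

# Constructed sample of nmap grepable output (.gnmap), in the layout produced by
# `nmap -p139,445 -oA nmap_smb <range>`. Hosts and results are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p139,445 -oA nmap_smb 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 10.0.0.5 (fileserver.example.internal)\tStatus: Up
Host: 10.0.0.5 (fileserver.example.internal)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

SMB_PORTS = {139, 445}


def parse_gnmap(text: str) -> Dict[str, List[int]]:
    """Return {ip: [open SMB ports]} for every host with 139 or 445 open.

    A .gnmap "Ports:" entry has the form
    port/state/protocol/owner/service/rpcinfo/version/ ; only the first three
    fields are needed here, so each entry is split on "/" rather than matched
    with a strict pattern that would break when version info is present.
    """
    exposed: Dict[str, List[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        open_smb = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open" and proto == "tcp" and port in SMB_PORTS:
                open_smb.append(port)
        if open_smb:
            exposed[ip] = sorted(open_smb)
    return exposed


def exposure_report(exposed: Dict[str, List[int]]) -> List[str]:
    """One human-readable line per exposed host, NetBIOS-only hosts called out."""
    lines = []
    for ip, ports in sorted(exposed.items()):
        note = "SMB over NetBT only (139)" if ports == [139] else "direct SMB (445)"
        lines.append(f"{ip}: open {','.join(map(str, ports))} - {note}")
    return lines


if __name__ == "__main__":
    # Usage: python smb_exposure.py nmap_smb.gnmap  (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for row in exposure_report(parse_gnmap(data)):
        print(row)
```

Run it against the .gnmap file written by the nmap commands above; hosts that should not be serving SMB to that network segment are the ones to put behind a host firewall rule or to retire.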
enum4linux
enum4linux is a tool for enumerating information from Windows and Samba systems
enum4linux -a <ip>
Run this in parallel to grep the samba version
sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'
enum4linux-ng
A next-generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed at security professionals and CTF players. GitHub - cddmp/enum4linux-ng
python enum4linux-ng.py -A <ip>
SMBMap
SMBMap is a handy SMB enumeration tool GitHub - ShawnDEvans/smbmap
apt install smbmap
List files on target
smbmap -H <ip> -R --depth 5
Enumerate authenticated
smbmap -d <domain> -u <user> -p <hash:hash or pw> -H <ip>
Find file
smbmap -R <folder> -H <ip> -A Groups.xml -q
Tools
smbclient
FTP-like client to access SMB/CIFS resources on servers
List shares (unauthenticated)
smbclient -N -L //<ip>
Authenticated
smbclient -L //<ip> -U <user>%<pass>
smbclient \\\\$ip\\$share
Mount share
smbclient //<ip>/<share>
(look for files containing: password, pwd, admin, user, connect, etc.)
Download file
get <file>
Pull all files from (readable) share
recurse ON
prompt OFF
mget *
mount
Mount smb share locally
mount -t cifs -o username=<user>,password=<pw> //<ip>/<share> /mnt/<share>
gpp-decrypt
A simple Ruby script that decrypts a given GPP (Group Policy Preferences) cpassword string.
apt install gpp-decrypt
gpp-decrypt <Groups.xml-cpassword>
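The reason gpp-decrypt works at all is that Microsoft published the AES key used for Group Policy Preferences cpassword values (MS14-025), so any cpassword left on SYSVOL is effectively a plaintext password. The following is an added example (not from the original page, and not the gpp-decrypt script) that audits the preference XML files for stored cpassword attributes without decrypting them, so a domain owner can find and remove them and rotate the affected accounts. The Groups.xml content embedded below is constructed for the example; the cpassword value in it is a dummy, and the file-name list reflects the GPP item types that can carry the attribute.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed example of a GPP Groups.xml with one stored cpassword.
# Not from a real domain; the cpassword value is a placeholder, not ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2015-03-01 12:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="EXAMPLE_CPASSWORD_VALUE_NOT_REAL" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" image="2"
        changed="2015-03-01 12:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""

# GPP preference files whose Properties element may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_stored_cpasswords(xml_text: str, source: str = "<inline>") -> List[Dict[str, str]]:
    """Return one finding per element with a non-empty cpassword attribute.

    The value itself is never copied into the finding; only its presence and
    length are reported, which is all an audit needs.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.get("cpassword")
        if not cp:
            continue  # empty cpassword="" means no password is stored
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": elem.get("userName") or elem.get("accountName") or elem.get("name", ""),
            "cpassword_length": str(len(cp)),
        })
    return findings


def audit_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Walk a mounted SYSVOL copy and audit every GPP file that can hold cpassword."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_stored_cpasswords(fh.read(), path))
            except ET.ParseError as exc:
                findings.append({"source": path, "element": "PARSE_ERROR",
                                 "account": "", "cpassword_length": str(exc)})
    return findings


if __name__ == "__main__":
    # Usage: python gpp_audit.py /mnt/sysvol   (falls back to the inline sample)
    import sys
    results = audit_sysvol(sys.argv[1]) if len(sys.argv) > 1 else find_stored_cpasswords(SAMPLE_GROUPS_XML)
    for f in results:
        print(f"{f['source']}: <{f['element']}> account={f['account']!r} cpassword present ({f['cpassword_length']} chars)")
```

Every finding is a password that has to be treated as disclosed: remove the preference item (or recreate it without a password), change the password of the account it set, and re-run the audit until it returns nothing.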
smbexec
A rapid psexec style attack with samba tools
Grab password hashes from the domain controller
./smbexec
-> 3 "obtain hashes" -> 2 "domain controllers"
crackmapexec
A swiss army knife for pentesting networks GitHub - byt3bl33d3r/CrackMapExec
Display help (smb)
cme smb --help
Using Credentials, NULL Sessions, PtH Attacks
cme smb <ip> -u <user> -H <hash>
null sessions
Typically possible on systems older than Windows 2003 / XP SP2
rpcclient -U "" <ip>
-> Enter empty password
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
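On the Windows side, a null session such as the rpcclient one above shows up in the Security log as event 4624 with logon type 3 (network) and the account NT AUTHORITY\ANONYMOUS LOGON. The following is an added example (not from the original page) of a detection that groups such events by source address, which is how a SOC would spot one host walking the domain controller and file servers anonymously. The events embedded below are constructed in a JSON-lines form with the 4624 EventData field names; the hosts, addresses and counts are made up.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample of Security events as a log shipper might forward them:
# one JSON object per line, keyed by the 4624 EventData names. Values are made up.
SAMPLE_LOG = """\
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserName": "FS01$", "TargetDomainName": "CORP", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"}
{"EventID": 4624, "Computer": "FS01", "LogonType": 2, "TargetUserName": "alice", "TargetDomainName": "CORP", "AuthenticationPackageName": "Kerberos", "IpAddress": "127.0.0.1"}
{"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"}
{"EventID": 4625, "Computer": "FS01", "LogonType": 3, "TargetUserName": "bob", "TargetDomainName": "CORP", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.42"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.23"}
"""


def parse_jsonl(text: str) -> List[dict]:
    """Parse JSON-lines input, skipping blank or malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_null_session_logon(ev: dict) -> bool:
    """4624 + network logon + ANONYMOUS LOGON is the signature of a null session."""
    return (
        ev.get("EventID") == 4624
        and ev.get("LogonType") == 3
        and str(ev.get("TargetUserName", "")).upper() == "ANONYMOUS LOGON"
    )


def detect_null_sessions(events: Iterable[dict], min_hosts: int = 1) -> Dict[str, dict]:
    """Group anonymous network logons by source IP.

    Returns {ip: {"count": n, "targets": [hosts]}} for sources that reached at
    least `min_hosts` distinct machines. Raising min_hosts to 2 suppresses the
    single-host anonymous logons some services generate legitimately and keeps
    the "one source, many servers" pattern of an enumeration sweep.
    """
    by_source: Dict[str, dict] = defaultdict(lambda: {"count": 0, "targets": set()})
    for ev in events:
        if not is_null_session_logon(ev):
            continue
        src = ev.get("IpAddress", "-")
        by_source[src]["count"] += 1
        by_source[src]["targets"].add(ev.get("Computer", "?"))
    return {
        src: {"count": d["count"], "targets": sorted(d["targets"])}
        for src, d in by_source.items()
        if len(d["targets"]) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in detect_null_sessions(parse_jsonl(SAMPLE_LOG), min_hosts=2).items():
        print(f"{src}: {info['count']} anonymous network logons on {', '.join(info['targets'])}")
```

Baseline first: some domain controllers see a steady trickle of anonymous logons from monitoring or legacy components, so the alert should be tuned on the number of distinct targets per source rather than on any single event, and corroborated with event 5140 accesses to the IPC$ share from the same address. The remediation for the finding itself is the RestrictAnonymous / RestrictAnonymousSAM policies and requiring SMB signing, not just watching for it.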
Metasploit
smb version
Get samba version
use auxiliary/scanner/smb/smb_version
psexec
use auxiliary/admin/smb/psexec_command