
Without Credentials

Host Discovery

nmap -sn 192.168.2.0/24
fping -a -g 192.168.2.0/24 2>/dev/null

Scan the network

If we find a vulnerable host, we can easily get access to a machine (see Classic Attacks).

# Enumerate smb hosts
cme smb IP/CIDR

# Search smb vulns
nmap -PN --script smb-vuln* -p 139,445 IP

Zone transfer

dig axfr <domain> @<nameserver>

List guest access on smb share

Enumerate null session (smbmap)

smbmap -u "" -p "" -H <dc-ip>
smbmap -u "guest" -p "" -H <dc-ip>

To list all drives

smbmap -H <ip> -u <user> -p <pass> -L

To list contents of C$

smbmap -H <ip> -u <user> -p <pass> -r 'C$'

To upload files

smbmap -H <ip> -u <user> -p <pass> --upload '/root/backdoor' 'C$\backdoor'

To download files

smbmap -H <ip> -u <user> -p <pass> --download 'C$\flag.txt'

To execute commands

smbmap -H <ip> -u <user> -p <pass> -x 'ipconfig'

Enumerate null session (smbclient)

smbclient -L <ip> -N
smbclient //<ip>/public -N

Enumerate with credentials

smbclient -L <ip> -U <user>
smbclient //<ip>/public -U <user>

Enumerate null session (enum4linux)

enum4linux -a -u "" -p "" <dc-ip>
enum4linux -a -u "guest" -p "" <dc-ip>

Enumerate null session (crackmapexec)

cme smb <ip> -u "" -p ""

Enumerate anonymous access (any non-existent user with an empty password is treated as guest)

cme smb <ip> -u "a" -p ""

Enumerate ldap

# Anonymous bind; -s takes a scope (base|one|sub), so query the root DSE first to learn the naming contexts
ldapsearch -x -H ldap://<ip> -s base

Find User List

cme smb <ip> --users
cme smb <ip> --users | grep -E '^\s*SMB\s' | awk '{print $5}'
crackmapexec smb <ip> -u "" -p "" --rid-brute > valid_ad
crackmapexec smb <ip> -u "guest" -p "" --rid-brute | grep -oP '(?<=: ).*(?= \(SidTypeUser\))' | awk -F'\\\\' '{print $2}' > valid_ad
enum4linux -U <dc-ip> | grep "user"
net rpc group members "Domain Users" -W "<domain>" -I "<ip>" -U "%"
rpcclient -U "" -N <ip>
rpcclient $> enumdomusers

rpcclient -U "" -N -c "enumdomusers" 10.10.10.172 | grep "^user:" | awk '{print $1}' | cut -d: -f2 | sed 's/\[\|\]//g'
python windapsearch.py -u "" --dc-ip 10.10.10.172 -U --admin-objects
python windapsearch.py -u "" --dc-ip 10.10.10.172 -U -m "<group>"
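The grep/awk/sed pipelines above break on usernames that contain spaces and silently mix groups into the user list. The parser below is an added example, not part of the original notes: it handles the `rpcclient enumdomusers` and `cme --rid-brute` output formats on constructed sample output (host `DC01` and domain `CORP` are made up; `10.10.10.172` is the address used above).

```python
"""Parse rpcclient 'enumdomusers' and crackmapexec '--rid-brute' output into
clean user lists. Sample output below is constructed, not captured from a host."""
import re
from typing import Dict, List, Tuple

# rpcclient prints one entry per line:  user:[Administrator] rid:[0x1f4]
RPC_USER_RE = re.compile(r"^user:\[(?P<user>[^\]]*)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")

# cme prints, after its SMB/ip/port/host columns:  500: DOMAIN\Administrator (SidTypeUser)
CME_RID_RE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


def parse_rpcclient_users(output: str) -> Dict[str, int]:
    """Map username -> RID (decimal) from rpcclient enumdomusers output."""
    users: Dict[str, int] = {}
    for line in output.splitlines():
        m = RPC_USER_RE.match(line.strip())
        if m:
            users[m.group("user")] = int(m.group("rid"), 16)
    return users


def parse_cme_rid_brute(output: str) -> List[Tuple[int, str, str, str]]:
    """Return (rid, domain, name, sid_type) for every resolved RID, groups included."""
    rows = []
    for line in output.splitlines():
        m = CME_RID_RE.search(line)
        if m:
            rows.append((int(m.group("rid")), m.group("domain"), m.group("name"), m.group("type")))
    return rows


def user_accounts(rows: List[Tuple[int, str, str, str]]) -> List[str]:
    """Keep only SidTypeUser entries, de-duplicated, order preserved (same filter as the grep -oP above)."""
    seen: List[str] = []
    for _rid, _domain, name, sid_type in rows:
        if sid_type == "SidTypeUser" and name not in seen:
            seen.append(name)
    return seen


# Constructed sample output (hostname and domain are invented).
RPC_SAMPLE = "user:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\n" \
             "user:[krbtgt] rid:[0x1f6]\nuser:[svc backup] rid:[0x452]\n"
CME_SAMPLE = """SMB   10.10.10.172  445  DC01  [+] Brute forcing RIDs
SMB   10.10.10.172  445  DC01  500: CORP\\Administrator (SidTypeUser)
SMB   10.10.10.172  445  DC01  512: CORP\\Domain Admins (SidTypeGroup)
SMB   10.10.10.172  445  DC01  1106: CORP\\svc backup (SidTypeUser)
SMB   10.10.10.172  445  DC01  1106: CORP\\svc backup (SidTypeUser)
"""
```

`user_accounts(parse_cme_rid_brute(CME_SAMPLE))` yields the same names as the `valid_ad` pipeline, but with "svc backup" intact and the group entry dropped.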