# 445 - SMB

### Table of Contents

* [Enumerating Host](#enumerating-host)
* [List Shares](#list-shares)
* [Enumerating Files](#enumerating-files)
* [Enumerating Users](#enumerating-users)
* [Kerberos Authentication](#kerberos-authentication)
* [Checking For Vulnerabilities](#checking-for-vulnerabilities)

### Enumerating Host

{% code overflow="wrap" %}

```bash
# Provides the hostname, the domain, the OS version, and details about SMB version and if signing is enabled.
netexec smb 10.10.10.100
```

{% endcode %}

### List Shares

```bash
# List shares without a password (no authentication)
smbmap -H 10.10.10.100
smbclient -N -L //10.10.10.100
netexec smb 10.10.10.100 --shares
netexec smb 10.10.10.100 --shares -u 'guest' -p ''
netexec smb 10.10.10.100 --shares -u 'fake_user' -p 'fake_pass'

# List shares with a username and password
smbmap -H 10.10.10.100 -u user1 -p password1
smbclient //10.10.10.100/share1 -U user1%password1
netexec smb 10.10.10.100 --shares -u 'user1' -p 'password1'
```

### Enumerating Files

```bash
# Get to share1 with NULL authentication
smbclient -N //10.10.10.100/share1

# Get to share1 with authentication
smbclient -U user1%password1 //10.10.10.100/share1

# Run through all the shares and collect data about all the files.
netexec smb 10.10.10.100 -u user1 -p '' -M spider_plus
```

### Enumerating Users

* **SID/RID cycling** is an enumeration technique used in Windows/Active Directory environments: an attacker who knows the **Domain SID** appends candidate **RIDs** to it and resolves each resulting SID to a name. It works when anonymous (null session) access is allowed or when the attacker holds **valid but low-privilege creds.**

  ```bash
  # Use credentials to perform a RID cycling attack.
  impacket-lookupsid candy.LOCAL/user1:password1@10.10.10.100

  # Use NULL auth to perform a RID cycling attack.
  netexec smb 10.10.10.100 -u guest -p '' --rid-brute
  impacket-lookupsid -no-pass toffee.bth@10.10.10.100
  ```
* `impacket-samrdump` talks DCE/RPC over SMB and uses the SAMR RPC interface.\
  SAMR is the **Security Account Manager (SAM) Remote Protocol**, which provides management functionality for an account store or directory containing users and groups. The goal of the protocol is to enable IT administrators and users to manage users, groups, and computers.

  ```bash
  # Use the SAM remote interface to enumerate users as well as basic information about each user
  # SMB (445)
  # └── DCE/RPC
  #      └── SAMR
  impacket-samrdump candy.local/user1:password1@10.10.10.100
  ```
* `rpcclient` lets you manually issue RPC calls and uses different RPC interfaces depending on the command. On port 445, Windows exposes many RPC services; **SAMR** is one of them and focuses on user and group enumeration. Because `rpcclient` is also an **RPC client for the SAMR protocol**, we can use it to enumerate info such as users and groups.

  ```bash
  # SMB (445)
  # └── DCE/RPC
  #     ├── SAMR (Eg: queryuser)
  #     ├── LSARPC (Eg: lsaquery)
  #     ├── SRVSVC
  #     └── NETLOGON

  # Use NULL auth.
  rpcclient -U "" -N 10.10.10.100

  # Use creds for auth.
  rpcclient -U user1%password1 10.10.10.100

  # Once in, use the following commands.
  querydominfo  # Retrieves domain info: domain name, server, number of users
  enumdomusers  # List users in the domain
  enumdomgroups # List groups in the domain
  querygroup <RID> # Get info about a group
  querygroupmem <RID> # Get the RIDs of the users in a group
  queryuser <username> # Get info about a user
  ```
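All three tools above work with domain SIDs of the form `<domain SID>-<RID>`. The following Python is added here as an illustration (it is not from the page or from any of the listed tools): it encodes and decodes SIDs in their binary layout, splits a domain account SID into domain part and RID, and labels the well-known RIDs you would expect to see in lookupsid or samrdump output; the SID values used are constructed.

```python
import struct

# Standard Windows RIDs worth recognising in enumeration output (real values, not constructed).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split 'S-1-5-21-...' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]

def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    rev, auth, subs = parse_sid(sid)
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    header = bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary layout back into 'S-1-...' form, checking the length field."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the buffer length")
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (rev, auth, *subs))

def split_domain_rid(sid: str) -> tuple[str, int]:
    """A domain account SID is <domain SID>-<RID>; RID cycling varies only the last part."""
    rev, auth, subs = parse_sid(sid)
    if auth != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError("not an S-1-5-21 domain account SID")
    return "S-" + "-".join(str(x) for x in (rev, auth, *subs[:-1])), subs[-1]

def label_rid(rid: int) -> str:
    """Name well-known RIDs; RIDs from 1000 upward are objects created in the domain."""
    return WELL_KNOWN_RIDS.get(rid, "domain-created object" if rid >= 1000 else "other well-known")
```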

### Kerberos Authentication

Some environments have NTLM authentication disabled, forcing all auth to occur over Kerberos. **smbclient** and **smbmap** authenticate with **NTLM over SMB** by default.

```bash
# Use impacket's smbclient with -k to use Kerberos and -no-pass to use a cached ticket
impacket-smbclient 'toffee.bth/user1:password1@dc.domain.bth' -k -no-pass

# Get a TGT and connect with smbclient
kinit user@candy.LOCAL && smbclient //dc1.candy.local/NETLOGON -k
```

### Checking For Vulnerabilities

```bash
# Run all the smb-vuln* NSE scripts against the SMB ports (glob quoted so the shell does not expand it)
nmap --script "smb-vuln*" -p 139,445 10.10.10.100
```
