Quick SMB cheatsheet

Learnt from tryhackme's

NetBIOS stands for Network Basic Input Output System. It is a software protocol that allows applications, PCs, and desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and usually separate from the computer name. Two applications start a NetBIOS session when one (the client) sends a command to “call” another client (the server) over TCP port 139. (extracted from here)

While port 139 is known technically as ‘NBT over IP’, port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Block’. In modern usage SMB is also referred to as the Common Internet File System (CIFS). It operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communication between nodes on a network.

For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445. On other systems, you’ll find services and applications using port 139. This means that SMB is running with NetBIOS over TCP/IP. (extracted from here)
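The 16-byte NetBIOS names described above do not travel as plain text: RFC 1001/1002 "first-level" encoding turns each name into 32 letters A..P inside NBNS queries (UDP/137) and NBT session requests (TCP/139). The Python below is an added example, not code from the original cheatsheet or from nbtscan, that encodes and decodes that form so you can read the names in a packet capture of the tools listed on this page; the suffix table lists the common documented service suffixes.

```python
# Added example: NetBIOS first-level name encoding (RFC 1001/1002).
# A name is padded to 15 bytes, a 16th "suffix" byte identifies the
# service, and each nibble is mapped to a letter 'A' (0) .. 'P' (15).

# Commonly documented 16th-byte suffixes.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}

def encode_netbios_name(name: str, suffix: int = 0x20, pad: bytes = b" ") -> str:
    """Return the 32-letter encoding of a NetBIOS name plus suffix byte.

    Normal names are space-padded; the '*' wildcard used by NBSTAT
    (what nbtscan sends) is NUL-padded, hence the `pad` parameter.
    """
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters plus a suffix")
    raw = raw.ljust(15, pad) + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(0x41 + (b >> 4)))      # high nibble -> 'A'..'P'
        out.append(chr(0x41 + (b & 0x0F)))    # low nibble  -> 'A'..'P'
    return "".join(out)

def decode_netbios_name(encoded: str):
    """Reverse the encoding: return (name, suffix) from 32 letters A..P."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    # Strip space or NUL padding from the 15-byte name part.
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def wire_label(name: str, suffix: int = 0x20, pad: bytes = b" ") -> bytes:
    """Length-prefixed label as it appears on the wire (empty scope)."""
    enc = encode_netbios_name(name, suffix, pad).encode("ascii")
    return bytes([len(enc)]) + enc + b"\x00"

def describe(encoded: str) -> str:
    """Human-readable NAME<suffix> form, as nbtscan/nmblookup print it."""
    name, suffix = decode_netbios_name(encoded)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown suffix')}"
```

Seeing `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA` in a capture of UDP/137 traffic is the `*<00>` wildcard NBSTAT query that NetBIOS scanners send.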

This will be updated as I keep learning new things.

nbtscan 192.168.1.17 (NetBIOS name lookup over UDP/137)

nmap -p139,445 --script=smb-enum-shares <host>

nmap -p139,445 -sC -Pn <host>

smbmap -H <host>

smbmap -H <host> -u <username> -p <password> (also lists shares that are only visible to authenticated users)

smbclient -L <host>

smbclient -L <host> -U <username>%<password> (also lists shares that are only visible to authenticated users) Eg: smbclient -L <host> -U harsh%1234

net view \\<host> /All (Windows only)

use auxiliary/scanner/smb/smb_enumshares (metasploit)

use auxiliary/scanner/smb/smb_lookupsid (metasploit - enumerates other users and groups via SID lookups using an existing login:pass)

nmap -p139,445 --script "smb-vuln*" <ip> (quote the pattern so the shell does not expand the asterisk)

smbmap -H <host> -r (recursively list the contents of readable shares)

To log in to an SMB share:

1) Anonymous share login:

smbclient --no-pass //<host>/<Shared Folder>

2) Share login:

smbclient //<IP>/<Shared Folder> -U <username>%<password>

smbclient -U <username>%<NT hash> --pw-nt-hash //<host>/<Shared Folder> (the value given as the password is treated as the NT hash instead of a plaintext password, i.e. pass the hash)

3) Null Session:

smbclient -U '%' -N //<host>/<Shared Folder>

4) Mount Shares:

mount -t cifs //<host>/<share> /mnt/share

mount -t cifs -o "username=user,password=password" //<host>/<share> /mnt/share (credentials on the command line end up in shell history and process listings; -o credentials=<file> with a mode 600 file avoids that)
