11 SMB Part 1

TCP ports 139, 445

Nmap Scripts make use of OS discovery and the various SMB enumeration scripts in particular to chcek for know SMB protocol vulnerabilities, you can invoke one of the nmap smb-vuln scripts e.g. nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201

View Shares

smbclient -L //<hostname> 
smbclient -L //<hostname> -U% 

Connect to Shares

smbclient //<hostname>/<share> -U<username>%<password> 

Download everything

smb: \> recurse ON 
smb: \> prompt OFF 
smb: \> mget * 

smbmap

smbmap -H lists file shares and permissions there are also many other uses for the tool see the help page for more info

smbmap -R -H recursively list all files in folders in a share located on a specific system

smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q download a file from the share

*** It does not download the file to the current directory 
    it's easiest to identify where it is stored by using find or locate 
    e.g. updatedb; locate Groups.xml 
    e.g. find / -name *Groups.xml 2>/dev/null

smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100

Metasploit

auxiliary/scanner/smb/smb_version  
    enumerate smb version 

Enumerate SMB users

python3 /opt/impacket/examples/lookupsid.py <username>:<password>@<ip address or hostname> 

root@kali:/opt/impacket/examples# python3 lookupsid.py hazard:stealth1agent@10.10.10.149 Impacket v0.9.22.dev1+20201112.141202.d1ced941 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149 
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc] 
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112 
500: SUPPORTDESK\Administrator (SidTypeUser) 
501: SUPPORTDESK\Guest (SidTypeUser) 
503: SUPPORTDESK\DefaultAccount (SidTypeUser) 
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser) 
513: SUPPORTDESK\None (SidTypeGroup) 
1008: SUPPORTDESK\Hazard (SidTypeUser) 
1009: SUPPORTDESK\support (SidTypeUser) 
1012: SUPPORTDESK\Chase (SidTypeUser) 
1013: SUPPORTDESK\Jason (SidTypeUser)