Table of Contents

  1. Basic Usage
    1. Overview
    2. Command Syntax
    3. Common Tools
  2. Enumeration Techniques
    1. Basic Share Enumeration
    2. File and Directory Analysis
    3. User Enumeration
  3. Advanced Techniques
    1. Recursive Enumeration
    2. Scripting and Automation
  4. Combining Tools
    1. SMB and Nmap
    2. CrackMapExec with Other Tools
  5. Monitoring and Logging
    1. Real-time Monitoring
    2. Logging and Output
  6. Glossary

Basic Usage

Overview

The Server Message Block (SMB) protocol provides shared access to files, directories and resources such as printers and named pipes over a network. Windows hosts expose it directly on TCP 445 and, through the NetBIOS session service, on TCP 139; scan both. This guide focuses on enumerating and analyzing SMB services during authorized penetration testing: which shares a host exports, what an anonymous (null) or guest session is allowed to read, and which users and groups the host will disclose.

Command Syntax

Common Syntax:

[tool-name] [options] [target]
  • [tool-name]: The tool used (e.g., smbclient, rpcclient, nmap).
  • [options]: Flags or arguments specifying behavior.
  • [target]: The IP address or domain name of the SMB server.

Common Tools

1. smbclient

  • ftp-like client from Samba for listing shares, browsing them and transferring files.
  • Example (-U "user" prompts for the password; -U "DOMAIN/user%password" supplies it inline for scripting; -N sends no password at all):

      smbclient //TARGET_IP/SHARE_NAME -U "user"
    

2. rpcclient

  • MS-RPC client that talks to SAMR, LSARPC and SRVSVC over SMB named pipes; this is where user, group, password-policy and share information comes from.
  • Example (opens an interactive prompt; -c "cmd1; cmd2" runs commands non-interactively instead):

      rpcclient -U "user" TARGET_IP
    

3. CrackMapExec

  • Runs the same SMB check against one or many hosts at once (share listing, credential validation, password policy) and records results in its own database. Development continues under the name NetExec, invoked as nxc with the same syntax.
  • Example:

      crackmapexec smb TARGET_IP --shares -u "user" -p "password"
    

Enumeration Techniques

Basic Share Enumeration

Using smbclient

  • Command (-L lists shares instead of connecting to one; -N sends no password, i.e. a null session):

      smbclient -L //TARGET_IP -N
    
  • If the null session is refused (NT_STATUS_ACCESS_DENIED), retry as guest with -U "guest%" or with any low-privileged domain account; a trailing "SMB1 disabled -- no workgroup available" line is harmless.
  • Output shows available shares:

      Sharename       Type      Comment
      ---------       ----      -------
      print$          Disk      Printer Drivers
      shared          Disk      General Share
      IPC$            IPC       IPC Service
    

Using rpcclient

  • Command (-N suppresses the password prompt; without it rpcclient waits for input):

      rpcclient -U "" -N TARGET_IP
    
  • Query shares from the rpcclient prompt. netshareenumall asks SRVSVC for info level 502, which needs administrative rights and is denied to anonymous callers on current Windows; netshareenum (level 1) sometimes still answers, and srvinfo gives the OS and server type either way:

      netshareenumall
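Share listings are mostly noise: IPC$, ADMIN$ and the drive-root shares appear on every Windows host, and only the custom shares are worth browsing. The script below is an added example, not part of the original guide, that parses `smbclient -L` output, drops the stock administrative shares and, when the assumed variable TARGET_IP is set, tests whether each remaining share is readable over a null session. SAMPLE_SHARES is constructed for the example rather than captured from a real host.

```bash
#!/usr/bin/env bash
# Added example: triage the share list that `smbclient -L //TARGET_IP -N`
# prints. Default administrative shares (IPC$, ADMIN$, C$/D$, print$) are
# present on almost every Windows host; the custom ones are what to browse.
# SAMPLE_SHARES is constructed for this example, not output from a real host.

SAMPLE_SHARES='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        shared          Disk      General Share
        backup          Disk      Nightly backups
        dev$            Disk      
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       IPC Service
SMB1 disabled -- no workgroup available'

# Read smbclient -L output on stdin; print one name per line for every Disk
# share that is not a stock administrative share. A trailing $ only hides a
# share from browse lists, so custom hidden shares (dev$) are kept.
interesting_shares() {
    awk '
        $2 != "Disk"                     { next }   # header, separator, IPC$, noise
        $1 ~ /^(ADMIN|print)[$]$/        { next }   # stock admin shares
        $1 ~ /^[A-Za-z][$]$/             { next }   # C$, D$, ... drive roots
                                         { print $1 }
    '
}

# Live use (assumed variable TARGET_IP): list, triage, then test whether each
# candidate is readable anonymously. Only runs when TARGET_IP is set.
probe_shares() {
    host="$1"
    smbclient -L "//$host" -N 2>/dev/null | interesting_shares |
    while read -r share; do
        if smbclient "//$host/$share" -N -c 'ls' >/dev/null 2>&1; then
            printf '%s\t%s\tREADABLE (null session)\n' "$host" "$share"
        else
            printf '%s\t%s\tdenied\n' "$host" "$share"
        fi
    done
}

if [ -n "${TARGET_IP:-}" ]; then
    probe_shares "$TARGET_IP"
else
    printf '%s\n' "$SAMPLE_SHARES" | interesting_shares
fi
```

Run it without TARGET_IP to see the triage on the sample (shared, backup and dev$ survive); with TARGET_IP set it performs the listing and the per-share read test for real. Swap -N for -U "guest%" in both smbclient calls if the host refuses null sessions but allows guest.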
    

File and Directory Analysis

Directory Browsing

  • Command:

      smbclient //TARGET_IP/shared -N
    
  • Navigation (the prompt is ftp-like):

    • ls: List contents.
    • cd [folder]: Change directory; paths use backslashes, e.g. cd backup\old.
    • recurse and prompt: Toggle recursion and per-file confirmation, so that mget * pulls a whole tree without asking.

Download Files

  • Command (from the smbclient prompt; an optional second argument sets the local file name):

      get [file-name] [local-name]
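On a large share the question is not how to download but what to download. The script below is an added example, not from the original guide: it parses the recursive listing that `smbclient //host/share -N -c "recurse; ls"` prints (one block per directory with a `\path` header followed by `name ATTRS size date` rows), skips directories, flags names that typically hold credentials or configuration, and emits a non-interactive `get` command for each. SAMPLE_LISTING is constructed for the example, and SHARE (for instance //TARGET_IP/shared) is an assumed variable that switches the script from the sample to a live share.

```bash
#!/usr/bin/env bash
# Added example: find the files worth pulling in a recursive listing.
# `smbclient //host/share -N -c "recurse; ls"` prints one block per directory
# (a "\path" header, then "  name  ATTRS  size  date" rows). This parses that
# format, skips directories, flags names that usually hold credentials or
# configuration, and emits a get command for each. SAMPLE_LISTING is
# constructed; SHARE (e.g. //TARGET_IP/shared) is an assumed variable.

SAMPLE_LISTING='  .                                   D        0  Mon Jan  1 10:00:00 2024
  ..                                  D        0  Mon Jan  1 10:00:00 2024
  backup                              D        0  Mon Jan  1 10:00:00 2024
  readme.txt                          A      120  Mon Jan  1 10:00:00 2024
  Deploy Notes.docx                   A    48213  Tue Feb 13 09:15:42 2024

\backup
  .                                   D        0  Mon Jan  1 10:00:00 2024
  ..                                  D        0  Mon Jan  1 10:00:00 2024
  web.config                          A     2048  Mon Jan  1 10:00:00 2024
  db_backup.sql                       A  5242880  Wed Mar 20 23:59:01 2024
  unattend.xml                       AH     9831  Wed Mar 20 23:59:01 2024

    4194304 blocks of size 1024. 2097152 blocks available'

# Recursive listing (stdin) -> "size<TAB>\path\name" for each flagged file.
interesting_files() {
    awk '
        /^\\/ { dir = $0; next }                        # directory header
        /^  / && $0 ~ / +[A-Z]+ +[0-9]+ +[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9]+$/ {
            attrs = $(NF-6); size = $(NF-5)
            if (attrs ~ /D/) next                       # directory, not a file
            name = $0
            sub(/ +[A-Z]+ +[0-9]+ +[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9]+$/, "", name)
            sub(/^ +/, "", name)                        # names may contain spaces
            lname = tolower(name)
            if (lname ~ /\.(config|ini|xml|ps1|bat|vbs|kdbx|pem|key|pfx|sql|bak)$/ ||
                lname ~ /pass|cred|secret|unattend|backup/)
                printf "%d\t%s\\%s\n", size, dir, name
        }
    '
}

# Flagged list (stdin) -> one non-interactive smbclient get per file.
download_commands() {
    share="$1"
    while read -r size path; do
        printf "smbclient %s -N -c 'get \"%s\"'\n" "$share" "$path"
    done
}

if [ -n "${SHARE:-}" ]; then
    smbclient "$SHARE" -N -c "recurse; ls" | interesting_files | download_commands "$SHARE"
else
    printf '%s\n' "$SAMPLE_LISTING" | interesting_files
fi
```

The name patterns are a starting point, not a complete list; extend the extension and keyword regexes to match the engagement (for example .docx and .xlsx if document content is in scope). Sizes are printed so that multi-gigabyte backups can be deliberately skipped rather than pulled by accident.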
    

User Enumeration

Using rpcclient

  • Enumerate users (via SAMR; prints each account name with its RID in hex; querydispinfo lists names and descriptions in one call):

      enumdomusers
    
  • Get user details such as description, last logon and account flags (the RID may be given in decimal or hex, e.g. queryuser 500 or queryuser 0x1f4):

      queryuser [RID]
    

Advanced Techniques

Recursive Enumeration

Automate enumeration of subdirectories. smbmap needs -R to recurse; --depth only limits how far the recursion goes (default 5). Add -u/-p for credentials, or -u guest if null sessions are refused:

  • Command:

      smbmap -H TARGET_IP -R --depth 2
    

Scripting and Automation

Bash Loop with rpcclient

  • Example. Use this when enumdomusers is denied but queryuser still answers. -N is required, otherwise rpcclient prompts for a password on every iteration. queryuser takes a decimal RID directly, so no hex conversion is needed. RIDs 500-550 cover the built-in accounts (500 Administrator, 501 Guest, 502 krbtgt); accounts created later start at 1000, so extend the range for those:

      for i in {500..550}; do
          rpcclient -U "" -N TARGET_IP -c "queryuser $i" 2>/dev/null | grep -E 'User Name|Description'
      done
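Guessing a RID range opens one SMB connection per guess and misses every account outside the range. When enumdomusers is permitted, a better pattern is to take the RIDs it returns and query all of them in a single rpcclient session. The script below is an added example, not from the original guide; SAMPLE_ENUMDOMUSERS is constructed output, TARGET_IP is an assumed variable, and rpcclient is only invoked when that variable is set, so the script runs offline against the sample.

```bash
#!/usr/bin/env bash
# Added example: drive queryuser from the RIDs enumdomusers returns instead of
# guessing a range, and ask for them all in one rpcclient session rather than
# one connection per RID. SAMPLE_ENUMDOMUSERS is constructed for this example;
# TARGET_IP is an assumed variable and the network is only touched when it is set.

SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]
user:[j.doe] rid:[0x452]'

# enumdomusers output (stdin) -> "name decimal_rid" lines. rpcclient prints
# RIDs in hex; queryuser accepts either form, decimal is just easier to read.
rids_from_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[0x\([0-9a-fA-F]*\)\]$/\1 \2/p' |
    while read -r name hexrid; do
        printf '%s %s\n' "$name" "$((0x$hexrid))"
    done
}

# "name rid" lines (stdin) -> a single semicolon-separated rpcclient -c string.
queryuser_batch() {
    awk '{ cmds = cmds (cmds ? "; " : "") "queryuser " $2 } END { print cmds }'
}

# Null-session user enumeration in two round trips. If enumdomusers is denied,
# fall back to the RID loop in the guide above, or to lookupsids/lookupnames.
enumerate_users() {
    host="$1"
    cmds="$(rpcclient -U "" -N "$host" -c enumdomusers | rids_from_enumdomusers | queryuser_batch)"
    [ -n "$cmds" ] && rpcclient -U "" -N "$host" -c "$cmds"
}

if [ -n "${TARGET_IP:-}" ]; then
    enumerate_users "$TARGET_IP"
else
    printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | rids_from_enumdomusers
    printf 'would run: rpcclient -U "" -N TARGET_IP -c "%s"\n' \
        "$(printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | rids_from_enumdomusers | queryuser_batch)"
fi
```

Against the sample the parser yields Administrator 500 through j.doe 1106 and the batch string "queryuser 500; queryuser 501; ...", which is what the second rpcclient call receives. Replace -U "" -N with -U "DOMAIN/user%pass" in both calls when the target only answers authenticated SAMR queries.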
    

Combining Tools

SMB and Nmap

  1. Find SMB listeners and fingerprint them (-sC runs the default NSE scripts, which include smb-os-discovery and smb2-security-mode, so the output shows OS, domain and whether signing is required; add -oG file to keep a grepable copy):

     nmap -p 139,445 -sC -sV TARGET_IP
    
  2. Feed each host with 445 open into smbclient:

     smbclient -L //TARGET_IP -N
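Chaining the two tools by hand does not scale past a handful of hosts. The script below is an added example, not from the original guide: it reads nmap's grepable output (produced with -oG), keeps only the hosts whose 445/tcp is actually open rather than closed or filtered, and runs the null-session share listing against each while appending everything to a log. SAMPLE_NMAP_OG is constructed output, and NMAP_OG_FILE is an assumed variable naming a real -oG file; without it the script only parses the sample.

```bash
#!/usr/bin/env bash
# Added example: chain nmap into smbclient. nmap -oG writes one "Host: ... Ports:"
# line per host; keep only hosts whose 445/tcp (or 139/tcp) is actually open and
# run the share listing against each, logging everything. SAMPLE_NMAP_OG is
# constructed; NMAP_OG_FILE is an assumed variable naming a real -oG file.

SAMPLE_NMAP_OG='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p 139,445 -oG - 10.0.0.0/29
Host: 10.0.0.1 ()  Status: Up
Host: 10.0.0.1 ()  Ports: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.2 ()  Status: Up
Host: 10.0.0.2 ()  Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.3 (fs01.corp.local)  Status: Up
Host: 10.0.0.3 (fs01.corp.local)  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds'

# Grepable nmap output (stdin) -> IPs with the given port open, one per line.
hosts_with_port_open() {
    awk -v port="$1" '
        # A port entry looks like 445/open/tcp//microsoft-ds///. Requiring a
        # space or comma in front of the number keeps 445 from matching 1445.
        /^Host:/ && $0 ~ ("[ \t,]" port "/open/") { print $2 }
    ' | sort -u
}

# Null-session share listing for every host on stdin, appended to a log file.
list_shares_on_hosts() {
    logfile="$1"
    while read -r host; do
        printf '=== %s ===\n' "$host"
        smbclient -L "//$host" -N 2>&1
    done | tee -a "$logfile"
}

if [ -n "${NMAP_OG_FILE:-}" ]; then
    # e.g. nmap -p 139,445 -oG smb.gnmap 10.0.0.0/24 && NMAP_OG_FILE=smb.gnmap ./this.sh
    hosts_with_port_open 445 < "$NMAP_OG_FILE" | list_shares_on_hosts smb-shares.log
else
    printf '%s\n' "$SAMPLE_NMAP_OG" | hosts_with_port_open 445
fi
```

On the sample only 10.0.0.1 and 10.0.0.3 are selected: 10.0.0.2 reports 445 as filtered, which smbclient would simply time out on. The same host list can be fed to crackmapexec smb with a file argument instead of smbclient when credentials are available.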
    

CrackMapExec with Other Tools

  • Example (tee shows the results on screen while saving them; CrackMapExec also stores every host, share and credential it sees in its own database, browsable later with cmedb):

      crackmapexec smb TARGET_IP --shares -u "user" -p "password" | tee results.txt
    

Monitoring and Logging

Real-time Monitoring

  • Use tee with a fixed command list. An interactive smbclient session does not log cleanly through a pipe (stdout is buffered and the prompt disappears), so give the commands with -c; for a genuinely interactive session record the terminal with script(1) instead:

      smbclient //TARGET_IP/shared -N -c "ls" | tee output.log
    

Logging and Output

  • Save output to file. Note that -o sets module options in CrackMapExec, not an output file; the export flag is --log (CrackMapExec 5.x and NetExec; on older builds pipe through tee as above). Independently of this, every run is also logged under ~/.cme/logs/:

      crackmapexec smb TARGET_IP --shares -u "user" -p "password" --log results.txt
    

Glossary

Term           Definition
SMB            Server Message Block: protocol for sharing files, printers and named pipes over a network (TCP 445 directly, or TCP 139 via NetBIOS).
Samba          Open-source implementation of SMB for Unix/Linux; also the source of the smbclient and rpcclient tools.
smbclient      Command-line, ftp-like client for listing and interacting with SMB shares.
rpcclient      Client for the MS-RPC services exposed over SMB named pipes (SAMR, LSARPC, SRVSVC); used for user, group, policy and share queries.
RID            Relative Identifier: the last component of a Windows SID, unique per user or group within a domain (500 Administrator, 501 Guest, 502 krbtgt; created accounts start at 1000).
Null session   An SMB session with empty username and password (-N in smbclient and rpcclient). Current Windows releases deny most queries to it, so guest or low-privileged credentials are often needed.
CrackMapExec   Multi-host SMB enumeration and post-exploitation tool; continued as NetExec (nxc).
Share          Directory or file system exported for access via SMB. A trailing $ hides a share from browse lists but does not restrict direct access.