SMB Protocol
NMAP
- smb-protocols
nmap -p445 --script smb-protocols [target]
- smb-security-mode
nmap -p445 --script smb-security-mode [target]
- smb-os-discovery
nmap -p445 --script smb-os-discovery [target]
- smb-enum-sessions
nmap -p445 --script smb-enum-sessions [target]
- smb-enum-shares
nmap -p445 --script smb-enum-shares [target]
- smb-enum-sessions & script-args
nmap -p445 --script smb-enum-sessions --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-shares & script-args
nmap -p445 --script smb-enum-shares --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-users & script-args
nmap -p445 --script smb-enum-users --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-server-stats & script-args
nmap -p445 --script smb-server-stats --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-domains & script-args
nmap -p445 --script smb-enum-domains --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-groups & script-args
nmap -p445 --script smb-enum-groups --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-services & script-args
nmap -p445 --script smb-enum-services --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-shares,smb-ls & script-args
nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=[user name],smbpassword=[password] [target]
SMBMap
- Null session
smbmap -u guest -p "" -d . -H [target]
- User session
smbmap -u [username] -p [password] -d . -H [target]
- ipconfig command
smbmap -H [target] -u [username] -p [password] -x 'ipconfig'
- ls command (list drives)
smbmap -H [target] -u [username] -p [password] -L
- Connect to a storage drive
smbmap -H [target] -u [username] -p [password] -r 'C$'
- Upload a file
smbmap -H [target] -u [username] -p [password] --upload '[/path/file]' 'C$\file'
Metasploit
- SMB version
use auxiliary/scanner/smb/smb_version
options
set rhosts [target]
options
run
exploit
- Test an SMB login across a range of machines
use auxiliary/scanner/smb/smb_login
auxiliary(scanner/smb/smb_login) > options
auxiliary(scanner/smb/smb_login) > set rhosts [target]
auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt
auxiliary(scanner/smb/smb_login) > set smbuser [username]
auxiliary(scanner/smb/smb_login) > run
- If we get into SMB, there is a chance that we can get into other services that are channelled through pipes
use auxiliary/scanner/smb/pipe_auditor
set smbuser [user]
set smbpass [passwd]
set rhosts [target]
options
run
Nmblookup
- Uses the NetBIOS protocol:
nmblookup -A [target]
Smbclient
- List shares over a null session with smbclient:
smbclient -L [target] -N
- Connect to a share over a null session with smbclient:
smbclient //[target]/[share] -N
Rpcclient
- When we have a null session we can connect with rpcclient:
rpcclient -U "" -N [target]
- Look up names and administrators:
rpcclient $> lookupnames admin
- Enumerate users:
rpcclient $> enumdomusers
Enum4linux
- Enumerate the operating system:
enum4linux -o [target]
- Enumerate users:
enum4linux -U [target]
- Enumerate shared folders:
enum4linux -S [target]
- Enumerate groups:
enum4linux -G [target]
- Enumerate printing services:
enum4linux -i [target]
- Get a list of SIDs for different users:
enum4linux -r -u "[user]" -p "[password]" [target]