SMB Protocol
NMAP
- smb-protocols
nmap -p445 --script smb-protocols [target]
- smb-security-mode
nmap -p445 --script smb-security-mode [target]
- smb-os-discovery
nmap -p445 --script smb-os-discovery [target]
- smb-enum-sessions
nmap -p445 --script smb-enum-sessions [target]
- smb-enum-shares
nmap -p445 --script smb-enum-shares [target]
- smb-enum-sessions & script-args
nmap -p445 --script smb-enum-sessions --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-shares & script-args
nmap -p445 --script smb-enum-shares --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-users & script-args
nmap -p445 --script smb-enum-users --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-server-stats & script-args
nmap -p445 --script smb-server-stats --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-domains & script-args
nmap -p445 --script smb-enum-domains --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-groups & script-args
nmap -p445 --script smb-enum-groups --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-services & script-args
nmap -p445 --script smb-enum-services --script-args smbusername=[user name],smbpassword=[password] [target]
- smb-enum-shares,smb-ls & script-args
nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=[user name],smbpassword=[password] [target]
SMBMap
- Null session
smbmap -u guest -p "" -d . -H [target]
- User session
smbmap -u [username] -p [password] -d . -H [target]
- ipconfig command
smbmap -H [target] -u [username] -p [password] -x 'ipconfig'
- ls command (list drives)
smbmap -H [target] -u [username] -p [password] -L
- Connect to a storage drive
smbmap -H [target] -u [username] -p [password] -r 'C$'
- Upload a file
smbmap -H [target] -u [username] -p [password] --upload '[/path/file]' 'C$\file'
Metasploit
- SMB version
use auxiliary/scanner/smb/smb_version
options
set rhosts [target]
options
run
exploit
- Test an SMB login across a range of machines
use auxiliary/scanner/smb/smb_login
auxiliary(scanner/smb/smb_login) > options
auxiliary(scanner/smb/smb_login) > set rhosts [target]
auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt
auxiliary(scanner/smb/smb_login) > set smbuser [user]
auxiliary(scanner/smb/smb_login) > run
- If we get into SMB, there is a chance that we can also reach
other services that are exposed through named pipes
use auxiliary/scanner/smb/pipe_auditor
set smbuser [user]
set smbpass [passwd]
set rhosts [target]
options
run
Nmblookup
- Uses the NetBIOS protocol:
nmblookup -A [target]
Smbclient
- Connect with a null session using smbclient (list shares):
smbclient -L [target] -N
- Connect with a null session using smbclient (open a share):
smbclient //[target]/[share] -N
Rpcclient
- When we have a null session, we can connect with rpcclient:
rpcclient -U "" -N [target]
- Look up names and administrators:
rpcclient $> lookupnames admin
- Enumerate users:
rpcclient $> enumdomusers
Enum4linux
- Enumerate the operating system:
enum4linux -o [target]
- Enumerate users:
enum4linux -U [target]
- Enumerate shared folders:
enum4linux -S [target]
- Enumerate groups:
enum4linux -G [target]
- Enumerate printing services:
enum4linux -i [target]
- Get a list of SIDs for different users:
enum4linux -r -u "[user]" -p "[password]" [target]