445 SMB
Username enumeration:
smbmap -H 10.129.1.225
Looks like we can read from general and Development.
smbmap -H 10.129.1.225 -R --depth 5
Running this will go in those directories and discover files.
smbclient //10.129.1.225/general
Then download the file (get creds.txt).
creds.txt content
Share with space
Brute Forcing SMB
Create a username list and a password list after initial enumeration (e.g. use cewl or hashcat to generate the password list).
Use rpcclient to log in.
Once you get in, you can perform these commands:
Use cme winrm to check whether the credentials get the host pwned, then use evil-winrm to get a shell.
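From the defender's side, the same user-list/password-list activity shows up as a burst of network logon failures from one source. The following is an added example (not part of these notes) that runs simple detection logic over constructed Windows Security event 4625 records flattened to key=value lines; the thresholds and the field layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4625 (failed logon) records, one per line.
# LogonType 3 is a network logon, which is what SMB authentication against a server produces.
# SubStatus 0xC000006A = wrong password, 0xC0000064 = no such user,
# 0xC0000224 = STATUS_PASSWORD_MUST_CHANGE (correct password, but it has expired).
SAMPLE_EVENTS = """\
EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.129.1.50 SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.129.1.50 SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.129.1.50 SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=carol IpAddress=10.129.1.50 SubStatus=0xC0000064
EventID=4625 LogonType=3 TargetUserName=dave IpAddress=10.129.1.50 SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=erin IpAddress=10.129.1.50 SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.129.1.77 SubStatus=0xC0000224
EventID=4625 LogonType=2 TargetUserName=frank IpAddress=127.0.0.1 SubStatus=0xC000006A
EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.129.1.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each key=value line into a dict; blank lines are skipped."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def smb_auth_failures_by_source(events):
    """Group network (LogonType 3) failed logons by source IP: attempt count and distinct users."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for e in events:
        if e.get("EventID") != "4625" or e.get("LogonType") != "3":
            continue  # ignore successes and interactive/local logons
        s = stats[e["IpAddress"]]
        s["attempts"] += 1
        s["users"].add(e["TargetUserName"])
    return stats

def flag_sources(events, min_attempts=5, min_users=3):
    """Return {ip: verdict} for sources over the thresholds (assumed values).
    Many distinct users from one source looks like a spray; few users, many tries looks like brute force."""
    verdicts = {}
    for ip, s in smb_auth_failures_by_source(events).items():
        if s["attempts"] < min_attempts:
            continue
        verdicts[ip] = "spray" if len(s["users"]) >= min_users else "brute-force"
    return verdicts

def must_change_password_events(events):
    """Failures whose SubStatus is STATUS_PASSWORD_MUST_CHANGE: valid but expired credentials in use."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e.get("EventID") == "4625" and e.get("SubStatus", "").lower() == "0xc0000224"]
```

Running it over the sample flags 10.129.1.50 as a spray (six failures across five accounts) and surfaces the expired-password attempt from 10.129.1.77, which is the same condition smbpasswd later deals with on the client side.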
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
Only rhost needs to be changed to run it.
Changing smb password with smbpasswd
If you get the status NT_STATUS_PASSWORD_MUST_CHANGE after entering correct credentials, you can set a new password with this command.
OLD SMB SERVICE?