11th iT 邦幫忙 Ironman Contest

DAY 17


smbmap is a tool built into Kali Linux and Parrot Security OS. It can be used to enumerate SMB services, and it can scan every host in the domain.

  • Environment: Parrot OS

  • Command: smbmap

usage: smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD]
              [-s SHARE] [-d DOMAIN] [-P PORT] [-x COMMAND] [-L | -R [PATH] |
              -r [PATH]] [-A PATTERN] [-q] [--depth DEPTH] [-F PATTERN]
              [--search-path PATH] [--download PATH] [--upload SRC DST]
              [--delete PATH TO FILE] [--skip]

SMBMap - Samba Share Enumerator | Shawn Evans -

optional arguments:
  -h, --help            show this help message and exit

Main arguments:
  -H HOST               IP of host
  --host-file FILE      File containing a list of hosts
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password or NTLM hash
  -s SHARE              Specify a share (default C$), ex 'C$'
  -d DOMAIN             Domain name (default WORKGROUP)
  -P PORT               SMB port (default 445)

Command Execution:
  Options for executing commands on the specified host

  -x COMMAND            Execute a command ex. 'ipconfig /all'

Filesystem Search:
  Options for searching/enumerating the filesystem of the specified host

  -L                    List all drives on the specified host
  -R [PATH]             Recursively list dirs, and files (no share\path lists
                        ALL shares), ex. 'C$\Finance'
  -r [PATH]             List contents of directory, default is to list root of
                        all shares, ex. -r 'C$\Documents and
  -A PATTERN            Define a file name pattern (regex) that auto downloads
                        a file on a match (requires -R or -r), not case
                        sensitive, ex '(web|global).(asax|config)'
  -q                    Disable verbose output. Only shows shares you have
                        READ/WRITE on, and suppresses file listing when
                        performing a search (-A).
  --depth DEPTH         Traverse a directory tree to a specific depth

File Content Search:
  Options for searching the content of files

  -F PATTERN            File content search, -F '[Pp]assword' (requires admin
                        access to execute commands, and powershell on victim
  --search-path PATH    Specify drive/path to search (used with -F, default
                        C:\Users), ex 'D:\HR\'

Filesystem interaction:
  Options for interacting with the specified host's filesystem

  --download PATH       Download a file from the remote system,
  --upload SRC DST      Upload a file to the remote system ex.
                        '/tmp/payload.exe C$\temp\payload.exe'
  --delete PATH TO FILE
                        Delete a remote file, ex. 'C$\temp\msf.exe'
  --skip                Skip delete file confirmation prompt


$ smbmap -u jsmith -p password1 -d workgroup -H
$ smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H
$ smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H -x 'net group "Domain Admins" /domain'


smbmap -u admin -p password1 -d workgroup -H IP
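As an added example (not from the original post or the smbmap project), here is a small Python script that turns smbmap's per-host share table into an audit summary: which shares the tested account can write to, and on which hosts it is effectively a local administrator (writable C$ or ADMIN$). The column layout is assumed from the tool's usual output, and the sample text, hosts and share names are constructed.

```python
from typing import Dict, List

# Constructed sample in the shape of smbmap's per-host share table (column
# layout assumed from the tool's usual output, not captured from a real scan;
# hosts and shares are made up).
SAMPLE_OUTPUT = """\
[+] IP: 10.0.0.5:445\tName: fileserver.example.local
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tADMIN$                                            \tNO ACCESS\tRemote Admin
\tC$                                                \tREAD, WRITE\tDefault share
\tIPC$                                              \tREAD ONLY\tRemote IPC
\tPublic Drop                                       \tREAD, WRITE\tShared drop folder
[+] IP: 10.0.0.9:445\tName: workstation.example.local
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tADMIN$                                            \tNO ACCESS\tRemote Admin
\tC$                                                \tNO ACCESS\tDefault share
\tIPC$                                              \tREAD ONLY\tRemote IPC
"""

PERMISSIONS = {"NO ACCESS", "READ ONLY", "WRITE ONLY", "READ, WRITE"}


def parse_smbmap(output: str) -> Dict[str, Dict[str, str]]:
    """Return {ip: {share_name: permission}} from smbmap-style text.
    Columns are split on tabs so share names containing spaces survive; header
    and separator rows are dropped because column 2 is not a permission string."""
    result: Dict[str, Dict[str, str]] = {}
    host = None
    for line in output.splitlines():
        if line.startswith("[+] IP: "):
            host = line.split()[2].split(":")[0]  # "10.0.0.5:445" -> "10.0.0.5"
            result[host] = {}
            continue
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if host and len(fields) >= 2 and fields[1] in PERMISSIONS:
            result[host][fields[0]] = fields[1]
    return result


def audit(shares: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """writable: every 'ip/share' the account can write to (candidates for an
    ACL review). admin_on: hosts where C$ or ADMIN$ is writable, i.e. the
    tested credential is effectively a local administrator there."""
    writable, admin_on = [], []
    for ip, table in shares.items():
        for share, perm in table.items():
            if "WRITE" in perm:
                writable.append(f"{ip}/{share}")
                if share in ("C$", "ADMIN$") and ip not in admin_on:
                    admin_on.append(ip)
    return {"writable": sorted(writable), "admin_on": sorted(admin_on)}
```

Feed it the captured output of a run such as `smbmap --host-file hosts.txt -u <user> -p <pass> -d <domain>` to get a per-credential summary of over-permissioned shares across the scanned hosts.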
