SMB and RPC

RPCCLIENT

rpcclient -U "" -N [IP]

rpcclient -U "Username" -N 10.10.11.42 

• When connecting via rpcclient

Query	Description
srvinfo	Server information.
enumdomains	Enumerate all domains that are deployed in the network.
querydominfo	Provides domain, server, and user information of deployed domains.
netshareenumall	Enumerates all available shares.
netsharegetinfo <share>	Provides information about a specific share.
enumdomusers	Enumerates all domain users.
queryuser <RID>	Provides information about a specific user.
enumdomgroups	give groups
lookupnames <name>	give SID
querydispinfo	This will extend the amount of information about the users and their descriptions.

• To add to the group

net rpc group addmem "Target Group" "Target User"  -U "Domain.local"/"Controlled USER"%'Password' -S "Domain Cintroler IP"

• FOrceChangePasssword

net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

SMBMAP

smbmap -H [IP] -u [Username] -p 'password'

• To recursively enum directories

smbmap -H [IP] -u [Username] -p 'password' -r 'DIRECTORY NAME' --dir-only

• To upload files

smbmap -u <user> -p "<password>" -d . -H [IP] --upload '/path/to/file' '/path/to/upload

SMBCLIENT

smbclient -L [IP] -N

smbclient -N -L \\\\IP

smbclient -N -L \\\\IP\\Share

smbclient //IP/SHARE NAME

smbclient -U '<USERNAME>%<PASSWORD>' //IP/SHARE NAME
smbclient -U '<USERNAME>%<PASSWORD>' -L IP

for downloading the whole directory (smbmap or smbclient)

mask "" recurse ON prompt OFF mget *

Netexec/ crackmapexec

netexec smb 172.16.1.0/24 -u anonymous -p ''  --shares

#domain auth
netexec smb 192.168.110.52-56 -u James -H "aad3b435b51404eeaad3b435b51404ee:8af1903d3c80d3552a84b6ba296db2ea" -d painters.htb

#local auth
netexec smb 192.168.110.52-56 -u James -H "aad3b435b51404eeaad3b435b51404ee:8af1903d3c80d3552a84b6ba296db2ea" -d .

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --shares

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --users

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute

#To print sidtypuser names
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep -i 'user' | sed -E 's/.*HAZE\\([^ ]+).*/\1/' > username.txt

for proto in {ldap,smb,mssql,winrm}; do nxc $proto dc01.manager.htb -d manager.htb -u operator -p  'operator'; echo; done

Impacket-smbclient

• If we have TGT

impacket-smbclient -k -no-pass 'voleur.htb/ryan.naylor@dc.voleur.htb'