```bash
# List all NetExec modules
netexec smb 172.16.8.139 -L
# Check SMB version
netexec smb 172.16.8.139
# Check SMB service on subnet
netexec smb 172.16.8.139/24
# Check null auth
smbclient -L 192.168.1.2 --no-pass
smbclient //192.168.1.2/public --no-pass
```
Enumerate Null Sessions
Check whether a null session (also known as an anonymous session) is enabled on the target. This can be very useful on a Domain Controller to enumerate users, groups, password policies, etc.
Using a random username and password you can check whether the target accepts guest logon. If it does, it means that either the domain guest account or the local guest account of the server you're targeting is enabled.
```bash
# Check using a valid account
netexec smb 172.16.8.139 -u asuka -p 'p@ssw0rd' --shares
# Check with a local account (not a domain account)
netexec smb 172.16.8.139 -u asuka -p 'p@ssw0rd' --shares --local-auth
```
Username enumeration on Workstation using valid credentials
```text
....................
SMB  172.16.8.139  445  EVANGELION-PC  [+] Dumping password info for domain: EVANGELION
SMB  172.16.8.139  445  EVANGELION-PC  Minimum password length: 7
SMB  172.16.8.139  445  EVANGELION-PC  Password history length: 24
SMB  172.16.8.139  445  EVANGELION-PC  Maximum password age: 41 days 23 hours 53 minutes
SMB  172.16.8.139  445  EVANGELION-PC
SMB  172.16.8.139  445  EVANGELION-PC  Password Complexity Flags: 000000
SMB  172.16.8.139  445  EVANGELION-PC  Domain Refuse Password Change: 0
SMB  172.16.8.139  445  EVANGELION-PC  Domain Password Store Cleartext: 0
SMB  172.16.8.139  445  EVANGELION-PC  Domain Password Lockout Admins: 0
SMB  172.16.8.139  445  EVANGELION-PC  Domain Password No Clear Change: 0
SMB  172.16.8.139  445  EVANGELION-PC  Domain Password No Anon Change: 0
SMB  172.16.8.139  445  EVANGELION-PC  Domain Password Complex: 0
SMB  172.16.8.139  445  EVANGELION-PC
SMB  172.16.8.139  445  EVANGELION-PC  Minimum password age: 1 day 4 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Reset Account Lockout Counter: 30 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Locked Account Duration: 30 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Account Lockout Threshold: None
SMB  172.16.8.139  445  EVANGELION-PC  Forced Logoff Time: Not Set
```
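The password-policy dump above is only useful if someone reads it; as an added example (not part of the original notes or of NetExec), the following parser turns such `--pass-pol` lines into a per-host dictionary and flags settings that fall short of a baseline hardening policy. The sample lines are constructed in the same layout as the output above, and the thresholds in `weak_settings` are assumptions, not values from the page.

```python
import re

# Constructed sample in the layout of the NetExec output shown above (not captured from a real host)
SAMPLE = """\
SMB  172.16.8.139  445  EVANGELION-PC  [+] Dumping password info for domain: EVANGELION
SMB  172.16.8.139  445  EVANGELION-PC  Minimum password length: 7
SMB  172.16.8.139  445  EVANGELION-PC  Password history length: 24
SMB  172.16.8.139  445  EVANGELION-PC  Maximum password age: 41 days 23 hours 53 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Password Complexity Flags: 000000
SMB  172.16.8.139  445  EVANGELION-PC  Domain Password Complex: 0
SMB  172.16.8.139  445  EVANGELION-PC  Minimum password age: 1 day 4 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Reset Account Lockout Counter: 30 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Locked Account Duration: 30 minutes
SMB  172.16.8.139  445  EVANGELION-PC  Account Lockout Threshold: None
SMB  172.16.8.139  445  EVANGELION-PC  Forced Logoff Time: Not Set
"""

# protocol, host, port, hostname, then the free-text remainder of the line
LINE_RE = re.compile(r"^SMB\s+(\S+)\s+\d+\s+(\S+)\s+(.*)$")


def parse_pass_pol(text):
    """Return {host_ip: {setting_name: value}} from NetExec --pass-pol style lines."""
    policies = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        # status lines such as "[+] Dumping ..." carry no policy setting
        if rest.startswith("[") or ":" not in rest:
            continue
        key, value = (part.strip() for part in rest.split(":", 1))
        policies.setdefault(ip, {})[key] = value
    return policies


def weak_settings(policy, min_length=12):
    """List the settings in one host's policy that are weaker than the (assumed) baseline."""
    findings = []
    length = policy.get("Minimum password length")
    if length is not None and int(length) < min_length:
        findings.append(f"minimum length {length} < {min_length}")
    if policy.get("Domain Password Complex") == "0":
        findings.append("complexity not enforced")
    if policy.get("Account Lockout Threshold") in (None, "None", "0"):
        findings.append("no account lockout threshold (online guessing not rate-limited)")
    return findings


if __name__ == "__main__":
    for host, policy in parse_pass_pol(SAMPLE).items():
        print(host, weak_settings(policy))
```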
```bash
# No password
smbclient //192.168.1.2/public --no-pass
# With credentials
smbclient //172.16.8.139/secrets-folder -U 'username'%'p@ssw0rd' -p 445
# Download all files from the share
smbclient '//10.10.11.174/support-tools' -N -c 'prompt OFF;recurse ON;mget *'
```
```text
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-24 23:50 WIB
Nmap scan report for 10.10.100.206 (10.10.100.206)
Host is up (0.38s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds
```
```text
netexec smb 10.10.100.206 -u '' -p '' -M ms17-010
SMB       10.10.100.206  445  JON-PC  [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:JON-PC) (domain:Jon-PC) (signing:False) (SMBv1:True)
SMB       10.10.100.206  445  JON-PC  [+] Jon-PC\:
MS17-010  [+] 10.10.100.206 is likely VULNERABLE to MS17-010! (Windows 7 Professional 7601 Service Pack 1)
```