# [Service/Vulnerability Name] (e.g., SMB, SQLi)

## 1. Basic Description
What is it? Brief explanation (e.g., "Server Message Block is a network file sharing protocol").
Criticality: High/Medium/Low
## 2. Ports & Default Configuration
- Default Ports: 139, 445 (TCP), 137, 138 (UDP)
- Service Name: microsoft-ds, netbios-ssn
- Interesting Config Files: /etc/samba/smb.conf
## 3. Enumeration (The "Safe" Phase)
Don't attack yet. Understand what you are looking at.
### Nmap Scans
```bash
# Basic quick scan
nmap -p 139,445 --script smb-os-discovery <IP>
# Full enum (aggressive: runs every smb-vuln* NSE check; quoted so the shell does not glob it)
nmap -p 139,445 --script "smb-vuln*" <IP>
```
### Dedicated Tools (Gobuster/Hydra/Enum4linux)

## 4. Attack Vectors (Kill Chain)
### A. Anonymous Login
Check if we can login without creds.
### B. Known Vulnerabilities (CVEs)
- EternalBlue (MS17-010): Windows 7/Server 2008.
- SMBGhost (CVE-2020-0796): Windows 10 v1903/1909.
### C. Brute Force (Last Resort!)
## 5. One-Liners (Quick Wins)
Copy-paste ready commands for the heat of the moment.
- Mount Share:
```bash
mount -t cifs //<IP>/share /mnt/share -o user=guest,password=
```
- Null Session Test:
```bash
rpcclient -U "" <IP>
```
- Download File:
```bash
smbget -R smb://<IP>/share
```
## 6. Post-Exploitation / Pivoting
- If you have credentials, what's next? (PsExec, dump hashes).
- Link to: [[Lateral_Movement]]
## 7. Troubleshooting
Problem: Connection Refused or Timeout.
Solution: Check firewall, try a different port (is it on 4455?), ensure you are using the correct protocol version (an SMB1-only host needs `client min protocol = NT1` in your client's smb.conf; this re-enables SMB1 on your own machine, so revert it afterwards).
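The settings this note keeps coming back to (the SMB1 `min protocol`, anonymous/guest access, the interesting config file `/etc/samba/smb.conf`) are also the things to check on the defending side. The following is an added example, not part of the original template and not a Samba tool: a small Python audit that parses an smb.conf and flags those weak settings. The function names (`parse_smb_conf`, `audit_smb_conf`) and the two sample configurations are constructed for this example; the parameter names and values are real Samba ones.

```python
"""Audit a Samba smb.conf for the weak settings this note refers to.

Added example (not part of the original template, not a Samba tool):
flags an SMB1 minimum protocol (NT1 and older), guest mapping,
anonymous/null-session access, unsigned sessions and guest-accessible
shares. Function names and both sample configurations are constructed.
"""
from typing import Dict, List

# SMB1-era dialects Samba accepts for "server/client min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed sample: a permissive configuration (not from any real host).
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   client min protocol=NT1
   map to guest = Bad User
   restrict anonymous = 0

[share]
   path = /srv/share
   guest ok = yes
   writable = yes
"""

# Constructed sample: the same file with the weak settings corrected.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   client min protocol = SMB2
   server signing = mandatory
   map to guest = Never
   restrict anonymous = 2

[share]
   path = /srv/share
   guest ok = no
   writable = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers and key = value lines.

    Keys are lowercased and whitespace around '=' is dropped, so
    'client min protocol = NT1' and 'client min protocol=NT1' parse alike.
    Comment lines (# or ;) and blank lines are skipped; 'include' is not
    followed, so audit the effective file (e.g. testparm -s output).
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _is_yes(value: str) -> bool:
    # Samba boolean parameters accept yes/true/1 (case-insensitive).
    return value.strip().lower() in {"yes", "true", "1"}


def audit_smb_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[str] = []

    # 1. SMB1 still negotiable (MS17-010 / EternalBlue is an SMB1 bug).
    for key in ("server min protocol", "client min protocol"):
        val = g.get(key, "").upper()
        if val in SMB1_DIALECTS:
            findings.append(f"[global] {key} = {val}: SMB1 dialect still allowed")

    # 2. Failed logins silently mapped to the guest account.
    if g.get("map to guest", "never").lower() in {"bad user", "bad password", "bad uid"}:
        findings.append(f"[global] map to guest = {g['map to guest']}: failed logins become guest")

    # 3. Anonymous (null-session) connections not denied (Samba default is 0).
    if g.get("restrict anonymous", "0") != "2":
        findings.append("[global] restrict anonymous != 2: null sessions to IPC$ not denied")

    # 4. Sessions not required to be signed.
    if g.get("server signing", "default").lower() != "mandatory":
        findings.append("[global] server signing != mandatory: unsigned sessions accepted")

    # 5. Shares reachable as guest ('public' is a synonym of 'guest ok').
    for name, params in conf.items():
        if name == "global":
            continue
        if _is_yes(params.get("guest ok", params.get("public", "no"))):
            findings.append(f"[{name}] guest ok = yes: share accessible as guest without a password")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against the two constructed samples and the weak file produces six findings while the hardened one produces none; against a real host, feed it `testparm -s` output rather than the raw file so that included files and defaults are already resolved.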
Tags: #service #enumeration #attack #windows #linux

References:
- HackTricks - SMB
- PayloadAllTheThings
- OSCP Official Guide