Samba (smb)
smbclient
Remember to escape the backslashes before the target IP/domain when typing the path into a shell: it usually looks like \\\\10.10.10.10
The rest of the path also needs escaping: \\\\10.10.10.10\\users (alternatively, single-quote the whole path so the shell leaves it alone: '\\10.10.10.10\users')
-L    retrieve a list of available shares
-N    suppress the password prompt (null session)
-U    specify the user (can also be placed after the address)
rpcclient
Remote Procedure Call (RPC) is the mechanism Windows and Samba use to expose management functions over the network; rpcclient drives those interfaces from the command line and is therefore a central tool for enumerating domain and share information in client-server environments.
srvinfo                    Server information.
enumdomains                Enumerate all domains that are deployed in the network.
querydominfo               Provides domain, server, and user information of deployed domains.
netshareenumall            Enumerates all available shares.
netsharegetinfo <share>    Provides information about a specific share.
enumdomusers               Enumerates all domain users.
queryuser <RID>            Provides information about a specific user.
querygroup <group RID>     Provides information about a specific group.
$ rpcclient -U "" 10.129.14.128
Enter WORKGROUP\'s password:
rpcclient $> srvinfo
rpcclient $> enumdomains
rpcclient $> querydominfo
rpcclient $> netshareenumall
rpcclient $> netsharegetinfo <share-name>
rpcclient $> enumdomusers
rpcclient $> queryuser <rid>
rpcclient $> querygroup <group-rid>
Example Bash loop to enumerate every user by RID, starting at 500 (the built-in Administrator RID, 0x1f4 in hex):

```bash
# Walk RIDs 500..1100 over a null session. queryuser expects the RID in hex,
# so printf '%x' converts the loop counter; only the name and RID lines of
# each hit are kept, and an empty line separates one account from the next.
for i in $(seq 500 1100); do
  rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x' "$i")" \
    | grep "User Name\|user_rid\|group_rid" && echo ""
done
```
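The loop above prints raw text, which is awkward to review when you want to know exactly which accounts a null session exposes and how they group. The following Python is an added example, not part of the original notes or of the Samba project: it parses the grep'd queryuser output into records, converts the hex RIDs back to integers so they can be matched against the loop counter, and indexes accounts by primary group RID. The sample output embedded in it is constructed (the labels are the ones the loop greps for; the names and values are made up), and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of what the RID loop prints for three existing accounts:
# the "User Name", "user_rid" and "group_rid" lines of each queryuser call,
# followed by an empty line. Not captured output; values are made up.
SAMPLE_OUTPUT = """\
\tUser Name   :\tAdministrator
\tuser_rid :\t0x1f4
\tgroup_rid:\t0x201

\tUser Name   :\tGuest
\tuser_rid :\t0x1f5
\tgroup_rid:\t0x202

\tUser Name   :\tsvc_backup
\tuser_rid :\t0x451
\tgroup_rid:\t0x201

"""

# One "label : value" line as produced by queryuser (tabs and padding vary).
FIELD_RE = re.compile(r"^\s*(User Name|user_rid|group_rid)\s*:\s*(.*?)\s*$")


def rid_to_arg(rid: int) -> str:
    """Format a decimal RID the way the loop passes it to queryuser (0x-prefixed hex)."""
    return f"0x{rid:x}"


def parse_queryuser_output(text: str) -> List[Dict[str, object]]:
    """Turn the grep'd queryuser output into one record per account.

    Records are separated by empty lines. RIDs are converted from hex to int.
    A block without a 'User Name' and 'user_rid' line (for example the empty
    result of a RID that does not exist) is skipped rather than half-parsed.
    """
    users: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, object] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, value = m.groups()
            if key == "User Name":
                rec["name"] = value
            else:
                rec[key] = int(value, 16)
        if "name" in rec and "user_rid" in rec:
            users.append(rec)
    return users


def group_by_primary_group(users: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Index account names by primary group RID (e.g. 513 = Domain Users)."""
    groups: Dict[int, List[str]] = {}
    for u in users:
        groups.setdefault(int(u["group_rid"]), []).append(str(u["name"]))
    return groups


if __name__ == "__main__":
    found = parse_queryuser_output(SAMPLE_OUTPUT)
    for u in found:
        print(f"{u['name']:<16} rid={u['user_rid']} ({rid_to_arg(int(u['user_rid']))}) "
              f"primary_group={u['group_rid']}")
    print(group_by_primary_group(found))
```

Feed it the loop's output (redirect the loop to a file, or pipe it through the script) to get a deduplicated account list with integer RIDs; the group index makes it quick to see which accounts share a primary group and which exposed accounts you would not expect an unauthenticated client to see.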