Check for anonymous access to windows shares
smbclient -L
-L = This option allows you to look at what services are available on a server.
Example
smbclient -L //10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Another way, which also shows the permissions on each share, is smbmap.
smbmap -H 10.10.10.100
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESS
Users NO ACCESS
In this example we can see there are READ ONLY permissions on one share called 'Replication'.
You could put this in a quick bash loop to sweep the whole /24 like so.
for i in {1..254}; do smbmap -H 10.10.10.$i -q; done | grep 'READ' -B 3
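A slightly more robust version of that sweep, added here as an example (not from the original post): it parses smbmap's permissions table so the report lists host, share and access level instead of relying on grep -B 3. It assumes smbmap is on PATH and prints the "[+] IP: host:445 ..." header and the NO ACCESS / READ ONLY / READ, WRITE / WRITE ONLY wording shown above.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a /24 with smbmap and
# report only the shares that grant READ or WRITE, parsing smbmap's
# permissions table instead of relying on grep -B 3.
# Assumes smbmap is on PATH and prints the "[+] IP: host:445 ..." header and
# the NO ACCESS / READ ONLY / READ, WRITE / WRITE ONLY wording shown above.

# Read smbmap output on stdin, print "host share access" per accessible share.
report_open_shares() {
    awk '
        # one "[+] IP: 10.10.10.100:445 Name: ..." header precedes each table
        /^\[\+\] IP:/ { host = $3; sub(/:[0-9]+$/, "", host); next }
        host == ""    { next }            # no host header seen yet
        /READ, WRITE/ { emit("READ,WRITE"); next }
        /READ ONLY/   { emit("READ"); next }
        /WRITE ONLY/  { emit("WRITE"); next }
        # share names may contain spaces ("All Users"), so cut the line at the
        # permission text (and any trailing comment) rather than taking $1
        function emit(perm,   share) {
            share = $0
            sub(/[ \t]+(READ, WRITE|READ ONLY|WRITE ONLY).*$/, "", share)
            sub(/^[ \t]+/, "", share)
            print host, share, perm
        }
    '
}

# Sweep a /24 anonymously; the argument is the first three octets, e.g. 10.10.10
sweep_subnet() {
    i=1
    while [ "$i" -le 254 ]; do
        smbmap -H "$1.$i" -q 2>/dev/null
        i=$((i + 1))
    done | report_open_shares
}

# Example: sweep_subnet 10.10.10 > open_shares.txt
```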
Next we can list the contents of the 'Replication' share by using the -r parameter.
smbmap -H 10.10.10.100 -r 'Replication'
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
Replication READ ONLY
./
dr--r--r-- 0 Sat Jul 21 11:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 11:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 11:37:44 2018 active.htb
As we can see, this reveals a folder called "active.htb" inside the share.
Continue using this method to browse deeper into the shares.
If we need to specify a username, a password and/or a domain we can use:
-u username
-p password
-d domain
If we find something interesting we can mount the share locally on our box (replace IP and SHARE).
mount -t cifs //IP/SHARE /mnt
=======================================================================
We can alternatively use nullinux, a similar tool with slightly nicer output.
git clone https://github.com/m8r0wn/nullinux.git
sudo ./nullinux.py -a -t 40 -u SVC_TGS -p GPPstillStandingStrong2k18 10.10.10.100
Starting nullinux v5.3.1 | 10-12-2018 12:06
[*] Enumerating Shares for: 10.10.10.100
Shares Comments
-------------------------------------------
\\10.10.10.100\ADMIN$ Remote Admin
\\10.10.10.100\C$ Default share
\\10.10.10.100\IPC$
\\10.10.10.100\NETLOGON Logon server share
\\10.10.10.100\Replication
\\10.10.10.100\SYSVOL Logon server share
\\10.10.10.100\Users
[*] Enumerating: \\10.10.10.100\NETLOGON
. D 0 Wed Jul 18 19:48:57 2018
.. D 0 Wed Jul 18 19:48:57 2018
[*] Enumerating: \\10.10.10.100\Replication
. D 0 Sat Jul 21 11:37:44 2018
.. D 0 Sat Jul 21 11:37:44 2018
active.htb D 0 Sat Jul 21 11:37:44 2018
[*] Enumerating: \\10.10.10.100\SYSVOL
. D 0 Wed Jul 18 19:48:57 2018
.. D 0 Wed Jul 18 19:48:57 2018
active.htb D 0 Wed Jul 18 19:48:57 2018
[*] Enumerating: \\10.10.10.100\Users
. DR 0 Sat Jul 21 15:39:20 2018
.. DR 0 Sat Jul 21 15:39:20 2018
Administrator D 0 Mon Jul 16 11:14:21 2018
All Users DHS 0 Tue Jul 14 06:06:44 2009
Default DHR 0 Tue Jul 14 07:38:21 2009
Default User DHS 0 Tue Jul 14 06:06:44 2009
desktop.ini AHS 174 Tue Jul 14 05:57:55 2009
Public DR 0 Tue Jul 14 05:57:55 2009
SVC_TGS D 0 Sat Jul 21 16:16:32 2018
[*] Enumerating Domain Information for: 10.10.10.100
[+] Domain Name: ACTIVE
[+] Domain SID: S-1-5-21-405608879-3187717380-1996298813
[*] Enumerating querydispinfo for: 10.10.10.100
Administrator
Guest
krbtgt
SVC_TGS
[*] Enumerating enumdomusers for: 10.10.10.100
Administrator
Guest
krbtgt
SVC_TGS
[*] Enumerating LSA for: 10.10.10.100
[*] Performing RID Cycling for: 10.10.10.100
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
krbtgt
Guest
Administrator
Domain Users (Network/LocalGroup)
Domain Admins (Network/LocalGroup)
Domain Computers (Network/LocalGroup)
Enterprise Admins (Network/LocalGroup)
Domain Guests (Network/LocalGroup)
Domain Controllers (Network/LocalGroup)
Schema Admins (Network/LocalGroup)
Cert Publishers (Network/LocalGroup)
Read-only Domain Controllers (Network/LocalGroup)
Group Policy Creator Owners (Network/LocalGroup)
[*] Testing 10.10.10.100 for Known Users
Administrator
Guest
krbtgt
[*] Enumerating Group Memberships for: 10.10.10.100
[+] Group: Enterprise Read-only Domain Controllers
[+] Group: Domain Admins
Administrator
[+] Group: Domain Users
Administrator
krbtgt
SVC_TGS
[+] Group: Domain Guests
Guest
[+] Group: Domain Computers
[+] Group: Domain Controllers
DC$
[+] Group: Schema Admins
Administrator
[+] Group: Enterprise Admins
Administrator
[+] Group: Group Policy Creator Owners
Administrator
[+] Group: Read-only Domain Controllers
[+] Group: DnsUpdateProxy
[+] 5 USER(s) identified in 11 GROUP(s)
[*] Writing users to file: ./nullinux_users.txt
===============================================
impacket-samrdump -dc-ip 10.10.10.100 ACTIVE/SVC_TGS:GPPstillStandingStrong2k18@10.10.10.100 445/SMB
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation
[*] Retrieving endpoint list from 10.10.10.100
[*] Trying protocol 445/SMB...
Found domain(s):
. ACTIVE
. Builtin
[*] Looking up users in domain ACTIVE
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: krbtgt, uid = 502
Found user: SVC_TGS, uid = 1103
Administrator (500)/FullName:
Administrator (500)/UserComment:
Administrator (500)/PrimaryGroupId: 513
Administrator (500)/BadPasswordCount: 0
Administrator (500)/LogonCount: 33
Guest (501)/FullName:
Guest (501)/UserComment:
Guest (501)/PrimaryGroupId: 514
Guest (501)/BadPasswordCount: 0
Guest (501)/LogonCount: 0
krbtgt (502)/FullName:
krbtgt (502)/UserComment:
krbtgt (502)/PrimaryGroupId: 513
krbtgt (502)/BadPasswordCount: 0
krbtgt (502)/LogonCount: 0
SVC_TGS (1103)/FullName: SVC_TGS
SVC_TGS (1103)/UserComment:
SVC_TGS (1103)/PrimaryGroupId: 513
SVC_TGS (1103)/BadPasswordCount: 0
SVC_TGS (1103)/LogonCount: 6
[*] Received 4 entries.