What's an SMB?

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers. SMB is a client-server, request-response protocol. The only exception to the request-response nature of SMB (that is, where the client makes requests and the server sends back responses) is when the client has requested opportunistic locks (oplocks) and the server, subsequently, has to break an already granted oplock because another client has requested a file open with a mode that's incompatible with the granted oplock. In this case, the server sends an unsolicited message to the client signalling the oplock break. Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers. (Samba.org)

What you'll need:

- A machine that can run the smbclient command
- A vulnerable/poorly configured SMB machine (remote or local)
- SMB port: 445

Check Sharenames

To view the SMB share names, use the command:

```
smbclient -L 192.168.25.1 -N
```

(192.168.25.1 = IP of the vulnerable SMB host)

You'll get something like this:

```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	arquivos        Disk
	IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Server               Comment
	---------            -------
	SAMBA                Samba Server 4.3.9-Ubuntu

	Workgroup            Master
	---------            -------
	COMPUTACAO           SAMBA
```

After doing that, you'll need to pick a Sharename, for example "arquivos" or "IPC$". I highly recommend picking one that doesn't have the "$" symbol, because it's easier to get one you have permission to use. In this case, I'm going to pick "arquivos" as the Sharename.

Finally:

```
smbclient //192.168.25.1/arquivos -N
```

And that's pretty much it... Now, if your host is totally vulnerable, you can upload files, download files, etc.

EX:

```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  phpmyadmin                          D        0  Fri May 22 16:28:47 2015
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  cgitelnet1                          D        0  Fri Jul 15 05:40:41 2016
  supp1.1                             D        0  Tue Jul  7 19:35:09 2015
  index.html                          N      142  Tue May 10 16:30:59 2016
  teste.php                           A       21  Fri May 22 11:56:35 2015
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008
  cherno.php                          N   210752  Fri Jul 15 05:13:46 2016

		151380148 blocks of size 1024. 132224492 blocks available
smb: \>
```

You can view all the smbclient commands by typing "?":

```
smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
```

I made a Python script that does all the hard work; if you want, you can get it here
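The two listings above (the `smbclient -L ... -N` share table and the `ls` output inside a share) are what an audit of anonymous SMB access actually has to read. The following is an added example, written for this page and not the author's Python script: it parses both outputs offline so you can record which shares a null session (`-N` sends no password) can enumerate, flag the `$`-suffixed administrative shares the text tells you to skip, and decode the DOS attribute letters (`D`, `A`, `R`, `N`, ...) in the directory listing. The sample strings are constructed from the listings shown on this page, and the names `Share`, `Entry`, `parse_share_list`, `anonymous_disk_shares` and `parse_dir_listing` are this example's own.

```python
"""Offline parsers for smbclient -L and smb: \\> ls output (added example)."""
import re
from dataclasses import dataclass

# Constructed from the share listing shown in the post; not live output.
SHARE_LIST_SAMPLE = """\
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        arquivos        Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Server               Comment
        ---------            -------
        SAMBA                Samba Server 4.3.9-Ubuntu

        Workgroup            Master
        ---------            -------
        COMPUTACAO           SAMBA
"""

# Constructed from the `ls` output in the post (a subset of its rows).
DIR_LISTING_SAMPLE = """\
smb: \\> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  index.html                          N      142  Tue May 10 16:30:59 2016
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008

                151380148 blocks of size 1024. 132224492 blocks available
smb: \\>
"""


@dataclass
class Share:
    name: str
    kind: str      # "Disk", "IPC" or "Printer", as smbclient -L prints it
    comment: str

    @property
    def hidden(self) -> bool:
        # A trailing "$" is the SMB convention for administrative/hidden
        # shares (IPC$, ADMIN$, C$); the post steers away from these.
        return self.name.endswith("$")


SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*?)\s*$")


def parse_share_list(text: str) -> list[Share]:
    """Extract the rows of the 'Sharename / Type / Comment' table."""
    shares, in_table = [], False
    for line in text.splitlines():
        if re.match(r"^\s*Sharename\s+Type\s+Comment", line):
            in_table = True          # header row: the table starts here
            continue
        if not in_table:
            continue
        if not line.strip() or line.startswith("Domain="):
            in_table = False         # blank line or next banner ends the table
            continue
        if set(line.strip()) <= set("- "):
            continue                 # the "--------- ----" separator row
        m = SHARE_RE.match(line)     # share names containing spaces are not handled
        if m:
            shares.append(Share(m.group(1), m.group(2), m.group(3)))
    return shares


def anonymous_disk_shares(shares: list[Share]) -> list[str]:
    """Disk shares without '$': the ones a null session is most likely to reach."""
    return [s.name for s in shares if s.kind == "Disk" and not s.hidden]


ATTR_NAMES = {"D": "directory", "A": "archive", "R": "read-only",
              "H": "hidden", "S": "system", "N": "normal"}


@dataclass
class Entry:
    name: str
    attrs: str      # DOS attribute letters exactly as smbclient prints them
    size: int
    mtime: str

    def describe(self) -> str:
        return ", ".join(ATTR_NAMES.get(a, a) for a in self.attrs)


# name, attribute letters, size in bytes, then a ctime-style timestamp
ENTRY_RE = re.compile(
    r"^\s{2}(.+?)\s+([DARHSN]+)\s+(\d+)\s+"
    r"(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s*$")


def parse_dir_listing(text: str) -> list[Entry]:
    """Parse `smb: \\> ls` output, dropping the '.' and '..' entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) not in (".", ".."):
            entries.append(Entry(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return entries


if __name__ == "__main__":
    shares = parse_share_list(SHARE_LIST_SAMPLE)
    for s in shares:
        print(f"{s.name:<12} {s.kind:<8} hidden={s.hidden} {s.comment}")
    print("disk shares without $:", anonymous_disk_shares(shares))
    for e in parse_dir_listing(DIR_LISTING_SAMPLE):
        print(f"{e.name:<20} {e.size:>8}  {e.describe()}")
```

Feed it real output by piping `smbclient -L <host> -N` or a scripted `smbclient //<host>/<share> -N -c ls` into the parsers; the size and timestamp columns anchor the directory regex, so file names that contain spaces still parse, while the share-table parser only handles single-word share names.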