nmap -p 445 --script vuln <target ip>
nmap --script smb-vuln* <target ip>
nmap -p 139,445 [--script-args=unsafe=1] --script /usr/share/nmap/scripts/smb-os-discovery <target ip>
crackmapexec smb <target ip>
python enum4linux-ng.py -A <target ip>from impacket smbclient.py
python smbclient.py <username>:'<password>'@<target ip>
SMBv1
smbclient -L '//<target ip>/' -U brett --option='client min protocol=NT1'smbclient --no-pass -L '//<target ip>' -p 445smbclient --no-pass -N \\\\<target ip>\\<folder> smbclient -U "<username>" '//<target ip>/<folder>'
smbclient -U "<username>" --password="<passowrd>" \\\\<target ip>\\<folder>smbclient -m SMB2 -U <username> -L //Client/protocol negotiation failed
client max protocol = NT1 client min protocol = NT1client min protocol = CORE
client max protocol = SMB3get permissions
smbmap -H <target ip>change password (STATUS_PASSWORD_MUST_CHANGE)
smbpasswd -U <username> -r <target ip>recursively list dir
smbmap -d <domain> -H <target ip> -R <Recursively list dirs> --depth <number>
# smbmap -d test.local -H 10.10.10.10 -R shared --depth 10download file
# one file
smbmap -d <domain> -H <target ip> --download "<PATH>\<file>"
# e.g.
smbmap -d test.local -H 10.10.10.10 --download "shared\test.txt"
# all files
smbclient '\\<target ip>\<folder>' -N -c 'prompt OFF;recurse ON; mget *' --user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash]
# e.g.
smbclient '\\10.10.11.123\dev' -N -c 'prompt OFF;recurse ON; mget *' --user=test.com/user1 --password=12345678python smbserver.py <shareName> <sharePath>