✔️ How to identify potential vulnerable targets
✔️ Using enum4linux
✔️ Using samrdump.py
✔️ Using nmap to exploit null sessions
✔️ Enumerating users, groups, password policies, and more
→ gaining access to systems where shares are not secure against null sessions
Null sessions allow anonymous access to network shares on Windows networked systems (TCP ports 135, 139, 445)
nmap -sS -p 135,139,445 IP #SYN scan for the RPC/NetBIOS/SMB ports (needs root)
enum4linux
enum4linux -n IP #similar to nbtstat (a <20> suffix means the File Server service is running and shares are available)
enum4linux -P IP #password policies of the system
enum4linux -S IP #enumerate shares available on the machine
enum4linux -s /usr/share/enum4linux/share-list.txt IP #ability to brute force shares on the machine
enum4linux -a IP #run all the above with the -a option
/usr/share/doc/python-impacket-doc/examples/samrdump.py
python samrdump.py #run with no arguments to print the usage
python samrdump.py IP #gives us info from the SAM database: usernames, user IDs (RIDs), and the machine account of the system itself
after finding user IDs and the password policy (lockout threshold, min length) we can brute force more efficiently
nmap --script=smb-enum-shares -p 445 IP #lists shares; anonymous results show the system is vulnerable to null sessions
nmap --script=smb-enum-users -p 445 IP #users, user IDs, password information
nmap --script=smb-brute -p 445 IP #brute forces usernames and passwords to find valid accounts
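The other side of the same activity: on the Windows target a null session appears in the Security log as Event ID 4624 (Logon Type 3, account "ANONYMOUS LOGON" from NT AUTHORITY), usually followed by Event ID 5140 (share accessed) for IPC$. The script below is an added defender-side example, not part of these notes or any tool above; the log records, hostnames and IPs are constructed, and the "key: value | key: value" line format is an assumed flattening of the event message text.

```python
"""Flag SMB null-session activity in constructed Windows Security log records."""
from collections import defaultdict

# Constructed sample events (not real log data). Field names follow the
# Security log message text; the "k: v | k: v" layout is an assumption.
SAMPLE_EVENTS = [
    "EventID: 4624 | Logon Type: 3 | Account Name: ANONYMOUS LOGON | Account Domain: NT AUTHORITY | Source Network Address: 10.0.0.50",
    "EventID: 4624 | Logon Type: 3 | Account Name: jdoe | Account Domain: CORP | Source Network Address: 10.0.0.7",
    "EventID: 5140 | Account Name: ANONYMOUS LOGON | Account Domain: NT AUTHORITY | Share Name: \\\\*\\IPC$ | Source Address: 10.0.0.50",
    "EventID: 5140 | Account Name: ANONYMOUS LOGON | Account Domain: NT AUTHORITY | Share Name: \\\\*\\Finance | Source Address: 10.0.0.51",
    "EventID: 5140 | Account Name: jdoe | Account Domain: CORP | Share Name: \\\\*\\Finance | Source Address: 10.0.0.7",
]

def parse_event(line):
    """Split 'k: v | k: v' into a dict of field name -> value."""
    return dict(part.split(": ", 1) for part in line.split(" | "))

def is_null_session_logon(ev):
    """4624 + network logon (type 3) + ANONYMOUS LOGON is the null-session signature."""
    return (ev.get("EventID") == "4624" and ev.get("Logon Type") == "3"
            and ev.get("Account Name") == "ANONYMOUS LOGON")

def is_anonymous_share_access(ev):
    """5140 by ANONYMOUS LOGON: the null session actually reached a share."""
    return ev.get("EventID") == "5140" and ev.get("Account Name") == "ANONYMOUS LOGON"

def summarize(lines):
    """Group null-session logons and anonymous share hits by source address.

    Returns {source_ip: {"logons": int, "shares": set}}.
    """
    out = defaultdict(lambda: {"logons": 0, "shares": set()})
    for line in lines:
        ev = parse_event(line)
        if is_null_session_logon(ev):
            out[ev["Source Network Address"]]["logons"] += 1
        elif is_anonymous_share_access(ev):
            out[ev["Source Address"]]["shares"].add(ev["Share Name"])
    return dict(out)

def data_exposure(summary):
    """Sources whose anonymous access touched a share other than IPC$.

    IPC$ alone means enumeration (enum4linux, samrdump, smb-enum-*);
    any other share means a null session read real data and needs fixing.
    """
    return sorted(src for src, s in summary.items()
                  if any(not share.endswith("IPC$") for share in s["shares"]))

if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for src, s in summary.items():
        print(src, "null logons:", s["logons"], "shares:", sorted(s["shares"]))
    print("data exposure from:", data_exposure(summary))
```

Hosts that should never accept null sessions can additionally be checked for RestrictAnonymous / RestrictAnonymousSAM being set, which removes the enumeration the tools above rely on.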