Windows recon: nmap host discovery:
nmap -Pn 10.10.10.50
# -Pn skips host discovery (ping) so nmap scans ports even if the host appears to be down.
nmap -Pn -p443 10.10.10.50
# -p restricts the scan to the listed port(s), here only TCP 443.
nmap -Pn -sV -p80 10.10.10.50
# -sV probes the open port to identify the service and its version (banner grabbing).
nmap 10.10.10.0/20 --open
# --open makes nmap show only open (or possibly open) ports.
useful net use commands:
Fingerprint the SMB service with nmap NSE scripts to enumerate the Windows target machine:
nmap -p445 --script smb-protocols 10.10.10.50
# identify the SMB protocol dialects the server accepts (shows whether SMBv1 is still enabled);
nmap -p445 --script smb-security-mode 10.10.10.50
# retrieve SMB security mode information (message signing, authentication level);
nmap -p445 --script smb-enum-sessions 10.10.10.50
# enumerate active SMB sessions (logged-on users); the other smb-enum-* scripts below cover shares, users, domains, groups and services;
nmap -p445 --script smb-enum-shares 10.10.10.50
# enumerate all available shares;
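As an added example (not part of the original notes), a defender-side check of the smb-protocols and smb-security-mode results above: it parses nmap's XML report (the scan saved with -oX) and flags hosts that still accept the SMBv1 dialect or do not require message signing. The embedded XML is a constructed sample; it assumes the script element's output attribute carries the same text nmap prints on the console.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format for the two scripts above
# (assumption: the "output" attribute holds the console text of each script).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.10.50" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-protocols" output="&#10;  dialects: &#10;    NT LM 0.12 (SMBv1) [dangerous, but default]&#10;    2.0.2&#10;    2.1&#10;    3.0&#10;    3.1.1"/>
      <script id="smb-security-mode" output="&#10;  account_used: guest&#10;  authentication_level: user&#10;  challenge_response: supported&#10;  message_signing: disabled (dangerous, but default)"/>
    </port></ports></host>
  <host><status state="up"/>
    <address addr="10.10.10.51" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-protocols" output="&#10;  dialects: &#10;    2.1&#10;    3.0&#10;    3.1.1"/>
      <script id="smb-security-mode" output="&#10;  account_used: guest&#10;  authentication_level: user&#10;  challenge_response: supported&#10;  message_signing: required"/>
    </port></ports></host>
</nmaprun>"""


def audit_smb(xml_text: str) -> dict[str, list[str]]:
    """Return {host_ip: [finding, ...]} for hosts with weak SMB settings."""
    findings: dict[str, list[str]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        issues: list[str] = []
        for script in host.iter("script"):
            sid, out = script.get("id"), script.get("output", "")
            if sid == "smb-protocols" and "SMBv1" in out:
                # nmap tags the NT LM 0.12 dialect as SMBv1 in its output
                issues.append("SMBv1 dialect enabled")
            elif sid == "smb-security-mode":
                for line in out.splitlines():
                    key, _, val = line.strip().partition(": ")
                    # anything other than "required" leaves SMB relay possible
                    if key == "message_signing" and not val.startswith("required"):
                        issues.append(f"SMB signing {val}")
        if issues:
            findings[addr.get("addr")] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in audit_smb(SAMPLE_XML).items():
        print(ip, "->", "; ".join(issues))
```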
enumerating with valid credentials:
nmap -p445 --script smb-enum-sessions --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
enumerate all available shares:
nmap -p445 --script smb-enum-shares --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
enumerate users:
nmap -p445 --script smb-enum-users --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
enumerate available domains:
nmap -p445 --script smb-enum-domains --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
enumerate user groups:
nmap -p445 --script smb-enum-groups --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
enumerate services:
nmap -p445 --script smb-enum-services --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
enumerate all shared folders and drives and list the contents of every share (smb-ls):
nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50
get server stats:
nmap -p445 --script smb-server-stats --script-args smbusername=valid_username,smbpassword=valid_passwd 10.10.10.50