query NetBIOS names
nmblookup -A 192.168.1.102
rpcbind (the portmapper on port 111) lists the RPC services a host has registered, which is how NFS shares are found
list services registered with RPC (the query tool is rpcinfo, not rpcbind)
rpcinfo -p <ip>
locate *rpc*.nse
nmap --script rpcinfo.nse <ip> -p 111
Connect over MS-RPC with rpcclient, either with credentials or as a null session (anonymous null sessions only work on older Windows servers)
rpcclient -U james 10.10.10.52
rpcclient -U "" 192.168.1.105
(press Enter if prompted for a password, or add -N to skip the prompt)
rpcclient $> srvinfo
rpcclient $> querydominfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient $> queryuser john
Samba implements the SMB/CIFS protocol for sharing files (and printers) with other machines, on ports 139 and 445
list the shares a host offers (-L and --list are the same option)
smbclient -L <ip>
smbclient --list <ip>
enumerate shares and OS discovery across a subnet (multiple scripts are comma-separated, otherwise nmap treats the second one as a target)
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse,smb-os-discovery.nse
check for known SMB vulnerabilities (smb-check-vulns.nse was split into the smb-vuln-* scripts in Nmap 7; on current releases use --script smb-vuln*)
nmap --script=smb-check-vulns.nse <ip> -p 445
connect to a share (-L only lists shares; a share is addressed as //<ip>/ShareName)
smbclient //<ip>/ShareName -U <username> -p 445
SMTP: connect to port 25 by hand and use VRFY to check whether a mailbox exists
nc <ip> 25
VRFY root
check SMTP: list the commands the server accepts (EHLO/HELP)
nmap --script smtp-commands.nse <ip> -p 25
NFS: on the server itself, /etc/exports lists the exported directories, which clients may mount them and with what options
cat /etc/exports
enumerating mountable shares
showmount -e <ip>
locate *nfs*.nse
nmap --script nfs-showmount.nse <ip>
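As a server-side counterpart to the /etc/exports line above, an added Python example (not part of these notes) that parses an exports file and flags the settings a reviewer should question: exports open to every host, writable wildcard host patterns, no_root_squash and insecure. The sample file contents are constructed.

```python
"""Audit an /etc/exports file for risky NFS export settings."""

# Constructed sample exports file; the paths and clients are made up.
SAMPLE_EXPORTS = """\
# /etc/exports: directories exported to NFS clients
/srv/backup     *(rw,no_root_squash,sync)
/srv/public     192.168.1.0/24(ro,sync,root_squash)
/home           10.0.0.5(rw,sync) 10.0.0.6(rw,insecure)   # two clients
/srv/wide       *.example.com(rw) *(ro)
/srv/default    (rw)
"""

def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file.

    Comments and blank lines are skipped. A spec with no host, e.g. "(rw)",
    and a path with no specs at all both mean every host, so client is '*'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ['*']
        for spec in specs:
            client, _, opts = spec.partition('(')
            options = [o for o in opts.rstrip(')').split(',') if o]
            entries.append((path, client or '*', options))
    return entries

def audit_exports(text):
    """Return (path, client, reason) findings for the risky settings."""
    findings = []
    for path, client, options in parse_exports(text):
        opts = set(options)
        mode = 'rw' if 'rw' in opts else 'ro'   # exports default to ro
        if client == '*':
            findings.append((path, client, f'exported to every host ({mode})'))
        elif mode == 'rw' and ('*' in client or '?' in client):
            findings.append((path, client, 'writable via wildcard host pattern'))
        if 'no_root_squash' in opts:          # default is root_squash
            findings.append((path, client, 'no_root_squash: client root is root on the export'))
        if 'insecure' in opts:                # allows requests from ports > 1023
            findings.append((path, client, 'insecure: requests accepted from unprivileged ports'))
    return findings

if __name__ == '__main__':
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:<14} {client:<18} {reason}')
```

Run it against a real file with `audit_exports(open('/etc/exports').read())`; an empty result means none of the four checked settings is present.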