139/445 ~ SMB
https://docs.google.com/document/d/15MpM-hypaArwGk7B1n1decet3ZEylSYCSzIkDd_b1PQ/edit?tab=t.0
Key differences between ports 139 and 445:
Port 139: Legacy. Relies on NetBIOS over TCP/IP and is primarily used by older systems and older versions of SMB, such as SMB 1.0 and earlier.
Port 445: Used in modern systems. It supports direct SMB over TCP/IP, used by newer versions of SMB (e.g. SMBv2, SMBv3).
$ sudo nmap -sS -n -v <host>
PORT STATE SERVICE
...
139/tcp open netbios-ssn
445/tcp open microsoft-ds
...
Metasploit
msf6 > search type:auxiliary smb
msf6 > search type:auxiliary smb scanner
auxiliary/scanner/smb/smb_enumshares
auxiliary/scanner/smb/smb_enumusers
auxiliary/scanner/smb/smb_version
auxiliary/scanner/smb/smb_ms17_010
Example
Module: scanner/smb/smb_login, targets port 445
Password brute-force on port 445 for a single username.
msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options
...
# default
RPORT 445 yes The SMB service port (TCP)
...
# Set options
msf6 auxiliary(scanner/smb/smb_login) > set rhosts [remote_host]
msf6 auxiliary(scanner/smb/smb_login) > set stop_on_success true
msf6 auxiliary(scanner/smb/smb_login) > set user_as_pass true
msf6 auxiliary(scanner/smb/smb_login) > set pass_file [path_to_password_wordlist]
msf6 auxiliary(scanner/smb/smb_login) > set smbuser [username]
TryHackMe Metasploit exploitation room, Task 2:
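What the single-username password guessing shown above looks like from the target side, as an added example that is not part of the original notes or the TryHackMe room: repeated failed network logons (event 4625, logon type 3) for one account from one source, possibly followed by a success (4624). The CSV layout, the sample records, the threshold and the window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: a simplified CSV export of Windows
# Security events as time,event_id,logon_type,user,source_ip.
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB).
SAMPLE = """\
2024-05-01T10:00:01,4625,3,svc_backup,10.0.0.50
2024-05-01T10:00:02,4625,3,svc_backup,10.0.0.50
2024-05-01T10:00:03,4625,3,svc_backup,10.0.0.50
2024-05-01T10:00:04,4625,3,svc_backup,10.0.0.50
2024-05-01T10:00:05,4625,3,svc_backup,10.0.0.50
2024-05-01T10:00:06,4625,3,svc_backup,10.0.0.50
2024-05-01T10:00:07,4624,3,svc_backup,10.0.0.50
2024-05-01T10:02:00,4625,3,alice,10.0.0.20
2024-05-01T10:02:09,4624,3,alice,10.0.0.20
2024-05-01T10:05:00,4625,2,bob,127.0.0.1
"""


def parse(text):
    """Yield (time, event_id, logon_type, user, source_ip) per line."""
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), int(ltype), user, ip


def find_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag (source, user) pairs with >= threshold failed network logons
    inside the window, and record whether a success followed the burst."""
    recent = defaultdict(list)  # (ip, user) -> failure times still in window
    alerts = {}
    for ts, eid, ltype, user, ip in sorted(parse(text)):
        if ltype != 3:  # only network logons, which is how SMB auth appears
            continue
        key = (ip, user)
        if eid == 4625:
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(
                    key, {"src": ip, "user": user, "failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(recent[key]))
        elif eid == 4624 and key in alerts:
            alerts[key]["success_after"] = True  # a guess likely succeeded
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE):
        print(alert)
```

A burst followed by `success_after: True` is the case to triage first, since it suggests the account's password was found.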