SMBCLIENT
INSTALLATION
root@oco:~$ sudo apt install smbclient
LISTING SHARES: PASSWORD MISCONFIGURATION
#test whether the server has a password misconfiguration
root@oco:~$ smbclient -h
root@oco:~$ smbclient -L {\\\\targetIP} -U {userName}
 * the -L flag is used to list available server shares on the target.
 * the -U flag is used to specify the Login identity to use.
    - misconfigured smb servers typically have administrator as the username
      with an unset password
LISTING SHARES: W/O PASSWORD
root@oco:~$ smbclient -h
root@oco:~$ smbclient -N -L \\\\10.129.42.253
 Sharename       Type      Comment
 --------       ----      -------
 print$          Disk      Printer Drivers
 users           Disk      
 IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))
 SMB1 disabled -- no workgroup available
 
 * the -N flag (null session) is used for anonymous access
    - it suppresses the password prompt, so no existing user or valid password is entered
    - the -N MUST come before the -L
 * the -L flag is used to list available shares on the target
 * the print$ and IPC$ shares are included by default in the basic setting (if configured)
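A defensive use of the listing above, as an added example that is not part of the original notes: it parses the text printed by `smbclient -N -L` and reports every disk share other than the default print$ that is visible without credentials. The function names are hypothetical and the sample listing is constructed from the output format shown above.

```bash
#!/usr/bin/env bash
# Added example: flag disk shares that an unauthenticated (-N) listing exposes.

# Constructed sample in the format printed by `smbclient -N -L`.
SAMPLE_LISTING='
 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 users           Disk      
 IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available'

anon_disk_shares() {
    # Reads a listing on stdin, prints one exposed share name per line.
    # Rows are "<name> <type> [comment]"; share names containing spaces
    # are not handled (assumption of this example).
    awk '
        $1 == "Sharename" { in_table = 1; next }   # header row starts the table
        !in_table         { next }                 # ignore banner/prompt lines
        $1 ~ /^-+$/       { next }                 # dashed separator row
        NF < 2            { in_table = 0; next }   # blank line ends the table
        $2 == "Disk" && $1 != "print$" { print $1 } # IPC rows and print$ are defaults
    '
}

audit_anon_listing() {
    # Exit 0 when only default shares are listed, 1 otherwise (cron/CI friendly).
    exposed=$(anon_disk_shares)
    if [ -z "$exposed" ]; then
        echo "OK: no non-default disk shares listed without credentials"
        return 0
    fi
    for share in $exposed; do
        echo "EXPOSED: disk share '$share' is listed to a null session"
    done
    return 1
}

# Demo on the constructed sample; "|| true" keeps the script exit status clean.
printf '%s\n' "$SAMPLE_LISTING" | audit_anon_listing || true
```

To audit a server you administer, pipe the real listing into `audit_anon_listing` in place of the sample.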
ACCESSING SHARES: W/ FULL CREDENTIALS
root@oco:~$ smbclient \\\\10.129.150.91\\users -U bob%Welcome1
 * MUST list shares first prior to connecting with credentials
    - forward slashes can be used as well
       - //10.129.150.91/users
Enter WORKGROUP\<username>'s password: 
Anonymous login successful
Try "help" to get a list of possible commands.
CONNECTION: W/ PASSWORD
root@oco:~$ smbclient //10.129.150.91/users -U bob%Welcome1
 Try "help" to get a list of possible commands.
 * MUST list shares first prior to connecting with credentials
    - smbclient needs a share path, like //IP/SHARE.
       - Without a share, it doesn't know what to connect to.
 * can use backslash instead of forward slashes
    - \\\\10.129.150.91\\users -U bob%Welcome1
smb: \> ls
 .                                   D        0  Thu Feb 25 16:42:23 2021
 ..                                  D        0  Thu Feb 25 15:05:31 2021
 bob                                 D        0  Thu Feb 25 16:42:23 2021
	4062912 blocks of size 1024. 1332480 blocks available
		
smb: \> cd bob
smb: \bob\> ls
 .                                   D        0  Thu Feb 25 16:42:23 2021
 ..                                  D        0  Thu Feb 25 16:42:23 2021
 passwords.txt                       N      156  Thu Feb 25 16:42:23 2021
	4062912 blocks of size 1024. 1332480 blocks available
		
smb: \bob\> get passwords.txt 
 getting file \bob\passwords.txt of size 156 as passwords.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
root@oco:~$ cat passwords.txt
 ...
CONNECTION W/O PASSWORD
root@oco:~$ smbclient //10.129.202.5/sambashare
 Password for [WORKGROUP\htb-ac-53539]:
 Try "help" to get a list of possible commands.
smb: \> 
 * after listing the shares, test whether a connection to the share is possible
    - this is only possible if anonymous login is enabled or if there's a misconfiguration
DOWNLOADING FILES
The smbclient allows for the execution of local system commands (non-target side)
smb: \> get prep-prod.txt 
 getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec) 
 (average 8,7 KiloBytes/sec)
smb: \> !ls
 prep-prod.txt
smb: \> !cat prep-prod.txt
 [] check your code with the templates
 [] run code-assessment.py
 [] …	
 
 * the "!" followed by a cmd can be used to execute local system commands (non-target side)
    - this will not interrupt the connection.
EXECUTING LOCAL SYSTEM CMDS
The !<cmd> in smbclient runs a command in the local shell without leaving the smbclient interactive prompt. The command executes on the local system, not on the SMB server you are connected to. This saves time when you want to manipulate local files (e.g., listing directories, moving files) while staying inside the smbclient session.
//list local files while connected to the target
smb: \> !ls
 notes.txt  exploit.c  loot/