> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/password-reuse/trick-0313.md).

# Credential Reuse from SMB Enum on Web

***

Credentials discovered during enumeration of one service can frequently be reused on others running on the same target. Credential reuse is a technique where an attacker obtains a set of credentials for one service and attempts to use those same credentials to authenticate to other services. This technique is effective because users often reuse passwords across multiple accounts and services, making credential reuse a significant security risk. For instance, if usernames like `milesdyson` and a list of potential passwords (e.g., from `log1.txt` found on an anonymous SMB share) are obtained, these should be tested against all other identified services.

Enumerating SMB shares can reveal valuable information. SMB shares enumeration is the process of identifying network shares and their associated permissions on a target system. To list available shares anonymously on a target IP, commands like the following can be used:

```bash
smbclient -L //target_ip
```

This command attempts to list accessible shares without providing specific credentials. If anonymous access is permitted to a share (e.g., 'anonymous'), one can connect to it and list files:

```bash
smbclient //target_ip/anonymous
ls
```

Once connected, you can list files using the `ls` command. If a file like `log1.txt` is found, it can be downloaded using:

```bash
get log1.txt
```

Additionally, user enumeration tools can help identify potential usernames. `enum4linux` is a wrapper around the Samba tools `smbclient`, `rpclient`, `net`, and `nmblookup`. It attempts to enumerate various information from a Windows or Samba host, including usernames, group and member lists, share names, password policies, and LSA information.

To enumerate users specifically, the `-U` flag is used:

```bash
enum4linux -U target_ip
```

Other useful enumeration options with `enum4linux` include:

* `-S <target_ip>`: Enumerate shares.
* `-G <target_ip>`: Enumerate groups.
* `-P <target_ip>`: Enumerate password policy.
* `-M <target_ip>`: Enumerate machines.
* `-a <target_ip>`: Perform all simple enumeration tests.

Once usernames like `milesdyson` are identified (potentially via `enum4linux`) and password lists (e.g., from `log1.txt` obtained from an SMB share) are obtained, these should be tested against all other identified services.

Specifically, if a web application like `/squirrelmail` is running, attempt to log in using the `milesdyson` username and iterating through the passwords found in `log1.txt`. This capitalizes on the common user practice of reusing passwords across different accounts and services. Attackers can leverage credentials found via one service, such as those discovered during SMB enumeration, to gain access to unrelated services running on the same target.
