SMB Enum

Search…

SMB Enum

CheckList
Run enum4linux
Check version, null session. 
Check share drives
If access to file system do the same as ftp attacks. 
SMB Vulnerability Scan
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse 10.10.10.10
Enumerate users and shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
SMB Connect share
smbclient //IP_ADDRESS/share
smbclient //IP_ADDRESS/tmp
smbclient \\\\IP_ADDRESS\\ipc -U username_here
smbclient //IP_ADDRESS/ipc -U username_here  
smbclient -U '.' -L IP_ADDRESS
smbclient -U 'guest' -L IP_ADDRESS
​
Anonymous login:
smbclient //IP_ADDRESS/anonymous
​
Download file:
smbget -R smb://IP_ADDRESS/anonymous
List Shares
smbclient -L IP_ADDRESS
Enum4Linux
enum4linux -a 10.10.10.10
Enum4Linux enumerate users
enum4linux -r 10.10.10.10 | grep "Local User"
Null Connect
rpcclient -U "" 10.10.10.10
rpcclient -U '' 10.10.10.10
	srvinfo
	enumdomusers
	getdompwinfo
	querydominfo
	querydisplayinfo2
	netshareenum
	netshareenumall
	queryuser RID						<-- Give the RID of the user. 
NBTscan
nbtscan 10.10.10.x
Mount Share
mkdir /mnt/remote/
mount -t cifs //10.10.10.10/Backups /mnt/remote/
​
VHD mount:
guestmount --add /mnt/remote/path/to/file.vhd --inspector --ro /mnt/vhd -v
CrackMapExec
crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
crackmapexec smb 10.10.10.10 --pass-pol                  <-- Enum Password Policy
crackmapexec winrm 10.10.10.10 -u username -p password   <-- See if you can login 
SMBmap Connect
smbmap -H 10.10.10.10 -u '' -p ''

DNS Enum

SMTP Enum

Last modified 1yr ago

Copy link

Outline

CheckList

SMB Vulnerability Scan

Enumerate users and shares

SMB Connect share

List Shares

Enum4Linux

Enum4Linux enumerate users