
SMB Enumeration

SMB stands for Server Message Block. It is a protocol for sharing resources such as files and printers, and in general any resource that should be retrievable from, or made available by, a server. It primarily runs on port 445 or port 139, depending on the server. It is natively available in Windows, so Windows users don't need to configure anything extra beyond the basic setup. In Linux, however, it is a little different: to make it work you need to install a Samba server, because Linux does not natively speak the SMB protocol.

Enumerate using the following tools:

  • SMBMap – 
    SMBMap allows users to enumerate SMB share drives across an entire domain: list share drives, drive permissions and share contents, upload/download files, auto-download files matching a filename pattern, and even execute remote commands. The first form below runs without credentials (a null session); the second supplies a domain, user and password.
    smbmap -H [ip]
    smbmap -H [ip] -d [domain] -u [user] -p [password]
  • SMBClient – 
    smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the FTP program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
    smbclient -L 192.168.1.102
    smbclient //192.168.1.102/tmp
  • RPCClient – 
    rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.
    We can use rpcclient to open an authenticated SMB session to a target machine by running the command below on our system. Here we use a NULL session, since the username given is "" (empty); -N suppresses the password prompt. At the rpcclient prompt, enumdomusers then lists the domain users.
    rpcclient -U "" -N 192.168.1.102
    enumdomusers
  • Nmap SMB Scripts
    The following script attempts to detect whether a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by the WannaCry and Petya ransomware and other malware. The wildcard runs every smb-vuln-* script, not just the ms17-010 check.
    nmap --script smb-vuln* -p 139,445 192.168.1.103
    nmap -sC -p 139,445 -sV 10.0.2.30
  • Enum4linux – 
    Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
    It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net, and nmblookup.
    enum4linux -a 192.168.1.102

Checklist

  • Enumerate Hostname – nmblookup -A [ip]
  • List Shares
    • smbmap -H [ip/hostname]
    • echo exit | smbclient -L \\\\[ip]
    • nmap --script smb-enum-shares -p 139,445 [ip]
  • Check Null Sessions
    • smbmap -H [ip/hostname]
    • rpcclient -U "" -N [ip]
    • smbclient \\\\[ip]\\[share name]
  • Check for Vulnerabilities – nmap --script smb-vuln* -p 139,445 [ip]
  • Overall Scan – enum4linux -a [ip]
  • Manual Inspection
    • smbver.sh [IP] (port) [Samba]
    • check pcap
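Once the checklist has been run, the scan output still has to be turned into a remediation list. The script below is an added example, not part of the original notes or of any of the tools named here: it parses text in the shape that `nmap --script smb-vuln*` (the "Nmap SMB Scripts" bullet above) and `smbmap -H [ip]` (the "List Shares" and "Check Null Sessions" steps) print, and reports which hosts a script marked VULNERABLE and which shares a credential-less session could read or write. Both embedded samples are constructed and abridged for the example; the column layout, script names and the assumption that share names contain no spaces should be re-checked against the real tools' current output before the regexes are trusted on production scans.

```python
"""Triage helpers for SMB enumeration output (added example, not the
original notes' code). Parses constructed samples shaped like the output
of `nmap --script smb-vuln*` and `smbmap -H <ip>` and lists what to fix."""
import re
from dataclasses import dataclass

# Constructed, abridged sample of nmap host-script output for two hosts.
NMAP_SAMPLE = """\
Nmap scan report for 192.168.1.103
Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
|_smb-vuln-ms10-054: false

Nmap scan report for 192.168.1.102
Host script results:
| smb-vuln-ms17-010: 
|   NOT VULNERABLE:
|     State: NOT VULNERABLE
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# Constructed sample of smbmap's share table for an unauthenticated run.
SMBMAP_SAMPLE = """\
[+] IP: 192.168.1.102:445\tName: 192.168.1.102
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tprint$                                            \tREAD ONLY\tPrinter Drivers
\ttmp                                               \tREAD, WRITE\tscratch space
\topt                                               \tNO ACCESS\t
\tIPC$                                              \tNO ACCESS\tIPC Service
"""


@dataclass(frozen=True)
class VulnFinding:
    host: str
    script: str
    state: str  # "VULNERABLE", "NOT VULNERABLE", "false", or an NT_STATUS error


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w.-]+):\s*(.*)$")   # assumed NSE layout
STATE_RE = re.compile(r"\bState:\s*(.+?)\s*$")


def parse_nmap_vuln(text: str) -> list:
    """One VulnFinding per (host, smb-vuln script) pair found in the text."""
    findings, host, pending = [], "unknown", None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, pending = m.group(1), None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            name, inline = m.group(1), m.group(2).strip()
            if inline:                      # one-line result such as "false" or an error
                findings.append(VulnFinding(host, name, inline))
                pending = None
            else:                           # multi-line block: its State: line follows
                pending = name
            continue
        m = STATE_RE.search(line)
        if m and pending:
            findings.append(VulnFinding(host, pending, m.group(1)))
            pending = None
    return findings


def vulnerable_hosts(findings) -> list:
    """Hosts where any script reported VULNERABLE (or LIKELY VULNERABLE)."""
    hits = {f.host for f in findings
            if "VULNERABLE" in f.state.upper() and not f.state.upper().startswith("NOT")}
    return sorted(hits)


@dataclass(frozen=True)
class Share:
    host: str
    name: str
    perms: str


SMB_HOST_RE = re.compile(r"^\[\+\] IP: (\S+?):\d+")
# Assumes share names contain no whitespace; smbmap's permission vocabulary is assumed too.
SHARE_RE = re.compile(r"^\s*(\S+)\s+(READ ONLY|READ, WRITE|WRITE ONLY|NO ACCESS)\b")


def parse_smbmap(text: str) -> list:
    """One Share per row of the smbmap share table, tagged with the scanned host."""
    shares, host = [], "unknown"
    for line in text.splitlines():
        m = SMB_HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SHARE_RE.match(line)
        if m:
            shares.append(Share(host, m.group(1), m.group(2)))
    return shares


def exposed_shares(shares) -> list:
    """Shares the session could reach at all, writable ones first: these are the
    ones to restrict, since smbmap was run here without credentials."""
    hits = [s for s in shares if s.perms != "NO ACCESS"]
    return sorted(hits, key=lambda s: ("WRITE" not in s.perms, s.host, s.name))


if __name__ == "__main__":
    for h in vulnerable_hosts(parse_nmap_vuln(NMAP_SAMPLE)):
        print(f"[!] {h}: SMBv1 host flagged VULNERABLE - patch and disable SMBv1")
    for s in exposed_shares(parse_smbmap(SMBMAP_SAMPLE)):
        print(f"[!] {s.host} share {s.name}: {s.perms} without credentials")
```

In practice the same parsers are pointed at saved scan output (for example `nmap -oN` files and redirected smbmap runs) rather than the embedded samples, and the "exposed" list becomes the set of shares whose guest or anonymous access needs to be removed on the server side.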

Tools

  • nmblookup – NetBIOS over TCP/IP client used to look up NetBIOS names
  • smbclient – an ftp-like client to access SMB shares
  • nmap – general scanner, with scripts
  • rpcclient – tool to execute client side MS-RPC functions
  • enum4linux – enumerates various smb functions
  • wireshark – packet capture and inspection, for the "check pcap" step above

Thanks to:

https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html