Nmap scan

nmap -p 139,445,137 "$ip" -sVC --script "safe and smb* and not brute" -oN scan/smb_scan_"$ip".txt

Full enumeration

enum4linux -a "$ip"
enum4linux-ng "$ip"
samrdump.py "$ip"
smbmap -H "$ip"

SMB session check (null, guest, random user)

enum4linux -a -u "" -p "" "$ip" && enum4linux -a -u "guest" -p "" "$ip" && enum4linux -a -u "randUser" -p "" "$ip"

enum4linux-ng "$ip" -R 2000 -G -u "" -p "" && enum4linux-ng "$ip" -R 2000 -G -u "randUser" -p "" && enum4linux-ng "$ip" -R 2000 -G -u "guest" -p ""

Detect smb server version

MSF module - smb_version OR smb_version.sh

netexec smb "$ip" -u anonymous -p ""

netexec smb "$ip" -u guest -p ""
smbclient -U 'guest%' -L //"$ip"

netexec smb "$ip" -u "" -p ""
smbclient -U '%' -L //"$ip"

Enum groups

nxc smb "$ip" -u <username> -p <password> --groups
nxc smb "$ip" --loggedon-users -u <username> -p <password> --groups
  
rpcclient -U "" -N "$ip"
>> enumdomgroups

Null user

smbclient -N -L //"$ip"

List shares recursively

smbmap -R -u "" -p "" -H "$ip"

Connect with a share

smbclient //"$ip"/notes

List shares

smbclient -L "$ip" -N

List share with creds

smbclient -U 'admin%' -L //"$ip"/C$

SMB2 session check

smbclient -L \\\\"$ip"\\ -m SMB2

List shares

smbclient -L //"$ip" -N -c 'recurse;ls'

List recursively

smbmap -H "$ip" -R Folder

SMB null session connect

rpcclient -U "" -P "" "$ip"
rpcclient --user '%' "$ip"

○ Enum users (access required)
	enumdomusers
	queryuser <rid>
	
○ Group information
	querygroup <rid>

Username enum (RID)

ldap_query=$(echo $domain | awk -F. "{print "DC="$1",DC="$2});ldapsearch -x -b "$ldap_query" -s sub "(&(objectclass=user))" -H  ldap://"$ip" | grep -i samaccountname: | cut -f 2 -d " "

impacket-lookupsid -no-pass anonymous@"$target" 5000

nxc smb "$ip" -u '' -p '' --users

impacket-lookupsid -no-pass "$domain"

OR

for i in $(seq 500 1100);do rpcclient -N -U "" "$ip" -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

MSF module - smb_lookupsid

nxc smb "$ip" -u guest -p "" --rid-brute

ridenum "$domain" 500 50000

impacket-lookupsid -no-pass "guest@$domain" 10000 | grep 'SidTypeUser' | grep -v -e "$domain" | awk -F'\\' '{print $2}' | sed 's/ (SidTypeUser)//'

rpcclient -U "" -N "$ip"
$>> enumdomusers

Alternative tools

○ Enum4linux
	enum4linux "$ip" -A

○ Samrdump.py
	samrdump.py "$ip"

○ smbmap
	smbmap -H "$ip"

○ CrackMapExec
	nxc smb "$ip" --shares -u '' -p ''

Tools to connect with smb machine

nxc
psexec (metasploit)
winexec
psexec.py
smbexec.py
wmiexec.py
RDP connection

Download smb file/dir

smbclient //"$ip"/users
>mask ""
>prompt
>recurse
>mget *
		OR
smb: > mget *

Previousdefault-credentials NextSMB share spider

Last updated 1 day ago

hashtagFull enumeration

hashtagSMB session check (null, guest, random user)

hashtagDetect smb server version

hashtagRandom User login check

hashtagGuest login check

hashtagNull/anonymous User login check

hashtagEnum groups

hashtagSMB share enum

hashtagSMB null session connect

hashtagUsername enum (RID)

hashtagAlternative tools

hashtagTools to connect with smb machine

hashtagDownload smb file/dir

Full enumeration

SMB session check (null, guest, random user)

Detect smb server version

Random User login check

Guest login check

Null/anonymous User login check