SMB Enumerate

Enumerate SMB

NMAP

ls /usr/share/nmap/scripts/ | grep SMB

Enum4linux:

enum4linux -a 172.21.0.0

SMBmap:

smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
smbmap -H 172.21.0.0 -d [domain] -u "" -p ""

SMBClient:

smbclient -L 172.21.0.0
smbclient //172.21.0.0/tmp

#protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

Ran into this last nite.  Go to ur /etc/samba/smb.conf file and add the following,
client min protocol = NT1. Under the global section

or

# smbclient -L <windows server name> -U <user name> -m SMB2
# smbclient -L <windows server name> -U <user name> -m SMB3

Nmap:

nmap --script smb-enum-* -p 139,445, 172.21.0.0
nmap --script smb-* -p 139,445, 172.21.0.0
/usr/share/nmap/scripts/smb-enum-services.nse /usr/share/nmap/scripts/smb-enum-sessions.nse 
/usr/share/nmap/scripts/smb-enum-shares.nse /usr/share/nmap/scripts/smb-enum-users.nse 
/usr/share/nmap/scripts/smb-flood.nse /usr/share/nmap/scripts/smb-ls.nse 
/usr/share/nmap/scripts/smb-mbenum.nse /usr/share/nmap/scripts/smb-os-discovery.nse 
/usr/share/nmap/scripts/smb-print-text.nse /usr/share/nmap/scripts/smb-protocols.nse 
/usr/share/nmap/scripts/smb-psexec.nse /usr/share/nmap/scripts/smb-security-mode.nse 
/usr/share/nmap/scripts/smb-server-stats.nse /usr/share/nmap/scripts/smb-system-info.nse
/usr/share/nmap/scripts/smb-brute.nse /usr/share/nmap/scripts/smb-enum-domains.nse 
/usr/share/nmap/scripts/smb-enum-groups.nse /usr/share/nmap/scripts/smb-enum-processes.nse

Impacket

Is also possible to use impacket in the same way than smbclient to check for anonymous login (and a lot more as browse the shares) in case of incompatible versions.


/usr/share/doc/python3-impacket/examples/smbclient.py ""@192.168.24.24

BruteForce

patator smb_login host=192.168.129.71 user=FILE0 password=FILE1 0=user 1=~/Desktop/rockyou.txt -x ignore:fgrep=STATUS_LOGON_FAILURE

Impacket SmbClient:

/usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0

RPCclient:

rpcclient -U "" -N 172.21.0.0 enumdomusers

Impacket:

python3 samdump.py SMB 172.21.0.0

CrackMapExec:

crackmapexec smb -L 
crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth
crackmapexec 172.21.0.0 -u Administrator -H [hash] --share
crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz

smb-mbenum

smb-mbenum script will use udp 139

List Nmap SMB Scripts

!ls /usr/share/nmap/scripts/ | grep smb

smb2-capabilities.nse,smb2-security-mode.nse,smb2-time.nse,smb2-vuln-uptime.nse,smb-double-pulsar-backdoor.nse,smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-services.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-flood.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-protocols.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse

PreviousSMB Exploit NextSend and Execute

Last updated 4 years ago

Was this helpful?