SMB Enumeration Guide

N16H7H4WK
Jul 16, 2023


Introduction to SMB:
SMB (Server Message Block) is a client-server protocol for sharing files, printers and other resources, and for inter-process communication (named pipes), between computers on a network. Windows uses it natively; Samba implements it on Linux and other Unix-like systems. The service listens on TCP port 445 (SMB directly over TCP) and, on older or legacy configurations, also on TCP port 139 (SMB over the NetBIOS session service).

SMB Enumeration Covers:

SMB enumeration is the process of querying a target's SMB service for information such as host and domain names, the SMB dialects it accepts, the shares it exposes, whether null (anonymous) sessions are allowed, user and group lists, the password policy, and known vulnerabilities.
1-SMB Versions:
Before diving into enumeration or exploitation, it is important to know which SMB dialects the target speaks. The protocol has evolved over time: SMB1 (also called CIFS), SMB 2.0 and 2.1, and SMB 3.0, 3.0.2 and 3.1.1. Each version improved performance and security over the previous one; SMB 3.0 added transport encryption and SMB 3.1.1 added pre-authentication integrity checks. SMB1 has none of these protections, was the vector for the MS17-010 (EternalBlue) exploits, and has not been installed by default on Windows since Windows 10 and Windows Server version 1709, so a host that still offers it is an immediate finding.

Keep SMB implementations patched, disable SMB1, and require message signing where possible to get the best security for network file sharing.

2-SMB Enumeration:

Before digging deeper, gather the basics: is SMB listening, which implementation (Windows or Samba) and version is it, and which OS is underneath.

1-Find SMB servers with nmap, a well-known and powerful network scanner, by checking both SMB ports:
nmap -p 139,445 -Pn X.X.X.X

2-Identify the SMB implementation and OS with service detection:
nmap -p 139,445 -sV -Pn X.X.X.X
The -sV banner is often only "microsoft-ds" or "Samba smbd x.y.z"; the smb-os-discovery script adds the OS name, computer name and domain:
nmap -p 139,445 -Pn --script smb-os-discovery X.X.X.X

3-Tools such as SearchSploit can then be used to look up known exploits for the version found.
e.g. searchsploit samba 4.6, or searchsploit microsoft smb [Windows or SMB version]

Methods of enumeration:

Now that you have gathered the basic information, it is time to enumerate further.

1-Nmap Scripts:
Nmap is a powerful tool and ships with a set of NSE scripts for SMB (see /usr/share/nmap/scripts/smb-*.nse). The most useful ones:
• smb-os-discovery – Reports the OS, computer name, domain and NetBIOS name over SMB.
• smb-protocols – Lists the SMB dialects the server accepts (and flags SMBv1 if it is still enabled).
• smb-security-mode – Reports whether message signing is required.
• smb-enum-shares – Enumerates SMB shares on an SMB server (over a null session or with supplied credentials).
• smb-enum-users – Enumerates user accounts via SAMR and LSA lookups.
• smb-brute – Performs brute-force password auditing against SMB servers (noisy, and can lock domain accounts out).
• smb-system-info – Collects system information through SMB/NetBIOS by reading the remote registry, so it needs credentials with registry access.
• smb-vuln-* – Checks whether the server is vulnerable to known exploits, e.g. smb-vuln-ms17-010 (EternalBlue) and smb-vuln-ms08-067.

Run a script (or a comma-separated list, or a wildcard) against the SMB ports with the following command:
nmap -p 139,445 --script [script name] X.X.X.X
e.g. nmap -p 139,445 --script smb-os-discovery,smb-enum-shares,smb-vuln-* X.X.X.X
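The fingerprinting steps and the NSE scripts above, put together into one small POSIX shell script. This is an added example, not code from the original article: the function names (smb_recon, nmap_service, smb_dialects, smb1_enabled) are my own, the SAMPLE_NMAP output is constructed, and it assumes nmap is installed and that the target is one you are authorised to scan.

```shell
#!/bin/sh
# Added example, not from the original article. Runs the nmap fingerprinting
# and SMB NSE steps against a target and parses the saved output.
# Assumptions: nmap is installed; the target is one you are authorised to scan.
# SAMPLE_NMAP is constructed -oN output so the parsers can be exercised offline.

SAMPLE_NMAP='Nmap scan report for 10.0.0.5
PORT    STATE  SERVICE      VERSION
139/tcp closed netbios-ssn
445/tcp open   netbios-ssn  Samba smbd 4.6.2 (workgroup: WORKGROUP)
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|     3:0:2
|_    3:1:1'

# Port scan, version scan, then the read-only SMB scripts, all saved as -oN files
# under $2 (default ./smb-<target>). smb-brute is left out on purpose: it is noisy
# and can lock domain accounts out.
smb_recon() {
    target=$1
    outdir=${2:-./smb-$1}
    mkdir -p "$outdir"
    nmap -p 139,445 -Pn "$target" -oN "$outdir/ports.txt"
    nmap -p 139,445 -sV -Pn "$target" -oN "$outdir/version.txt"
    nmap -p 139,445 -Pn \
        --script 'smb-os-discovery,smb-protocols,smb-security-mode,smb-enum-shares,smb-vuln-*' \
        "$target" -oN "$outdir/nse.txt"
}

# Print the SERVICE and VERSION columns for an open TCP port from -oN output on
# stdin; prints nothing if the port is not open. Usage: nmap_service 445 < version.txt
nmap_service() {
    awk -v p="$1/tcp" '$1 == p && $2 == "open" { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Print one SMB dialect per line from smb-protocols script output on stdin.
# The last entry of an NSE block is prefixed "|_", so stop there.
smb_dialects() {
    awk '
        /smb-protocols:/ { in_script = 1; next }
        in_script && /dialects:/ { next }
        in_script && /^[|][ _]/ { last = ($0 ~ /^[|]_/); sub(/^[|][ _]+/, ""); print; if (last) exit }
    '
}

# Succeed (exit 0) if the server still negotiates SMBv1, which nmap lists as NT LM 0.12.
smb1_enabled() {
    smb_dialects | grep -q '^NT LM 0\.12'
}

# Stand-alone run against the constructed sample (no network needed):
printf '%s\n' "$SAMPLE_NMAP" | nmap_service 445
printf '%s\n' "$SAMPLE_NMAP" | smb1_enabled && echo "SMBv1 still enabled"
```

Against a real host, `smb_recon 10.0.0.5` writes the three files and `nmap_service 445 < smb-10.0.0.5/version.txt` gives you the string to feed to searchsploit; `smb1_enabled < smb-10.0.0.5/nse.txt` is the quick yes/no for the SMB1 finding.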

2-Common credentials: Try common or default credentials, e.g. admin, administrator, root, guest, or a blank password for a known username. If the server is not configured properly, this may work.
3-Brute force credentials:
Credentials can also be brute-forced with the well-known tool hydra. Note that hydra's SMB module uses the smb:// scheme (not ftp://), and that the port is set with lowercase -s (uppercase -S means SSL in hydra):

hydra [-L users.txt | -l user_name] [-P pass.txt | -p password] -f [-s port] smb://X.X.X.X

Before brute-forcing a domain-joined host, check the account lockout policy (enum4linux -P or the smb-enum-domains nmap script reports it): a handful of wrong guesses per account can lock users out, which is both noisy and disruptive.

4-Enumerate via Enum4linux:

Enum4linux is a wrapper around the Samba tools (smbclient, rpcclient, net and nmblookup) that enumerates Windows and Samba hosts over SMB and MSRPC: users, groups, shares, password policy and OS details, over a null session by default. Run enum4linux with no arguments to see the tool's usage. For example, the -U flag lists users: enum4linux -U X.X.X.X.

A few popular commands that help in the enumeration process:

Enumerate everything (users, groups, shares, password policy, OS) with the following command:

enum4linux -a remote_host

Enumerate using login credentials:

enum4linux -u user_name -p password remote_host

Enumerate user list:

enum4linux -U remote_host

Getting OS information:

enum4linux -o remote_host

5-Enumerate via Smbclient:

Now let's talk about the easiest way to enumerate SMB on port 445: smbclient, part of the Samba suite. Kali Linux already ships it; elsewhere install the samba-client (or smbclient) package. Once installed, see smbclient --help for detailed usage.

The most commonly used flag is -L, which lists the shares on a target. The address is written with slashes, e.g. smbclient -L //X.X.X.X. smbclient then prompts for a password for the current user; if the server is not configured properly, simply hitting Enter at the prompt (an empty password) may log you in anonymously. This is also called a null session attack.

Where null sessions are allowed, you can log in with a blank username and no password explicitly: use the -U flag to specify the username (in this case an empty string) and the -N flag to suppress the password prompt:

smbclient -L //X.X.X.X -U '' -N

The output lists the share names with their type (Disk, IPC, Printer) and comment. Next, connect to one of them with the same null session, for example a share called workshares:

smbclient //X.X.X.X/workshares -U '' -N

If the connection succeeds and ls shows the directory listing, the share is readable anonymously. So this is how we use smbclient. Now here is a list of smbclient commands that help for enumeration purposes.

  1. Connect to a share:
# smbclient //server/share

2. Connect with a different username (short form: -U username):

# smbclient //server/share --user=username

3. Connect with a different workgroup or domain (short form: -W domain):

# smbclient //server/share --workgroup=domain --user=username

4. Connect with a username and password. The password ends up in your shell history and in the process list, so prefer the interactive prompt or a credentials file passed with -A where that matters:

# smbclient //server/share --user=username%password

5. Download a file from the server:

# smbclient //server/share --directory=path/to/directory --command="get file.txt"

6. Upload a file to the server:

# smbclient //server/share --directory=path/to/directory --command="put file.txt"

7. List the shares from a server anonymously (null session; the second form uses the short options):

# smbclient --list=server --no-pass
# smbclient -L //server -N

This was all about SMB-Enumeration ! Hope it will prove helpful.

Regards: Taliya Bilal
