Nmap SMB Enumeration
nmap -v -p 139,445 -oG smb.txt X.X.X.1-254
Query NetBIOS name service for valid NetBIOS names
sudo nbtscan -r X.X.X.X/24
SMB OS Discovery
nmap -v -p 139,445 --script=smb-os-discovery <TARGET IP>
Have Nmap check whether the SMB service is missing at least one critical patch for the MS08-067 vulnerability
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <TARGET IP>
Enumerate the shares provided by a host
smbclient -L //<TARGET IP> -N
Checking for Null Sessions with Linux
smbclient //<TARGET IP>/IPC$ -N
Connect to SMB Share
smbclient \\\\<IP>\\<Sharename> -U <username>
Do an nmblookup (similar to nbtstat)
enum4linux -n <TARGET IP>
Once we know whether the target is using NetBIOS type <20> (the file server service), we can check the password policy
enum4linux -P <TARGET IP>
Enumerate Shares
enum4linux -S <TARGET IP>
Brute-force share names
enum4linux -s /usr/share/enum4linux/share-list.txt <TARGET IP>
Run all enumeration scripts
enum4linux -a <TARGET IP>
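
The grepable file written by the first command (`-oG smb.txt`) also lists hosts whose ports 139/445 are closed or filtered, so the per-port state has to be read before building an inventory of hosts that actually expose SMB. The following is an added example, not part of the original notes; the function names and the 192.0.2.x sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list hosts in Nmap grepable output (-oG) that have
# TCP 139 and/or 445 in state "open". Output: IP<TAB>comma-separated ports.
smb_hosts() {
    awk '
    /^Host: / && /Ports: / {
        ip = $2                      # second whitespace field is the address
        sub(/^.*Ports: /, "")        # keep only the port list
        sub(/\t.*$/, "")             # drop any trailing tab-separated fields
        n = split($0, entries, /, */)
        found = ""
        for (i = 1; i <= n; i++) {
            # each entry is port/state/protocol/owner/service/...
            split(entries[i], f, "/")
            if ((f[1] == "139" || f[1] == "445") && f[2] == "open" && f[3] == "tcp")
                found = found (found == "" ? "" : ",") f[1]
        }
        if (found != "") printf "%s\t%s\n", ip, found
    }' "$@"
}

# Constructed sample of grepable output (documentation address range).
sample_scan() {
    printf '# constructed sample of nmap -oG output\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
    printf 'Host: 192.0.2.20 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.20 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
    printf 'Host: 192.0.2.30 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.30 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\n'
}

# Demo on the constructed sample; on a real scan run: smb_hosts smb.txt
sample_scan | smb_hosts
```

Hosts that still answer on 139 as well as 445 are the ones where the NetBIOS-based checks above (nbtscan, enum4linux -n) will return data.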