SMB Enumeration (139,445)

Nmap SMB Enumeration

nmap -v -p 139,445 -oG smb.txt X.X.X.1-254

Query NetBIOS name service for valid NetBIOS names

sudo nbtscan -r X.X.X.X/24

SMB OS Discovery

nmap -v -p 139,445 --script=smb-os-discovery <TARGET IP>

Use Nmap to identify whether the SMB service is missing at least one critical patch for the MS08-067 vulnerability

nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <TARGET IP>

Enumerate the shares provided by a host

smbclient -L //<TARGET IP> -N

Checking for Null Sessions with Linux

smbclient //<TARGET IP>/IPC$ -N

Connect to SMB Share

smbclient \\\\<IP>\\<Sharename> -U <username>

Do an nmblookup (similar to nbtstat)

enum4linux -n <TARGET IP>

After confirming that the target is using NetBIOS type <20>, we can check the password policy

enum4linux -P <TARGET IP>

Enumerate Shares

enum4linux -S <TARGET IP>

Bruteforce Shares

enum4linux -s /usr/share/enum4linux/share-list.txt <TARGET IP>


Run all enumeration scripts

enum4linux -a <TARGET IP>