SMB (139,445) Enum
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Version & Vuln Scan
- Version and basic info enumeration
Sometimes nmap doesn't show the Samba version running on the remote host. When that happens, a good way to find out is to capture traffic with Wireshark against the remote host on 445/139 while running `smbclient -L` in parallel, then use Follow TCP Stream on the capture: the version string is often visible in the exchange.
sudo ngrep -i -d <INTERFACE> 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L <IP>
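As an added illustration (not part of the original notes) of what the ngrep pattern above is matching, this Python helper pulls a Samba version string out of a captured SMB byte stream, checking both plain ASCII and UTF-16LE. The `.?` between each letter in the ngrep pattern exists for the same reason: when the server sends the field as Unicode, every character is followed by a NUL byte. The sample inputs are constructed, not real captures.

```python
import re
from typing import Iterator, Optional

# Printable ASCII runs of at least 4 characters.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# The same runs as UTF-16LE: every printable byte is followed by a NUL byte.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# "Samba <version>" as it appears in the server's native LAN manager string,
# e.g. "Samba 4.3.11-Ubuntu".
VERSION = re.compile(r"Samba\s+(\d+\.\d+(?:\.\d+)?[\w.\-]*)", re.IGNORECASE)


def printable_strings(data: bytes) -> Iterator[str]:
    """Yield decoded printable runs from a raw capture: ASCII first, then UTF-16LE."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def samba_version(data: bytes) -> Optional[str]:
    """Return the first Samba version string found in the capture, or None."""
    for text in printable_strings(data):
        m = VERSION.search(text)
        if m:
            return m.group(1)
    return None


# Constructed samples standing in for the relevant bytes of a captured reply.
SAMPLE_ASCII = b"\x00\x00Windows 6.1\x00Samba 4.3.11-Ubuntu\x00"
SAMPLE_UTF16 = "Unix\x00Samba 3.0.20-Debian\x00".encode("utf-16-le")
SAMPLE_WINDOWS = b"Windows 7 Professional 7601 Service Pack 1\x00"

if __name__ == "__main__":
    for label, sample in (("ascii", SAMPLE_ASCII), ("utf16", SAMPLE_UTF16),
                          ("windows", SAMPLE_WINDOWS)):
        print(label, samba_version(sample))
```

Feed it the TCP payload bytes exported from Wireshark (Follow TCP Stream, raw) to get the same answer the ngrep one-liner gives.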
To enumerate users, shares and others:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse {Victim IP}
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-services.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse -p445 {Victim IP}
- Vulnerability Identification
To identify common vulnerabilities with nmap:
nmap --script smb-vuln* -Pn -p139,445 {IP}
nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p445 {Victim IP}
nmap -p139,445 --script "smb-vuln-* and not(smb-vuln-regsvc-dos)" --script-args smb-vuln-cve-2017-7494.check-version,unsafe=1 <IP>
nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
To check MS17-010 - EternalBlue:
nxc smb {IP} -M ms17-010
To exploit it use https://github.com/3ndG4me/AutoBlue-MS17-010 or MSF Module.
MS08: https://github.com/andyacer/ms08_067.git
CVE-2017-7494: https://github.com/joxeankoret/CVE-2017-7494
Enumeration w/ No Credentials
- Network Scanning
netexec smb {ip-range}
- Guest Access on SMB Shares and Null/Guest Logins
enum4linux -a -u "" -p "" <dc-ip> && enum4linux -a -u "guest" -p "" <dc-ip>
smbmap -u "" -p "" -P 445 -H <dc-ip> && smbmap -u "guest" -p "" -P 445 -H <dc-ip>
smbclient -U '%' -L //<dc-ip> && smbclient -U 'guest%' -L //<dc-ip>
nxc smb <ip> -u '' -p ''
nxc smb <ip> -u 'a' -p ''
nxc smb {IP} --pass-pol -u "" -p ""
nxc smb {IP} --pass-pol -u "guest" -p ""
- User Enumeration
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
enum4linux -U <dc-ip> | grep 'user'
nxc smb <ip> --users
- Arch Identification
getArch.py -target {IP}
Enumeration w/ Credentials
- Shares Access
nxc smb {IP} -u {Username} -p {Password} --shares
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\{folder}" -U {Username} -W {Domain_Name} -I {IP}
smbclient "\\\\{IP}\\{folder}" -U {Username}%{NT_Hash} -W {Domain_Name} -I {IP} --pw-nt-hash
smbclient //{Ip}/{folder} -U {username} --password {password}
impacket-smbclient {user}@{IP}
# inside the impacket-smbclient shell, `who` lists the users logged in on the server
- Sessions Enumeration
crackmapexec smb {IP/24} -u {Username} -p {password} --sessions
- User Enumeration
nxc smb {IP} -u {Username} -p {Password} --users
nxc smb {IP} -u {Username} -p {Password} --active-users
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
- Authenticated Vuln Identification
To check PrintNightmare (CVE-2021-34527), PetitPotam and others with NetExec:
nxc smb <target(s)> -u Administrator -p 'P@ssw0rd' -M spooler -M printnightmare -M shadowcoerce -M petitpotam
To exploit PrintNightmare: https://github.com/m8sec/CVE-2021-34527