Nmap SMB Enumeration Commands
SMB Security Mode:
nmap --script=smb2-security-mode.nse -p 445 192.168.10.0/24
Basic SMB Scan:
sudo nmap -v -p 139,445 -oG smb.txt 10.11.1.8
NetBIOS Stats and SMB OS Discovery:
sudo nmap --script nbstat.nse 10.11.1.5
sudo nmap --script smb-os-discovery 10.11.1.5
Enumerating SMB Shares:
nmap --script smb-enum-shares -p139,445 10.11.1.5
Scanning for SMB Vulnerabilities:
sudo nmap --script smb-vuln* 10.11.1.5
sudo nmap -v -p 139,445 --script=smb-vuln* --script-args=unsafe=1 10.11.1.5
Scan for SMB Shares with Credentials (if known):
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p 445 10.11.1.0/24
One-liner to Check Multiple SMB Vulnerabilities:
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10
Full SMB Scan with OS Detection:
sudo nmap -A -p 135 --open 10.11.1.0/24 -oG nmap135
Enumerating SMB Shares:
use auxiliary/scanner/smb/smb_enumshares
Lookup SID Information:
use auxiliary/scanner/smb/smb_lookupsid
Banner Grabbing
Using Netcat (nc) to Banner Grab on Port 135:
CrackMapExec (CME) for SMB
Basic Command:
crackmapexec smb 10.11.1.128
Using Credentials:
crackmapexec smb 10.11.1.128 -u 'username' -p 'password'
Brute-Force SMB Login Using a Wordlist:
crackmapexec smb 10.11.1.128 -u "DJ" -p /usr/share/dirb/wordlists/mutations_common.txt
crackmapexec smb 10.11.1.136 -u root -p /usr/share/wordlists/rockyou.txt
Null Session (No Username/Password):
crackmapexec smb 10.11.1.146 -u 'guest' -p '' # Null session
Listing Shares without Credentials:
crackmapexec smb 10.11.1.146 -u '' -p '' --shares
RPCClient (Null Session)
Connecting with Null Session:
rpcclient -U "" -N 10.11.1.5
Ridenum - SMB Brute-Force (Dictionary-based)
Bruteforce SMB Users with Dictionary:
ridenum.py 10.10.10.10 500 50000 dict.txt
Null Session
Windows Command (Net Use):
net use \\10.10.10.10\ "" /u:""
inux Command (Smbclient):
smbclient -L //10.10.10.10
Smbmap
Basic SMB Mapping Command:
smbmap -H 10.11.1.5 -P 135
Login and Access Shares:
smbmap -u "root" -p "123456" -R Bob -H 10.11.1.136 -P 445
Listing Shares:
smbclient -L 10.11.1.5
Accessing a Share (guest access):
smbclient //10.11.1.5/guest
Upload a File to Share:
smbmap -H //10.10.10.10/ --upload test.txt /SHARENAME/test.txt
Bruteforce SMB Login
Using Medusa for SMB Bruteforce:
medusa -h 10.11.1.111 -u redcliff -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
Using Nmap for SMB Bruteforce:
nmap -p445 --script smb-brute --script-args userdb=user.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv
Smbget for Downloading SMB Shares
Recursive Download from SMB Share:
smbget -rR smb://192.168.101.83/sambashare -U guest
EternalBlue Exploit (MS17-010)
Run EternalBlue Checker: Clone the repository from GitHub and run eternal_checker.py against the target:
https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternal_checker.py
Mounting SMB Shares
Creating a Temporary Share Folder on Linux:
sudo mkdir /tmp/share
Mount the SMB Share:
sudo mount -t cifs //10.11.1.146/SusieShare /tmp/share
Last updated