SMB Enumeration

intermediate · 35 min · Writeup

Enumerating Windows file shares and SMB services

Learning Objectives

  • Understand SMB protocol
  • Enumerate shares and users
  • Find SMB vulnerabilities
  • Use tools like smbclient and enum4linux

SMB (Server Message Block) is like Windows' chatty neighbor who shares everything. File shares, printers, authentication - SMB handles it all. And because it's so tightly integrated into Windows networks, it's often misconfigured and leaking information like a broken faucet.

Originally created by IBM in the 1980s, SMB (also called CIFS - Common Internet File System) runs on ports 139 (NetBIOS) and 445 (direct SMB). Finding these ports open on a network is like finding an unlocked door.

SMB Versions Matter

SMB v1 is full of vulnerabilities (EternalBlue, anyone?). SMB v2/v3 are more secure but can still leak information. Always note which version is running.

SMB Protocol Basics

SMB provides several services:

  • File Sharing: Access to shared folders
  • Print Services: Network printer access
  • IPC$ (Inter-Process Communication): Named pipes for RPC
  • Authentication: NTLM and Kerberos auth
bash
# Quick SMB check with Nmap
nmap -p 139,445 --script smb-protocols 192.168.1.10

# Check SMB version
nmap -p 445 --script smb-protocols 192.168.1.10

Null Sessions

A null session is an anonymous connection to SMB. Think of it as walking into a building without showing ID - sometimes you can still look around. Many older Windows systems and misconfigured servers allow null sessions.

bash
# Test null session with smbclient
smbclient -L //192.168.1.10 -N

# Null session with rpcclient
rpcclient -U "" -N 192.168.1.10

# Test with CrackMapExec
crackmapexec smb 192.168.1.10 -u '' -p ''

Null Sessions Are Goldmines

If null sessions work, you can often enumerate users, groups, shares, and more - all without credentials. Always test for null sessions first.

Share Enumeration

bash
# List shares with smbclient
smbclient -L //192.168.1.10 -N
smbclient -L //192.168.1.10 -U username

# List shares with smbmap
smbmap -H 192.168.1.10
smbmap -H 192.168.1.10 -u null
smbmap -H 192.168.1.10 -u username -p password

# Check share permissions
smbmap -H 192.168.1.10 -u username -p password -r

# Recursive listing
smbmap -H 192.168.1.10 -u username -p password -R

# CrackMapExec shares
crackmapexec smb 192.168.1.10 -u username -p password --shares

Default Shares

  • C$, D$, etc.: Administrative shares (require admin)
  • ADMIN$: Remote admin (requires admin)
  • IPC$: Named pipes for RPC (often accessible)
  • NETLOGON: Login scripts (domain controllers)
  • SYSVOL: Group Policy (domain controllers)

Look for Custom Shares

While default shares are interesting, custom shares like "Backups", "IT_Share", or "Public" often contain sensitive data with weak permissions.

Accessing Shares

bash
# Connect to share with smbclient
smbclient //192.168.1.10/ShareName -N
smbclient //192.168.1.10/ShareName -U username

# Once connected, use FTP-like commands
smb: \> ls
smb: \> cd directory
smb: \> get filename
smb: \> put localfile
smb: \> mget *.txt

# Download entire share recursively
smbclient //192.168.1.10/ShareName -U username -c "recurse; prompt; mget *"

# Mount share locally
sudo mount -t cifs //192.168.1.10/ShareName /mnt/share -o user=username

# Anonymous mount
sudo mount -t cifs //192.168.1.10/ShareName /mnt/share -o guest

User & Group Enumeration

bash
# Enum4linux - comprehensive enumeration
enum4linux -a 192.168.1.10
enum4linux -U 192.168.1.10   # Users
enum4linux -G 192.168.1.10   # Groups
enum4linux -S 192.168.1.10   # Shares
enum4linux -P 192.168.1.10   # Password policy

# RPC client enumeration
rpcclient -U "" -N 192.168.1.10
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser 0x1f4
rpcclient $> getdompwinfo
rpcclient $> querydispinfo

# CrackMapExec user enumeration
crackmapexec smb 192.168.1.10 -u username -p password --users
crackmapexec smb 192.168.1.10 -u username -p password --groups

# Impacket lookupsid
lookupsid.py username:password@192.168.1.10

RID Cycling

Windows assigns Relative IDs (RIDs) to users. By querying sequential RIDs, you can enumerate all users even when direct enumeration is blocked.

bash
# RID cycling with enum4linux
enum4linux -r 192.168.1.10

# Manual RID cycling with rpcclient
rpcclient -U "" -N 192.168.1.10 -c "lookupsids S-1-5-21-domain-500"

# Impacket lookupsid (brute forces RIDs)
lookupsid.py anonymous@192.168.1.10 20000

Well-Known RIDs

500 = Administrator, 501 = Guest, 1000+ = User accounts. Start enumeration around RID 1000 for regular users.
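As an added illustration (not part of the original writeup), this Python snippet composes a SID from a domain SID and a RID, classifies RIDs by the well-known ranges above, and parses lookupsid-style output to spot a renamed built-in Administrator (RID 500 under a different name). The `RID: DOMAIN\name (SidType)` line shape is modelled on lookupsid.py output and the CORP accounts are constructed.

```python
import re

# Well-known RIDs named on the page (constructed lookup table, not exhaustive).
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}

# Assumed line shape, modelled on lookupsid.py output such as
# "500: CORP\Administrator (SidTypeUser)".
LINE_RE = re.compile(r"^(\d+):\s+([^\\]+)\\(.+?)\s+\((\w+)\)$")

# Constructed sample output; CORP and the account names are made up.
SAMPLE = r"""
500: CORP\sysadm (SidTypeUser)
501: CORP\Guest (SidTypeUser)
512: CORP\Domain Admins (SidTypeGroup)
1000: CORP\WIN-DC01$ (SidTypeUser)
1105: CORP\alice (SidTypeUser)
"""

def build_sid(domain_sid: str, rid: int) -> str:
    """Append a RID to a domain SID (S-1-5-21-x-y-z); this is the SID that a lookupsids query resolves."""
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", domain_sid):
        raise ValueError("expected a domain SID of the form S-1-5-21-x-y-z")
    return f"{domain_sid}-{rid}"

def classify_rid(rid: int) -> str:
    """Label a RID by range: 500/501 named built-ins, <1000 other built-ins, 1000+ created accounts."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "other built-in" if rid < 1000 else "domain-created account"

def parse_lookupsid(output: str) -> list:
    """Turn lookupsid-style lines into dicts with rid, domain, name, SID type and class."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rid = int(m.group(1))
        entries.append({"rid": rid, "domain": m.group(2), "name": m.group(3),
                        "type": m.group(4), "class": classify_rid(rid)})
    return entries

def renamed_admin(entries: list):
    """Return the account name holding RID 500 if the built-in Administrator was renamed, else None."""
    for e in entries:
        if e["rid"] == 500 and e["name"].lower() != "administrator":
            return e["name"]
    return None
```

A renamed Administrator is a common hardening step that RID cycling sees through, which is why the RID rather than the name is the reliable key.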

SMB Vulnerabilities

Checking for Vulnerabilities

bash
# Nmap vulnerability scripts (quoted so the shell does not expand the wildcard)
nmap -p 445 --script "smb-vuln-*" 192.168.1.10

# Specific vulnerabilities
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10   # EternalBlue
nmap -p 445 --script smb-vuln-ms08-067 192.168.1.10   # Conficker

# Check SMB signing
nmap -p 445 --script smb-security-mode 192.168.1.10

# CrackMapExec module
crackmapexec smb 192.168.1.10 -M zerologon

Notable SMB Vulnerabilities

  • MS17-010 (EternalBlue): Remote code execution, used by WannaCry
  • MS08-067: Remote code execution, exploited by Conficker
  • SMB Signing Disabled: Allows relay attacks
  • SMBv1: Multiple vulnerabilities, should be disabled
  • PrintNightmare: Printer spooler service RCE

EternalBlue Still Works

Despite being patched in 2017, MS17-010 still works on many systems. Always check for it - it provides instant SYSTEM access.

SMB Relay Attacks

If SMB signing is disabled, you can capture authentication attempts and relay them to other systems. It's like intercepting someone's badge swipe and using it at another door.

bash
# Check if signing required
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt

# Responder to capture hashes
sudo responder -I eth0 -rdwv

# ntlmrelayx for relay attacks
sudo ntlmrelayx.py -tf targets.txt -smb2support

# Relay to get shell
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

SMB Relay + IPv6

IPv6 is often enabled but unmonitored. MITM6 combined with ntlmrelayx is devastating against networks with SMB signing disabled.
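Added example, not from the original writeup: a Python parser for Nmap's normal output from `--script smb-security-mode` (the check shown earlier) that records each host's `message_signing` state, so that hosts still answering `supported` or `disabled` can be fixed before they become relay targets. The hostnames and addresses in the sample are constructed; the field layout follows the script's output.

```python
import re

# Constructed excerpt of Nmap normal output for --script smb-security-mode;
# hostnames and addresses are made up, the field layout follows the script's output.
SAMPLE_NMAP = """\
Nmap scan report for fs01.corp.example (10.0.0.10)
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for app02.corp.example (10.0.0.22)
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|_  message_signing: supported

Nmap scan report for dc01.corp.example (10.0.0.5)
Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|_  message_signing: required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
SIGN_RE = re.compile(r"^\|_?\s+message_signing:\s+(\w+)")

def parse_signing(report: str) -> dict:
    """Map each host (IP if Nmap printed one, else hostname) to its message_signing state."""
    state, current = {}, None
    for line in report.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(2) or host.group(1)
            continue
        sig = SIGN_RE.match(line)
        if sig and current:
            state[current] = sig.group(1).lower()  # required / supported / disabled
    return state

def needs_signing_enforced(state: dict) -> list:
    """Hosts that still accept unsigned SMB sessions; enforce signing on these first."""
    return sorted(h for h, s in state.items() if s != "required")
```

Only `required` defeats relay; `supported` means signing is negotiable and an attacker in the middle simply declines it.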

Tool Summary

Tool           Best For
enum4linux     Comprehensive enumeration in one command
smbclient      Listing and accessing shares
smbmap         Share permissions and recursive listing
rpcclient      RPC-based enumeration (users, groups)
crackmapexec   Mass enumeration and exploitation
Impacket       Advanced attacks (psexec, relay)

SMB Enumeration Methodology

SMB Enumeration Process

1. Port Check: Verify ports 139/445 are open with Nmap
2. Version Check: Identify SMB version and OS
3. Null Session: Test anonymous/null session access
4. Share Enum: List all available shares and permissions
5. User Enum: Enumerate users and groups via RPC
6. Vuln Scan: Check for MS17-010, signing, SMBv1
7. Access Data: Download interesting files from accessible shares

Knowledge Check

Quick Quiz
Question 1 of 3

What is a null session in SMB?

Challenges

SMB Enumeration Challenge

Challenge · 🌱 beginner

Given a Windows target, enumerate: all shares, users, groups, and password policy using at least 2 different tools.


Find the Sensitive Data

Challenge · 🔥 intermediate

A company share has sensitive files buried in subdirectories. Find any files containing 'password' or 'credential' in the filename or content.


Key Takeaways

  • SMB runs on ports 139 (NetBIOS) and 445 (direct SMB)
  • Null sessions allow anonymous enumeration - always test first
  • enum4linux provides comprehensive enumeration in one command
  • Custom shares often contain sensitive data with weak permissions
  • Check for MS17-010 (EternalBlue) - it's still common
  • SMB signing disabled enables relay attacks
  • RID cycling bypasses restrictions on user enumeration