Enumerating SMB Services

The SMB (Server Message Block) service

  • Listens on TCP 445 (SMB directly over TCP) and TCP 139 (SMB over NetBIOS session service); the NetBIOS name and datagram services use UDP 137 and 138.

  • SMB1 - Windows 2000, XP, and Windows 2003.

  • SMB2 - Windows Vista and Windows Server 2008

  • SMB2.1 - Windows 7 and Windows 2008 R2

  • SMB3 - Windows 8 and Windows 2012.

  • SMB3.02 - Windows 8.1 and Windows 2012 R2; SMB3.1.1 - Windows 10 and Windows 2016 and later.

  • The SMB1 dialect (no signing by default, no encryption, NTLMv1 fallback) is the one most enumeration tricks below rely on; later dialects tighten what an anonymous session is allowed to do.

Map share using the net use command (Windows cmd prompt; the password goes between the UNC path and /user:, and * in its place prompts for it instead of leaving it in the command history)

net use s: \\TARGET_IP\movies
net use s: \\TARGET_IP\movies Pa$$word /user:HTG
net use \\TARGET_IP\ipc$ "" /user:""  (Anonymous null session to the IPC$ pipe share)
net use s: \\TARGET_IP\share password /user:domain\janedoe /savecred /persistent:no
net use s: /delete  (Remove the mapping again)
Example: net use s: "\\Bob\Share" bobiscrazy /user:bob  (Quote the UNC path when it contains spaces)

SMB Null Session Enumeration

A null session is an anonymous SMB connection (empty username and empty password) to the IPC$ share. Older or misconfigured Windows and Samba hosts let such a session enumerate users, groups, shares and policy over MS-RPC without any credentials. Open one with rpcclient (-N suppresses the password prompt; without it, press Enter at the prompt). The same null session from smbclient lists the shares: smbclient -L //TARGET_IP -N

rpcclient -U "" -N TARGET_IP
  • Some useful commands for rpcclient:

    • srvinfo (Server name, OS version and server type)

    • netshareenumall (List all shares, including the hidden ones ending in $)

    • lsaquery (Domain name and domain SID)

    • enumprivs (Privileges known to the LSA)

    • enumdomusers (List of users on the server, with their RIDs)

    • queryuser RID (Details of one user: full name, description, logon times, password last set)

    • enumdomgroups (List of domain groups)

    • querydominfo (Domain name, server role, number of users and groups)

    • getdompwinfo (Password policy: minimum length and complexity flags)
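The null-session procedure above, as an added shell example that is not part of the original cheat sheet: it runs the rpcclient commands non-interactively in one invocation and parses the enumdomusers and netshareenumall output into the shapes the next step needs (decimal RIDs for queryuser, a share list with hidden shares flagged). TARGET_IP is the page's placeholder; the sample outputs embedded in the script are constructed to match the format rpcclient prints, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example (not part of the original cheat sheet). Drives rpcclient's
# null-session commands and parses two of the outputs. The SAMPLE_* strings
# below are constructed in rpcclient's print format, not real output.

# Run the null-session checks in one rpcclient invocation against a live host.
# -U "" with -N selects the anonymous user and suppresses the password prompt;
# -c takes a semicolon-separated list of commands. Needs network access.
null_session_enum() {
    rpcclient -U "" -N "$1" \
        -c 'srvinfo;lsaquery;querydominfo;getdompwinfo;enumdomusers;netshareenumall'
}

# Parse "enumdomusers" output (lines like "user:[jdoe] rid:[0x44f]") read from
# stdin into "name decimal_rid" pairs. rpcclient prints RIDs in hex, while
# queryuser wants a decimal RID, so the conversion is done here.
parse_enumdomusers() {
    while IFS= read -r line; do
        case $line in
            user:\[*\]\ rid:\[0x*\]) ;;
            *) continue ;;
        esac
        name=${line#user:\[}; name=${name%%\]*}
        rid=${line##*rid:\[};  rid=${rid%\]}
        # Refuse anything that is not clean hex rather than feeding it to $(( )).
        case ${rid#0x} in ''|*[!0-9a-fA-F]*) continue ;; esac
        printf '%s %d\n' "$name" "$(( $rid ))"
    done
}

# Parse "netshareenumall" output read from stdin into one share name per line,
# tagging administrative/hidden shares (trailing $), which GUI browsers skip
# but net use and smbclient can still open.
parse_netshareenumall() {
    while IFS= read -r line; do
        case $line in netname:*) ;; *) continue ;; esac
        name=${line#netname:}
        name=${name#"${name%%[![:space:]]*}"}   # strip leading whitespace
        name=${name%"${name##*[![:space:]]}"}   # strip trailing whitespace
        case $name in
            *\$) printf '%s hidden\n' "$name" ;;
            *)   printf '%s\n' "$name" ;;
        esac
    done
}

# Turn parsed "name rid" lines (stdin) into a queryuser command list that can be
# handed to "rpcclient -U '' -N TARGET_IP -c" as the follow-up step.
queryuser_cmds() {
    cmds=''
    while IFS= read -r line; do
        rid=${line##* }                    # last field; user names may contain spaces
        cmds="${cmds:+$cmds;}queryuser $rid"
    done
    printf '%s\n' "$cmds"
}

# Constructed samples in rpcclient's output format (not from a real host).
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[jdoe] rid:[0x44f]'

SAMPLE_NETSHAREENUMALL='netname: ADMIN$
	remark:	Remote Admin
	path:	C:\Windows
netname: IPC$
	remark:	Remote IPC
netname: Public
	remark:	Team files
	path:	C:\Shares\Public'

# Stand-alone run: enumerate the target given as $1, else parse the samples.
if [ $# -gt 0 ]; then
    null_session_enum "$1"
else
    printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers
    printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers | queryuser_cmds
    printf '%s\n' "$SAMPLE_NETSHAREENUMALL" | parse_netshareenumall
fi
```

Pipe a live run into the parsers the same way: `null_session_enum TARGET_IP | parse_enumdomusers | queryuser_cmds` yields the command string for the second rpcclient call. The hex validation matters because the output of a remote, untrusted host is being fed to shell arithmetic.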

Using nbtscan

  • nbtscan sends NetBIOS name-service queries (UDP 137) to a host or a range and reports the NetBIOS name, workgroup/domain, logged-on user and MAC address of Windows and Samba hosts. It discovers hosts and names; it does not recover credentials. Scan a single host or a whole subnet:
nbtscan TARGET_IP
nbtscan -r TARGET_IP/24
  • Two unrelated tools share the name nbtscan: the Debian/Kali package (Alla Bezroutchko's) and Steve Friedl's unixwiz.net version. -r (send the queries from local UDP port 137, which some old Windows hosts require; needs root) belongs to the former, while the -f, -H, -P, -n, -p and -m options below belong to the latter. Run nbtscan with no arguments to see which flags your build accepts.
  • Display the nbtscan version:
nbtscan -V
  • Show the full NBT resource record responses for each machine scanned (the whole name table with service suffixes, not a one-line summary); most useful when scanning a single host:
nbtscan -f target(s)
  • Send output to a file:
nbtscan -O file-name.txt target(s)
  • Emit an HTTP header before the results, for running nbtscan as a CGI program:
nbtscan -H
  • Generate Perl hashref output, which can be loaded into a Perl program for further processing instead of parsing the text output:
nbtscan -P
  • Enable verbose (debugging) output:
nbtscan -v
  • Turn off the inverse (reverse DNS) lookup of responding addresses; use this when name resolution hangs or slows the scan:
nbtscan -n
  • Use the given UDP port as the source port of the queries (the same reason -r exists: some hosts only answer queries sent from port 137):
nbtscan -p PORT target(s)
  • Include the MAC (Ethernet) addresses in the output (already implied by -f):
nbtscan -m
  • netdiscover finds live hosts on the local segment by ARP rather than NetBIOS, reporting IP, MAC address and MAC vendor; handy for confirming you are on the right VLAN at a client site (needs root and a range):
netdiscover -r TARGET_IP/24
  • Another SMB enumerator; -a runs all simple enumeration (OS, users, shares, groups, password policy) and works best against hosts that allow null sessions:
enum4linux -a TARGET_IP