eJPT Junior Penetration Tester
ShopAuthorPatreonHTB Pro Labs
eJPT Junior Penetration Tester
eJPT Junior Penetration Tester
  • 🍕eJPT Study Notes
  • Author
  • eCPPTv2 Study Notes
  • INE eJPT Exam
    • Description
    • eJPT Certification
  • RFS Tips
    • Before the Exam
    • Prepare your Setup
    • Questions?
    • Start Hacking
  • Methodology
    • 1️⃣To Scan a Network
    • 2️⃣To Attack a Linux Machine
    • 3️⃣To Attack a Windows Machine
    • 4️⃣Pivoting Methodology
    • 5️⃣Linux Post Exploitation
    • 6️⃣Windows Post Exploitation
  • Community
    • LinkedIn
    • Discord
  • Networking
    • 🟢OSI Layers
    • 🟢Protocols
    • 🟢Subnetting
    • 🟢Routing
    • Pivoting
  • Network Protocols
    • 🟢FTP 21
    • 🟢SSH 22
    • ✅HTTP 80
    • 🟢NetBIOS 139
    • 🟠SMB 445
    • MySQL 3306
    • 🟢RDP 3389
  • Web Attacks
    • XSS
    • SQLi
    • Path Traversal
    • Command Injection
    • LFI - Local File Inclusion
    • LFI cheatsheet - HTB
  • Web CMS Attacks
    • Wordpress
    • Joomla
    • TomCat
  • Exploits
    • Search Exploits
    • Linux
    • Windows
  • Tools
    • dirb
    • 🟢Gobuster
    • Nmap
    • Netcat
    • Burpsuite
    • 🟢SQLMap
    • 🟢Metasploit
    • Hydra
    • 🟢John the Ripper
    • Hashcat
  • Web Tools
    • 😍RevShells
    • MD5 Crack
    • CyberChef
    • SecLists
  • TryHackMe Rooms
    • DogCat
    • Archangel
    • OWASP Juice Shop
  • Hack The Box Rooms
    • Page 2
  • Create Your Own Lab
    • Page 3
  • Other Resources
    • Page 1
  • TCM Security Courses
    • Page 4
Powered by GitBook
On this page
  • Read the Full Hacking SMB Guide
  • Nmap NSE scripts
  • Metasploit SMB Enumeration Scripts
  • Enumerate SMB Version
  • Enumerate SMB Shares
  • Enumerate SMB Users
  • Youtube Nmap - SMB Enumeration

Was this helpful?

  1. Network Protocols

SMB 445

PreviousNetBIOS 139NextMySQL 3306

Last updated 2 years ago

Was this helpful?

Read the Full Hacking SMB Guide

Nmap NSE scripts

┌──(rfs㉿PopLabSec)-[~]
└─$ ls -la /usr/share/nmap/scripts | grep -e "smb"

smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-brute.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-protocols.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
smb-webexec-exploit.nse

Metasploit SMB Enumeration Scripts

// Some code

Enumerate SMB Version

┌──(rfs㉿PopLabSec)-[~/TryHackMe/THM_NerdHerd]
└─$ nmap -p 445 --script smb-protocols nerdherd.thm
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 16:18 EDT
Nmap scan report for nerdherd.thm (10.10.180.123)
Host is up (0.16s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

Enumerate SMB Shares

nmap -p 445 --script smb-enum-shares nerdherd.thm

Host is up (0.087s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.180.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (nerdherd server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.180.123\nerdherd_classified: 
|     Type: STYPE_DISKTREE
|     Comment: Samba on Ubuntu
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\chuck\nerdherd_classified
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.180.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

Enumerate SMB Users

nmap -p 445 --script smb-enum-users nerdherd.thm


PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users: 
|   NERDHERD\chuck (RID: 1000)
|     Full name:   ChuckBartowski
|     Description: 
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 5.62 seconds
┌──(rfs㉿PopLabSec)-[~/TryHackMe/THM_NerdHerd]
└─$ smbclient -L //nerdherd.thm/ -U anonymous                                                                   1 ⨯
Enter WORKGROUP\anonymous's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        nerdherd_classified Disk      Samba on Ubuntu
        IPC$            IPC       IPC Service (nerdherd server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            NERDHERD
msf6> use auxiliary/scanner/smb/smb_enumshares
msf6 > set SpiderShares true
SpiderShares => true
msf6 auxiliary(scanner/smb/smb_enumshares) > run

[*] 10.10.180.123:139     - Starting module
[*] 10.10.180.123:445     - Starting module
[!] 10.10.180.123:445     - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 10.10.180.123:445     - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 10.10.180.123:445     - print$ - (DISK) Printer Drivers
[+] 10.10.180.123:445     - nerdherd_classified - (DISK) Samba on Ubuntu
[+] 10.10.180.123:445     - IPC$ - (IPC|SPECIAL) IPC Service (nerdherd server (Samba, Ubuntu))
[*] 10.10.180.123:445     - Skipping IPC$
[*] nerdherd.thm:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Youtube Nmap - SMB Enumeration

🟠
Welcome to SMB Penetration Testing GuideSMB Penetration Testing
Logo