🛡️ Methodology Checklist
- Detect SMB version and dialect: `nmap -p 445 --script smb-protocols [TARGET]`
- Null session enumeration: `smbclient -N -L //[TARGET]`
- Share listing with credentials: `smbclient -L //[TARGET] -U [USER]`
- Enumerate users/shares/policies: `enum4linux-ng [TARGET]`
- Check for writable shares and sensitive file access
- Test for common vulns: `nmap --script smb-vuln-* -p 445 [TARGET]`
- MS17-010 check: `nmap --script smb-vuln-ms17-010 -p 445 [TARGET]`
- NXC spray: `nxc smb [TARGET] -u users.txt -p passwords.txt --no-bruteforce`
🎯 Operational Context
Think Dumber First: run the NULL session check first. `smbclient -N -L //[TARGET]` costs nothing and reveals share names on many older or misconfigured Windows systems. Then check EternalBlue (MS17-010) on any pre-2019 Windows. Modern Windows: focus on credential reuse with NXC before any exploit attempts.
When you land here: Port 445 open. Run `nmap --script smb-vuln-ms17-010,smb-enum-shares,smb-enum-users -p 445 [TARGET]`. Then `smbclient -N -L //[TARGET]`. If credentials are available, run `nxc smb [TARGET] -u [USER] -p [PASS] --shares`.
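The triage above produces nmap script output that has to be read by hand. The following is an added example (not part of the original cheatsheet) that parses nmap's XML output (`-oX`) for the `smb-protocols` and `smb-vuln-ms17-010` scripts and turns it into a per-host risk line; it assumes the `<script id=...>` / `<table>` / `<elem>` layout those scripts emit, and the sample XML embedded below is constructed, not a real scan.

```python
"""Summarise SMB scan results from nmap XML output (nmap ... -oX scan.xml).

Added example; it is not part of the original cheatsheet. It assumes the XML
layout that nmap's smb-protocols and smb-vuln-ms17-010 scripts emit
(<script id=...> with nested <table>/<elem> elements). The sample document
below is constructed, not real scan output.
"""
import xml.etree.ElementTree as ET

# Constructed sample: host .5 still offers SMBv1 and fails the MS17-010 check;
# host .6 offers only SMB2/3 and the vuln script produced no result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <script id="smb-protocols" output="dialects">
          <table key="dialects">
            <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
            <elem>2.02</elem>
            <elem>2.10</elem>
          </table>
        </script>
        <script id="smb-vuln-ms17-010" output="VULNERABLE">
          <table key="MS17-010">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <script id="smb-protocols" output="dialects">
          <table key="dialects">
            <elem>2.02</elem>
            <elem>3.11</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_smb_findings(xml_text):
    """Return {addr: {"dialects": [...], "smbv1": bool, "ms17_010": str | None}}."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        info = {"dialects": [], "smbv1": False, "ms17_010": None}
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("portid") != "445" or state is None or state.get("state") != "open":
                continue
            for script in port.findall("script"):
                if script.get("id") == "smb-protocols":
                    table = script.find("table[@key='dialects']")
                    if table is not None:
                        info["dialects"] = [e.text for e in table.findall("elem") if e.text]
                    # nmap labels the SMBv1 dialect string explicitly
                    info["smbv1"] = any("SMBv1" in d for d in info["dialects"])
                elif script.get("id") == "smb-vuln-ms17-010":
                    state_el = script.find(".//elem[@key='state']")
                    if state_el is not None and state_el.text:
                        info["ms17_010"] = state_el.text.strip()
        findings[addr] = info
    return findings


def risk_summary(findings):
    """One line per issue, worst first; severities mirror the Reporting Trigger section."""
    lines = []
    for addr, info in sorted(findings.items()):
        state = info["ms17_010"] or ""
        vulnerable = state.startswith(("VULNERABLE", "LIKELY"))
        if vulnerable:
            lines.append(f"{addr}: CRITICAL - MS17-010 unpatched (state={state})")
        if info["smbv1"]:
            lines.append(f"{addr}: HIGH - SMBv1 dialect still offered; disable SMB1")
        if not info["smbv1"] and not vulnerable:
            lines.append(f"{addr}: OK - SMB2/3 only ({', '.join(info['dialects'])}); MS17-010 not reported")
    return lines


if __name__ == "__main__":
    for line in risk_summary(parse_smb_findings(SAMPLE_NMAP_XML)):
        print(line)
```

Run it against a real `-oX` file by reading the file into `parse_smb_findings`; hosts that only offer SMB2/3 and have no MS17-010 result come out as "OK", which is the baseline the Reporting Trigger recommendations aim for.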
⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -sV -sC -p139,445` | Nmap scan with version detection and default scripts |
| `smbclient -N -L //[TARGET_IP]` | List shares via null session (no password) |
| `smbclient //[TARGET_IP]/[SHARE]` | Connect to a specific SMB share |
| `rpcclient -U "" [TARGET_IP]` | Connect via RPC null session |
| `smbmap -H [TARGET_IP]` | Map shares and check Read/Write permissions |
| `nxc smb [TARGET_IP] --shares -u '' -p ''` | Enumerate shares with null credentials |
| `./enum4linux-ng.py [TARGET_IP] -A` | Comprehensive automated RPC + SMB enumeration |

Inside smbclient shell:

| Command | Tactical Outcome |
|---|---|
| `ls` | List files in current share |
| `get [FILE]` | Download a file |
| `put [FILE]` | Upload a file |
| `!cat [FILE]` | Execute local command |

Inside rpcclient:

| Command | Tactical Outcome |
|---|---|
| `srvinfo` | Server OS and version |
| `enumdomains` | List all deployed domains |
| `querydominfo` | Domain, server, and user information |
| `netshareenumall` | Enumerate all available shares |
| `netsharegetinfo [SHARE]` | Info about a specific share |
| `enumdomusers` | List all domain users |
| `queryuser [RID]` | Details for a specific user RID |

🔬 Deep Dive & Workflow
Initial Enumeration
- Nmap: `sudo nmap [TARGET_IP] -sV -sC -p139,445`
- List shares via null session: `smbclient -N -L //[TARGET_IP]`
- Map share permissions: `smbmap -H [TARGET_IP]`
- RPC null session: `rpcclient -U "" [TARGET_IP]`
  - Run `srvinfo`: server OS version
  - Run `enumdomusers`: list domain users
  - Run `netshareenumall`: list all shares
- Run `enum4linux-ng.py [TARGET_IP] -A` for full automated report
- Check `nxc smb [TARGET_IP] --shares -u '' -p ''`
Attacks
- Access readable shares and download all files
- Check for writable shares → upload malicious file or web shell
- Enumerate users via RPC → build username list for password attacks
- Use `queryuser [RID]` to get login times, group memberships
- Credential brute-force if null sessions blocked (CrackMapExec/NetExec)
- Check Samba config for dangerous settings if local access available
Core Concept
SMB (Server Message Block) is a client-server protocol for sharing files, printers, and other resources.
- Ports: 137, 138, 139 (NetBIOS legacy) | 445 (Direct TCP, modern)
- Samba: Linux/Unix re-implementation — enables cross-platform SMB communication.
Dangerous Samba Settings (`/etc/samba/smb.conf`)

| Setting | Risk |
|---|---|
| `browseable = yes` | Share visible in listings: enables enumeration |
| `guest ok = yes` | Allows passwordless connection |
| `read only = no` / `writable = yes` | Allows file creation/modification |
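The three settings in the table are easy to grep for one share at a time but easy to miss across a long `smb.conf`. The following is an added example, not code from the original cheatsheet or from the Samba project: a minimal INI-style parser for `smb.conf` with the three checks applied to every share section, run against a constructed weak configuration and the same share tightened. It also treats Samba's documented synonyms (`public` for `guest ok`, `writable`/`writeable` for `read only = no`) the same way Samba does.

```python
"""Audit a Samba smb.conf for the share settings listed in the table above.

Added example, not code from the original cheatsheet or from the Samba
project. It is a minimal INI-style parser for smb.conf plus three checks
(guest ok / browseable / writable); both configs below are constructed.
"""
import re

BOOL_TRUE = {"yes", "true", "1"}

# Constructed: [public] is guest-accessible, listed and writable; [finance] is not.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[public]
   path = /srv/samba/public
   browseable = yes
   guest ok = yes
   read only = no

[finance]
   path = /srv/samba/finance
   browseable = no
   guest ok = no
   writable = no
   valid users = @finance
"""

# Constructed: the same [public] share tightened. It stays listed (browseable)
# but requires a valid user and is read only.
HARDENED_CONF = """
[public]
   path = /srv/samba/public
   browseable = yes
   guest ok = no
   read only = yes
   valid users = @staff
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, '#'/';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def truthy(opts, key, default):
    """Samba boolean: yes/true/1 count as true; `default` applies when the key is absent."""
    return opts.get(key, default).lower() in BOOL_TRUE


def is_writable(opts):
    """'read only = no' and 'writable/writeable = yes' are synonyms; Samba defaults to read only."""
    if "read only" in opts:
        return not truthy(opts, "read only", "yes")
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return truthy(opts, key, "no")
    return False


def audit(text):
    """Return [(share, issue), ...] for every non-[global] section, in the table's order."""
    issues = []
    for share, opts in parse_smb_conf(text).items():
        if share == "global":
            continue
        # 'public' is a Samba synonym for 'guest ok'; browseable defaults to yes
        guest = truthy(opts, "guest ok", "no") or truthy(opts, "public", "no")
        browseable = truthy(opts, "browseable", opts.get("browsable", "yes"))
        if guest:
            issues.append((share, "guest ok = yes: passwordless connection"))
        if browseable:
            issues.append((share, "browseable = yes: share visible in listings"))
        if is_writable(opts):
            level = "guest-writable" if guest else "writable"
            issues.append((share, f"{level}: files can be created or modified"))
    return issues


if __name__ == "__main__":
    for conf_name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(conf_name, audit(conf) or "no findings")
```

On the weak configuration the `[public]` share produces all three findings, with the writable one escalated to "guest-writable" because no credentials are needed; the hardened version keeps only the "browseable" note, which is a discoverability trade-off rather than an access problem once guest access is off and the share is read only.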
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| smbclient -N returns ‘NT_STATUS_ACCESS_DENIED’ | NULL sessions disabled (post-2003 default) | Try guest: smbclient -U guest% -L //[TARGET]; with credentials: smbclient -U [USER]%[PASS] -L //[TARGET] |
| NXC shows ‘SMB STATUS_NOT_SUPPORTED’ | Tool defaulting to SMBv1 which is disabled | Use nxc (newer) instead of crackmapexec; add --smb-port 445; target must have SMBv2/3 |
| EternalBlue scanner shows vulnerable but exploit fails | Wrong architecture or memory state | Confirm x64 vs x86 with systeminfo; try Python EternalBlue PoC; use MSF ms17_010_psexec instead of eternalblue |
| Share access works in smbclient but nmap smb-enum-shares returns nothing | SMB signing causing script failure | Use nxc smb [TARGET] -u [USER] -p [PASS] --shares as authoritative share lister |
| Credentials valid but cannot write to writable share | NTFS permissions vs share permissions | Map with smbmap -H [TARGET] -u [USER] -p [PASS] to see NTFS access level; read access ≠ write access |
📝 Reporting Trigger
Finding Title: SMB NULL Session Enabled / Unauthenticated Share Access / EternalBlue (MS17-010)
Impact: User account enumeration, share listing, and potential RCE (EternalBlue) without credentials. Authenticated shares may expose sensitive internal data.
Root Cause: RestrictAnonymous registry value set to 0. SMBv1 enabled. Missing MS17-010 security patch (KB4012212).
Recommendation: Set RestrictAnonymous=2. Disable SMBv1 (Set-SmbServerConfiguration -EnableSMB1Protocol $false). Apply MS17-010 patch. Enforce SMB signing. Restrict share permissions to minimum required accounts.