SMB
SMB Enumeration Cheat Sheet¶
Basic SMB Connection¶
| Options | Commands | Description |
|---|---|---|
smbclient -L //$target | List shares on the SMB server | |
-U user | smbclient -L //$target -U user | List shares on the SMB server with a specific user |
smbclient //$target/share | Connect to a specific share on the SMB server | |
-U user | smbclient //$target/share -U user | Connect to a specific share with a specific user |
-N | smbclient -L //$target -N | List shares without password prompt (useful for anonymous access) |
-k | smbclient -L //$target -k | Use Kerberos authentication |
Common Commands¶
| Options | Commands | Description |
|---|---|---|
ls | List files and directories in the current SMB share | |
get filename | Download a file from the SMB share | |
put filename | Upload a file to the SMB share | |
smbget -R smb://$target/share | Recursively download a share | |
-r | smbclient -L //$target -U user -r | Connect in read-only mode |
SMB Enumeration Tools¶
| Options | Commands | Description |
|---|---|---|
enum4linux $target | Perform enumeration of SMB information using enum4linux | |
-a | enum4linux -a $target | Perform a full enumeration using all options in enum4linux |
smbmap -H $target | Enumerate SMB shares and permissions using smbmap | |
-u user -p password | smbmap -H $target -u user -p password | Enumerate SMB shares with specific credentials using smbmap |
crackmapexec smb $target | Enumerate SMB shares and users using CrackMapExec | |
-u user -p password | crackmapexec smb $target -u user -p password | Enumerate SMB shares with specific credentials using CrackMapExec |
Brute Forcing SMB¶
| Options | Commands | Description |
|---|---|---|
-t 4 | hydra -t 4 -l user -P passwords.txt smb://$target | Brute force SMB login with Hydra using 4 threads |
-u -t 4 | medusa -h $target -U users.txt -P passwords.txt -M smb -t 4 | Brute force SMB login with Medusa using user and password lists |
crackmapexec smb $target -u users.txt -p passwords.txt | Brute force SMB login with CrackMapExec using user and password lists |
SMB Specific NSE Scripts¶
| Options | Commands | Description |
|---|---|---|
nmap --script smb-enum-shares -p445 $target | Enumerate SMB shares | |
nmap --script smb-enum-users -p445 $target | Enumerate SMB users | |
nmap --script smb-os-discovery -p445 $target | Discover the OS version running on the SMB server | |
nmap --script smb-vuln-ms17-010 -p445 $target | Check for the MS17-010 (EternalBlue) vulnerability | |
--script="smb-*" | nmap --script="smb-*" -p445 $target | Run all SMB related scripts |