
SMB Enumeration

#Overview

Server Message Block (SMB) is the primary file and printer sharing protocol in Windows environments. It functions on ports 139 (NetBIOS session) and 445 (direct SMB over TCP). SMB enumeration aims to discover available shares, test for anonymous (null session) access, enumerate share contents, download sensitive files, and identify the SMB version in use. Misconfigured SMB shares are one of the most common vectors for initial access and information disclosure.

#Prerequisites

  • Tools: smbclient, smbmap, netexec (nxc), enum4linux-ng, Impacket (smbclient.py, lookupsid.py)
  • Access Level: Network access to target (ports 139/445), anonymous or authenticated
  • Recommended: Linux attack host with SMB client tools

#Detection & Enumeration

#Null Session / Anonymous Access Check

A "null session" connects to SMB without credentials. Determine whether anonymous listing is permitted:

```bash
# List shares anonymously (press Enter at password prompt or use -N)
smbclient -L //10.10.10.182 -N
smbclient -L //10.10.11.222/ -N
smbclient -L \\\\10.129.178.26\\ -N

# Check if SMB1 is available (legacy, but still useful info)
smbclient --no-pass -L //10.10.11.222
# Output: "SMB1 disabled -- no workgroup available" indicates SMBv2+

# netexec (formerly crackmapexec) authentication status
netexec smb 10.10.10.161 --no-pass
netexec smb 10.10.10.161 -u '' -p '' --shares
```

Flag Explanations:

  • -L : List available shares
  • -N : No password (anonymous/null session)
  • --no-pass : netexec flag for null session

#Share Enumeration and File Listing

```bash
# Connect to a specific share anonymously
smbclient //10.10.11.222/Development -N
# Inside smbclient shell:
#   ls        : list files/directories
#   cd        : change directory
#   get FILE  : download a file
#   mget *    : download all files
#   help      : show commands

# smbmap -- comprehensive share mapping with permissions
smbmap -H 10.10.10.182 -u anonymous -p ''
smbmap -H 10.10.10.182 -u r.thompson -p 'rY4n5eva'

# smbmap with recursive listing
smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva -R

# smbmap with file download
smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva --download 'IT/Email Archives/Meeting_Notes_June_2018.html'

# netexec share enumeration
netexec smb 10.10.10.161 -u '' -p '' --shares
netexec smb 10.10.10.161 -u user -p pass --shares
netexec smb 10.10.10.161 -u user -p pass --users
netexec smb 10.10.10.161 -u user -p pass --groups
netexec smb 10.10.10.161 -u user -p pass --pass-pol

# Write the hosts where SMB signing is not required to smb_sign_off.txt
# (signing status is what decides whether a relay attack can succeed)
netexec smb 10.10.10.161 --gen-relay-list smb_sign_off.txt
```

#enum4linux-ng (Comprehensive SMB Enumeration)

```bash
# All enumeration (can be slow)
enum4linux-ng 10.10.10.161

# Specific checks
enum4linux-ng 10.10.10.161 -A  # All (equivalent to -U -S -G -P -O -N -I)
enum4linux-ng 10.10.10.161 -U  # User list
enum4linux-ng 10.10.10.161 -S  # Share list
enum4linux-ng 10.10.10.161 -G  # Group list
enum4linux-ng 10.10.10.161 -P  # Password policy
enum4linux-ng 10.10.10.161 -O  # OS information
```

#Recursive File Download from a Share

```bash
# Using smbclient with recurse mode (download entire share)
# The local target directory must exist before lcd, or the download goes to cwd
mkdir -p ./smb_downloads
smbclient //10.10.11.222/Development -N -c 'prompt OFF; recurse ON; lcd ./smb_downloads/; mget *'

# smbclient with credentials for specific share
smbclient //10.10.10.182/Data -U r.thompson
# Inside shell: cd "Email Archives"; get Meeting_Notes_June_2018.html

# smbmap download from specific path
smbmap -H 10.10.10.182 -u r.thompson -p 'rY4n5eva' --download 'IT/Logs/ArkAdRecycleBin.log'
```

#SMB Version Detection

```bash
# nmap SMB scripts
nmap --script smb-protocols -p 445 10.10.10.161
nmap --script smb-os-discovery -p 445 10.10.10.161
nmap --script smb2-security-mode -p 445 10.10.10.161

# netexec reveals SMB signing and version
netexec smb 10.10.10.161
# Output includes: (signing:True) (SMBv1:False)
```

#Checking Write Access

```bash
# smbmap shows permissions per share including READ/WRITE
smbmap -H 10.10.10.182 -u user -p pass

# netexec: --shares prints the READ/WRITE column per share;
# the spider_plus module then crawls the readable ones and records every file path
netexec smb 10.10.10.161 -u user -p pass --shares
netexec smb 10.10.10.161 -u user -p pass -M spider_plus

# Manual write check via smbclient (needs a local test.txt; delete the upload afterwards)
smbclient //10.10.10.161/share -U user%pass -c 'put test.txt'
```

#RID Cycling / SID Enumeration via SMB

When null sessions permit IPC$ access, user accounts can be enumerated by brute-forcing Relative Identifiers (RIDs):

```bash
# Impacket lookupsid (RID cycling via SMB named pipe)
impacket-lookupsid anonymous@manager.htb -no-pass

# Filter for user accounts only
impacket-lookupsid anonymous@manager.htb -no-pass | grep SidTypeUser

# With known credentials
impacket-lookupsid domain/user:pass@target.htb

# netexec RID brute-force
netexec smb 10.10.10.161 -u user -p pass --rid-brute
```

How RID cycling works: Windows assigns sequential Relative Identifiers (the last portion of a SID) to users and groups. Administrator is typically RID 500, Guest is 501, and regular domain users start around 1000+. By querying each RID in sequence, valid accounts are disclosed.

#SMB Enumeration from Windows Host

```cmd
net view \\target
net view \\target /all
net use \\target\IPC$ "" /u:""
dir \\target\sharename
```

#NetExec Additional Modules

```bash
# NetExec (nxc) additional SMB modules
nxc smb <target> -u user -p pass --disks             # List disk drives
nxc smb <target> -u user -p pass --sessions          # Active sessions
nxc smb <target> -u user -p pass --loggedon-users    # Logged-on users
nxc smb <target> -u user -p pass --pass-pol          # Domain password policy
nxc smb <target> -u user -p pass --local-auth        # Use local auth (not domain)
```

#Tool Note: CrackMapExec vs NetExec

#SMB Signing Check

```bash
# Check SMB signing enforcement (required for relay attack assessment)
# The plain banner "nxc smb <target>" already prints (signing:True/False)
nxc smb <target> --signing
# If signing is NOT required, the target is vulnerable to NTLM relay attacks
# If signing IS required, relay attacks against this target will fail
```

#Common Pitfalls

  • Trying smbclient -L without a valid workgroup/domain can fail silently. If listing fails, try specifying the workgroup with -W WORKGROUP.
  • SMBv1 is often disabled (CVE-2017-0144/EternalBlue aftermath). Older tools that use SMBv1 may fail. Use modern tools that negotiate SMBv2+.
  • Null sessions returning NT_STATUS_ACCESS_DENIED for share listing but still permitting IPC$ access -- try RID cycling even when shares can't be listed.
  • File path handling with backslashes in different shells. Always quadruple-escape: \\\\target\\ShareName in bash.
  • Forgetting recurse ON; prompt OFF when using mget in smbclient, causing interactive prompts for every file.
  • Downloading large files from shares without checking disk space. Some HTB machines expose multi-GB files on open shares.

#OPSEC Considerations

  • SMB connection attempts are logged in Windows Security Event Log (Event ID 4625 for failed logons, 4624 for successful). Multiple anonymous connection attempts from one source IP are easily correlated.
  • Share enumeration (smbclient -L) generates Event ID 5140 (network share object accessed) if audit policies are configured.
  • RID cycling generates a distinct pattern of sequential SID lookups that is easily detectable by EDR solutions.
  • Recursive file downloads (mget *) generate heavy SMB traffic and may trigger data exfiltration alerts.
  • SMBv1 is considered insecure and its use alone may trigger security alerts. Most modern Windows systems have SMBv1 disabled by default.
  • Smoke test with a single share access before attempting full recursive downloads. Unusual SMB activity patterns are flagged.
  • Timing your enumeration to coincide with normal business hours SMB activity can help blend in.
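The event IDs above can be tied together into a correlation rule. The following is an added example, not part of this module: it runs over a constructed batch of Security events (field values simplified from the real 4624/4625/5140 records, and the IPs and account names are made up) and flags a source that performs the null-session listing, share crawl and failed-logon burst described in this module.

```python
from collections import defaultdict

# Constructed sample Security events, not real telemetry. Fields: time, event id
# (4624 logon, 4625 failed logon, 5140 share accessed), source IP, account, share.
SAMPLE_EVENTS = [
    ("09:00:00", 4624, "10.10.14.5", "ANONYMOUS LOGON", ""),
    ("09:00:01", 5140, "10.10.14.5", "ANONYMOUS LOGON", r"\\*\IPC$"),
    ("09:00:02", 5140, "10.10.14.5", "ANONYMOUS LOGON", r"\\*\Development"),
    ("09:00:03", 5140, "10.10.14.5", "ANONYMOUS LOGON", r"\\*\Data"),
    ("09:05:00", 4624, "10.10.20.7", "r.thompson", ""),
    ("09:05:01", 5140, "10.10.20.7", "r.thompson", r"\\*\Data"),
    ("09:10:00", 4625, "10.10.14.5", "administrator", ""),
    ("09:10:01", 4625, "10.10.14.5", "svc_backup", ""),
    ("09:10:02", 4625, "10.10.14.5", "r.thompson", ""),
]

def detect_smb_recon(events, window=60, share_threshold=2, fail_threshold=3):
    """Return {source_ip: [finding, ...]} for sources matching a recon pattern."""
    by_ip = defaultdict(list)
    for ts, eid, ip, user, share in events:
        secs = sum(int(x) * k for x, k in zip(ts.split(":"), (3600, 60, 1)))
        by_ip[ip].append((secs, eid, user, share))
    findings = {}
    for ip, evs in by_ip.items():
        hits = []
        anon = [(t, eid, share) for t, eid, user, share in evs if user == "ANONYMOUS LOGON"]
        # Null session: anonymous 4624 followed within `window` by 5140 on IPC$
        logons = [t for t, eid, _ in anon if eid == 4624]
        ipc = [t for t, eid, share in anon if eid == 5140 and share.endswith("IPC$")]
        if any(0 <= i - a <= window for a in logons for i in ipc):
            hits.append("null session (anonymous logon + IPC$ access)")
        # Share listing or crawl: anonymous 5140 on more than `share_threshold` shares
        shares = {share for _, eid, share in anon if eid == 5140}
        if len(shares) > share_threshold:
            hits.append(f"anonymous access to {len(shares)} shares")
        # Burst of 4625s: `fail_threshold` failures inside one window (spray/brute force)
        fails = sorted((t, user) for t, eid, user, _ in evs if eid == 4625)
        times = [t for t, _ in fails]
        if any(b - a <= window for a, b in zip(times, times[fail_threshold - 1:])):
            users = len({u for _, u in fails})
            hits.append(f"{len(fails)} failed logons across {users} accounts")
        if hits:
            findings[ip] = hits
    return findings

if __name__ == "__main__":
    for src, notes in detect_smb_recon(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(notes))
```

The authenticated r.thompson session from the second host touches one share and is not reported, which is the baseline the thresholds are meant to preserve.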

#Post-Exploitation Value

  • SMB shares often contain configuration files, scripts, executables, and logs with credentials or sensitive information.
  • NETLOGON and SYSVOL shares on Domain Controllers contain Group Policy files and logon scripts that may reveal passwords or privileged paths.
  • Write access to a share can be used to drop malicious files (SCF files, LNK files, webshells) for hash capture or code execution.
  • Recursive downloads from Development, Data, or custom shares have revealed Ansible vaults, SQLite databases, .NET executables, and backup archives in many HTB machines.

#Cross-References

#Tool References

| Tool | Description | Link |
| --- | --- | --- |
| smbclient | SMB/CIFS client (Samba suite) | Built into most Linux distros |
| smbmap | SMB share enumeration and download tool | https://github.com/ShawnDEvans/smbmap |
| netexec (nxc) | Multi-protocol pentesting tool (CrackMapExec successor) | https://github.com/Pennyw0rth/NetExec |
| enum4linux-ng | SMB enumeration wrapper (modern rewrite) | https://github.com/cddmp/enum4linux-ng |
| Impacket | Collection of Python tools for Windows protocols | https://github.com/fortra/impacket |
| PowerView | PowerShell AD reconnaissance (for RBCD/RID ops) | https://github.com/PowerShellMafia/PowerSploit |

#Source Machines

  • Forest (Easy, AD) -- Anonymous LDAP, no SMB share access until foothold
  • Cascade (Medium, AD) -- smbclient anonymous listing succeeds, r.thompson credentials access Data share with sensitive files
  • Authority (Medium, AD/Windows) -- smbclient anonymous share listing, Development share accessible, contains Ansible vault
  • Support (Easy, Windows) -- Anonymous access to support-tools share reveals UserInfo.exe.zip with LDAP credentials
  • Manager (Medium, AD/Windows) -- Null session allows share listing and RID cycling, users enumerated for password spray