SMB - TCP 139, 445
Checking NetBIOS names
sudo nbtscan -r 10.11.1.0/24Enumerate SMB shares using enum4linux
enum4linux -a <target ip>
enum4linux -u 'guest' -p '' -a <target ip>Check for NULL sessions
rpcclient -U "" -N <target ip>
smbclient \\\\<target ip>\\$SHARE_NAMEAuthenticate to an SMB share using an NTLM hash
smbclient \\\\<target ip>\\<share name> -U '<username>' --pw-nt-hash <NTLM hash>Scan for vulnerabilities with Nmap
nmap --script smb-vuln* -p 139,445 <target ip>Enumerate users with Nmap
nmap -script smb-enum-users.nse -script-args=unsafe=1 -p 139,445 <target ip>List shares with smbmap
smbmap -H <target ip>List shares with smbmap and an NTLM hash
smbmap -H \\\\<target ip>\\ -U '<username>' -H <NTLM hash>List shares from Windows command line
Map shared drives to machine
Last updated