Use Nmap to scan a host for SMB vulnerabilities
# the option is --script (not --scripts); the glob is quoted so the shell does not expand it locally
sudo nmap --script="smb-vuln*" <IP Address>
sudo nmap --script="smb-enum*" <IP Address>
# no space after the comma in the port list, or nmap reads "445" as a second target
nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227
SMB Version | Windows version
CIFS | Microsoft Windows NT 4.0
SMB 1.0 | Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0 | Windows Vista & Windows Server 2008
SMB 2.1 | Windows 7 and Windows Server 2008 R2
SMB 3.0 | Windows 8 and Windows Server 2012
SMB 3.0.2 | Windows 8.1 and Windows Server 2012 R2
SMB 3.1.1 | Windows 10 and Windows Server 2016
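Added post-processing example (not part of the original notes): run the smb-os-discovery scan above with `-oX scan.xml`, feed the report to `inventory()`, and each host's reported OS is mapped to the dialect from the table so that SMB1-era hosts (no signing by default, no encryption) stand out for retirement or SMB1 disablement. The XML sample is constructed; the `<elem key="os">` layout is assumed to match how nmap serialises the script's output table.

```python
import re
import xml.etree.ElementTree as ET

# OS-string pattern -> dialect, derived from the version table above; most
# specific rows first so "Server 2012 R2" is not caught by the "Server 2012" row.
OS_TO_DIALECT = [
    (r"Windows 10|Server 2016", "SMB 3.1.1"),
    (r"Windows 8\.1|Server 2012 R2", "SMB 3.0.2"),
    (r"Windows 8|Server 2012", "SMB 3.0"),
    (r"Windows 7|Server 2008 R2", "SMB 2.1"),
    (r"Windows Vista|Server 2008", "SMB 2.0"),
    (r"Windows 2000|Windows XP|Server 2003", "SMB 1.0"),
    (r"Windows NT 4\.0", "CIFS"),
]
LEGACY = {"CIFS", "SMB 1.0"}  # releases that only speak SMB1

# Constructed sample of `nmap -oX` output for hosts scanned with --script smb-os-discovery.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.11.1.227" addrtype="ipv4"/><hostscript>
<script id="smb-os-discovery" output="OS: Windows XP Professional 5.1">
<elem key="os">Windows XP Professional 5.1</elem><elem key="workgroup">WORKGROUP</elem>
</script></hostscript></host>
<host><address addr="10.11.1.228" addrtype="ipv4"/><hostscript>
<script id="smb-os-discovery" output="OS: Windows Server 2012 R2 Standard 9600">
<elem key="os">Windows Server 2012 R2 Standard 9600</elem>
</script></hostscript></host>
<host><address addr="10.11.1.229" addrtype="ipv4"/></host>
</nmaprun>"""

def dialect_for(os_string):
    """Map an smb-os-discovery OS string to the newest dialect that release ships with."""
    for pattern, dialect in OS_TO_DIALECT:
        if re.search(pattern, os_string, re.IGNORECASE):
            return dialect
    return "unknown"  # e.g. Samba, which reports its own version string

def inventory(xml_text):
    """Return [(address, os, dialect, is_legacy)] for every host with SMB OS output."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        script = host.find(".//script[@id='smb-os-discovery']")
        if script is None:
            continue  # ports closed/filtered, or the script returned nothing
        addr = host.find("address").get("addr")
        os_elem = script.find("elem[@key='os']")
        os_name = os_elem.text if os_elem is not None else script.get("output", "")
        dialect = dialect_for(os_name)
        rows.append((addr, os_name, dialect, dialect in LEGACY))
    return rows
```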
To download all files from an SMB share (interactive smbclient session):
smbclient '\\server\share'
mask ""
recurse ON
prompt OFF
cd "path\to\remote\dir"
mget *
rpcclient is a good tool for enumerating SMB.
# -U "" gives a null (anonymous) username; -N skips the password prompt
rpcclient -U "" -N 10.11.1.17
rpcclient $> querydomainfo
command not found: querydomainfo
rpcclient $> querydominfo
Domain: WORKGROUP
Server: LUCKY
Comment: lucky server (Samba, Ubuntu)
Total Users: 0
Total Groups: 0
Total Aliases: 0
Sequence No: 1608749220
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
# Used to retrieve list of users present on the system
rpcclient $> enumdomusers
# Used to query user info
rpcclient $> queryuser [username]
Scan NetBIOS information on a host
sudo nbtscan -r <IP ADDRESS>
enum4linux: SMB shares can be enumerated via enum4linux.
enum4linux [IP]
List SMB shares on a host
smbmap -H 10.10.10.100
Start a simple SMB share using Python (impacket's smbserver.py: share name first, then the local directory)
python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .
python2 /usr/share/doc/python3-impacket/examples/smbserver.py tools .
python smbserver.py share /home/kali/FTP
Samba client connection from Linux
smbclient -L \\\\10.10.10.4\\
smbclient //10.10.10.100/Replication