Samba Enumeration for Penetration Testing - Short Tutorial

While engaging in penetration testing, you often found open ports 139 and port 445. This denotes smb, which stands for server message block. If it is available, this may be your jackpot and help you identify your target's entry point.

smb is a Windows-based network protocol, and the primary purpose of this protocol is to share files between different systems within the same network. Its primary purpose is to share files and printer devices. Windows-based desktops also use it for access to remote services.

I am trying to list all major tools and associated commands which can be used for smb enumeration.

Tools Used

(1) enum4linux

enum4linux is developed in Perl and helps in enumerating data from Samba and Windows hosts. This tool is pre-installed on Kali Linux.

#enum4linux [ip]

(2) Nmap

Nmap has so many scripts to gain a foothold on smb enumeration. First, list all scripts related to smb and run them accordingly using the commands below. Click Here for the Nmap cheat sheet for more useful commands.

#ls /usr/share/nmap/scripts | grep smb 
#nmap --script <smb-scripts> [target-ip]

(3) rpcclient

This tool helps in executing client-side MS-RPC functions.

#rpcclient -U "" -N [target-ip]

-U -> set the network username

-N -> not ask for password

(4) smbclient

This tool is similar to ftp utility. It helps the client to access SMB/CIFS resources on servers.

#smbclient -N -L \\\\[ip]
#smbclient //MOUNT/share -I target -N

(5) nmblookup

NetBIOS over TCP/IP client used to lookup NetBIOS names.

#nmblookup -A [target-ip]

(6) smbmap

These tools help in finding samba share drives across an entire domain.

#smbmap -u [username] -p [password] -H [target-ip]

Conclusion

In this article, we have seen 6 major tools that can be used for smb enumeration. Do comment if you use any of such tools. Also, comment if I miss something.