SMB Enumeration

Checklist

  • Authentication
    • null/anon: netexec smb <ip> -u '' -p ''
    • guest: netexec smb <ip> -u 'guest' -p ''
    • user list + single password: netexec smb <ip> -u ./users.txt -p '<single-password>' -d '<domain>'
    • bruteforce (wordlist attack) single user: netexec smb <ip> -u <single-user> -p ./passwords.txt -d '<domain>'
  • Enumerate Host
    • netexec smb <ip>
    • enum4linux -a <ip>
  • List Shares
    • netexec smb <ip> -u '' -p '' --shares
    • smbclient -N -L //<ip>
  • Enumerate SMB Signing
    • nmap -p445 --script smb2-security-mode <ip/cidr>
    • netexec smb <ip/cidr> --gen-relay-list <output-file>
  • Enumerate Password Policy
    • netexec smb <ip> -u '' -p '' --pass-pol
  • Enumerate Files
    • smbclient //<ip>/<share> -N
    • smbclient //<ip>/<share> -U '<username>' '<password>'
    • netexec smb <ip> -u '<user>' -p '<pass>' -M spider_plus
    • smbclient.py '<domain>/<user>:<pass>@<ip/host>' -k -no-pass (Kerberos auth)
    • manspider.py --threads 256 <ip/cidr> -u '<username>' -p '<pass>' <options>
  • User enumeration
    • RID Cycling
      • lookupsid.py guest@<ip> -no-pass
      • netexec smb <ip> -u 'guest' -p '' --rid-brute 10000
    • SAM Remote Protocol - samrdump.py '<domain>/<user>:<pass>@<ip>'
    • Kerberos with a user list
      • sudo nmap -p 88 --script "krb5-enum-users" --script-args "krb5-enum-users.realm='<domain>',userdb=<user-list.txt>" <dc-ip>
      • kerbrute -d <domain> --dc <dc-ip> -o <log-file.txt> userenum <user-list.txt>
  • Check for Vulnerabilities - nmap --script "smb-vuln*" -p 139,445 <ip/cidr>
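An added example for the "Enumerate SMB Signing" step (not part of the original notes): it parses the text output of `nmap -p445 --script smb2-security-mode` and returns the hosts where signing is not enforced, i.e. the ones to remediate with the "Microsoft network server: Digitally sign communications (always)" policy. The sample output is constructed and the "Message signing ..." phrasing is assumed to match the NSE script.

```python
import re

# Constructed sample output of `nmap -p445 --script smb2-security-mode`
# (trimmed to the lines the parser cares about; phrasing is an assumption).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
Nmap scan report for dc01.corp.local (10.0.0.10)
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Nmap scan report for 10.0.0.7
445/tcp closed microsoft-ds
"""

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for host.name (10.0.0.10)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
SIGNING_RE = re.compile(r"Message signing (.+)$")

def parse_signing(report: str) -> dict:
    """Map each scanned IP to 'required', 'not_required' or 'unknown'
    ('unknown' = the script produced no result, e.g. port closed/filtered)."""
    results = {}
    current = None
    for line in report.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = m.group(1)
            results[current] = "unknown"
            continue
        m = SIGNING_RE.search(line)
        if m and current:
            verdict = m.group(1).lower()
            results[current] = "not_required" if "not required" in verdict else "required"
    return results

def hosts_needing_signing(report: str) -> list:
    """Hosts to remediate: signing not enforced, so SMB relay against them
    is not blocked. Enforce via GPO or the equivalent Samba 'server signing' setting."""
    return sorted(ip for ip, s in parse_signing(report).items() if s == "not_required")

if __name__ == "__main__":
    print(hosts_needing_signing(SAMPLE_NMAP_OUTPUT))
```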
