Run everything (-a runs all options apart from dictionary-based share name guessing):
enum4linux -a $targetip
With credentials:
enum4linux -a -u "<username>" -p "<passwd>" $targetip
Parameters
-a: Do all simple enumeration (-U -S -G -P -r -o -n -i).
-u <user>: specify username to use.
-p <pass>: specify password to use.
Other enum4linux commands:
#Verbose mode, shows the underlying commands being executed by enum4linux
enum4linux -v $targetip
#Lists usernames, if the server allows it - (RestrictAnonymous = 0)
enum4linux -U $targetip
#If you've managed to obtain credentials, you can pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u administrator -p password -U $targetip
#Pulls usernames from the default RID range (500-550,1000-1050)
enum4linux -r $targetip
#Pull usernames using a custom RID range
enum4linux -R 600-660 $targetip
#Lists groups, if the server allows it; you can also specify username -u and password -p
enum4linux -G $targetip
#List Windows shares, again you can also specify username -u and password -p
enum4linux -S $targetip
#Perform a dictionary attack, if the server doesn't let you retrieve a share list
enum4linux -s shares.txt $targetip
#Pulls OS information using smbclient; this can pull the service pack version on some versions of Windows
enum4linux -o $targetip
#Pull information about printers known to the remote device.
enum4linux -i $targetip
Smbclient / smbmap / crackmapexec
List shared folders
It is always worth checking whether you can access anything; if you don't have credentials, try null credentials or the guest user.
smbclient --no-pass -L //$targetip # Null user
smbclient -U 'username[%passwd]' [--pw-nt-hash] -L //$targetip #If you omit the pwd, you will be prompted for it. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H $targetip [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H $targetip [-P <PORT>] #Creds
smbmap -u "username" -p "<LM>:<NT>" -H $targetip [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H $targetip [-P <PORT>] #Recursive list
crackmapexec smb $targetip -u '' -p '' --shares #Null user
crackmapexec smb $targetip -u 'asdasdasd' -p 'asdasdasd'
crackmapexec smb $targetip -u 'username' -p 'password' --shares #Creds
crackmapexec smb $targetip -u 'username' -H '<HASH>' --shares #Pass-the-Hash
Connect/List a shared folder
#Connect using smbclient
smbclient --no-pass \\\\$targetip\\<Folder>
smbclient -U 'username[%passwd]' [--pw-nt-hash] -L //$targetip
#If you omit the pwd, you will be prompted for it.
#With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient
#List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H $targetip [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H $targetip [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<LM>:<NT>" [-r/-R] [Folder] -H $targetip [-P <PORT>] #Pass-the-Hash
Mount Shares
mount -t cifs -o username=user,password=password //$targetip/Share /mnt/share
Normally SMB takes care of choosing the appropriate protocol for each connection. However, if the offered protocols are outside the client's default range, the client returns an error message like this:
Protocol negotiation failed: NT_STATUS_IO_TIMEOUT
Solution
Edit the connection protocol range in the client configuration file.
Add client min protocol and client max protocol settings to /etc/samba/smb.conf under [global].
# /etc/samba/smb.conf
[global]
client min protocol = CORE
client max protocol = SMB3
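Added example (not part of the original page): a small check that reads the [global] section of an smb.conf and reports when the client range set above lets SMB1-era dialects (NT1 and older) be negotiated. The function names and both sample configurations are constructed for illustration.

```python
import re

# Dialect names accepted by "client min/max protocol", oldest first (smb.conf(5)).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # family name selects its newest variant
SMB1_CEILING = DIALECTS.index("NT1")  # NT1 and everything older predates SMB2

def global_params(conf_text):
    """Return the [global] parameters; names are case- and space-insensitive."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def rank(dialect):
    """Position of a dialect in DIALECTS, or None for a name not in the list."""
    name = ALIASES.get(dialect.upper(), dialect.upper())
    return DIALECTS.index(name) if name in DIALECTS else None

def audit_client_range(conf_text):
    """List findings for the client protocol range set in [global]."""
    params, findings = global_params(conf_text), []
    lo, hi = params.get("clientminprotocol"), params.get("clientmaxprotocol")
    if lo is None:
        return ["client min protocol not set: Samba's built-in default applies"]
    lo_rank, hi_rank = rank(lo), (rank(hi) if hi else None)
    if lo_rank is None:
        findings.append(f"client min protocol = {lo}: unrecognised dialect name")
    elif lo_rank <= SMB1_CEILING:
        findings.append(f"client min protocol = {lo}: SMB1-era dialects can be negotiated")
    if None not in (lo_rank, hi_rank) and hi_rank < lo_rank:
        findings.append(f"client max protocol = {hi} is older than min {lo}")
    return findings

# Constructed samples: the range shown above, and a variant limited to SMB2 and newer.
PAGE_CONF = "[global]\nclient min protocol = CORE\nclient max protocol = SMB3\n"
TIGHT_CONF = "[global]\n  Client Min Protocol = SMB2\n  client max protocol = SMB3\n"

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("tight", TIGHT_CONF)):
        print(label, audit_client_range(conf) or "ok")
```

Include files and registry-backed configuration are not followed; the output of testparm -s can be passed in instead of the raw file contents.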