Run everything (all options apart from dictionary-based share name guessing):
enum4linux -a $targetip
With credentials:
enum4linux -a -u "<username>" -p "<passwd>" $targetip
Parameters
-a: Do all simple enumeration (-U -S -G -P -r -o -n -i).
-u <user>: specify username to use.
-p <pass>: specify password to use.
Other enum4linux commands:
# Verbose mode, shows the underlying commands being executed by enum4linux
enum4linux -v $targetip
# Lists usernames, if the server allows it (RestrictAnonymous = 0)
enum4linux -U $targetip
# If you've managed to obtain credentials, you can pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u administrator -p password -U $targetip
# Pulls usernames from the default RID range (500-550,1000-1050)
enum4linux -r $targetip
# Pull usernames using a custom RID range
enum4linux -R 600-660 $targetip
# Lists groups. If the server allows it, you can also specify username -u and password -p
enum4linux -G $targetip
# List Windows shares, again you can also specify username -u and password -p
enum4linux -S $targetip
# Perform a dictionary attack, if the server doesn't let you retrieve a share list
enum4linux -s shares.txt $targetip
# Pulls OS information using smbclient, this can pull the service pack version on some versions of Windows
enum4linux -o $targetip
# Pull information about printers known to the remote device.
enum4linux -i $targetip
Smbclient / smbmap / crackmapexec
List shared folders
It is always recommended to check whether you can access anything; if you don't have credentials, try null credentials or the guest user.
smbclient --no-pass -L //$targetip # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //$targetip # If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H $targetip [-P <PORT>] # Null user
smbmap -u "username" -p "password" -H $targetip [-P <PORT>] # Creds
smbmap -u "username" -p "<NT>:<LM>" -H $targetip [-P <PORT>] # Pass-the-Hash
smbmap -R -u "username" -p "password" -H $targetip [-P <PORT>] # Recursive list
crackmapexec smb $targetip -u '' -p '' --shares # Null user
crackmapexec smb $targetip -u 'asdasdasd' -p 'asdasdasd'
crackmapexec smb $targetip -u 'username' -p 'password' --shares # Guest user
crackmapexec smb $targetip -u 'username' -H '<HASH>' --shares # Guest user
Connect/List a shared folder
# Connect using smbclient
smbclient --no-pass \\\\$targetip\\<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //$targetip # If you omit the pwd, you will be asked for it.
# With --pw-nt-hash, the pwd provided is the NT hash
# Use --no-pass -c 'recurse;ls' to list recursively with smbclient
# List with smbmap, without folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H $targetip [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H $targetip [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H $targetip [-P <PORT>] # Pass-the-Hash
Normally SMB takes care of choosing the appropriate protocol for each connection. However, if the offered protocols are outside the client’s default range, the connection fails with an error message like this:
Protocol negotiation failed: NT_STATUS_IO_TIMEOUT
Solution
Edit the connection protocol range in the client configuration file.
Add client min protocol and client max protocol settings to /etc/samba/smb.conf under [global].
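To see why the negotiation fails and whether a given range fixes it, this added example (not from the original page) reads client min protocol and client max protocol from the [global] section of smb.conf text and checks them against the dialects a server offers. The default range, the sample configs and the server dialect list are assumptions constructed for illustration.

```python
# Samba dialect names, oldest first, as listed in smb.conf(5).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Aliases documented in smb.conf(5): SMB2 selects SMB2_10, SMB3 selects SMB3_11.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Assumption: defaults of current Samba releases; older releases differ.
DEFAULT_MIN, DEFAULT_MAX = "SMB2_02", "SMB3_11"


def rank(name):
    """Position of a dialect in negotiation order (raises ValueError if unknown)."""
    name = name.strip().upper()
    return DIALECTS.index(ALIASES.get(name, name))


def client_range(conf_text):
    """Return (min, max) client dialects from the [global] section of smb.conf text."""
    values = {"clientminprotocol": DEFAULT_MIN, "clientmaxprotocol": DEFAULT_MAX}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())   # case and whitespace in names are irrelevant
            if key in values and value.strip().lower() != "default":
                values[key] = value.strip().upper()
    return values["clientminprotocol"], values["clientmaxprotocol"]


def can_negotiate(conf_text, server_dialects):
    """True if any dialect the server offers falls inside the client range."""
    lo, hi = client_range(conf_text)
    return any(rank(lo) <= rank(d) <= rank(hi) for d in server_dialects)


# Constructed sample configs and server, not taken from the page.
STOCK = "[global]\n   workgroup = WORKGROUP\n"
WIDENED = "[global]\n   client min protocol = NT1\n   client max protocol = SMB3\n"
LEGACY_SERVER = ["LANMAN1", "NT1"]               # an SMB1-only host

if __name__ == "__main__":
    for label, conf in (("stock", STOCK), ("widened", WIDENED)):
        print(label, client_range(conf), can_negotiate(conf, LEGACY_SERVER))
```

Lowering client min protocol to NT1 re-enables SMB1 on the client, so restore the original range once the legacy host has been assessed.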