139, 445 - SMB


nmap -v -p 139,445 $targetip-254 -oG smb.txt 

search for nmap NSE scripts

ls -1 /usr/share/nmap/scripts/smb*

Nmap NSE script

nmap --script "safe or smb-enum-*" -p 139,445 $targetip

NSE SMB enumeration scripts:

  • smb-enum-domains

  • smb-enum-groups

  • smb-enum-processes

  • smb-enum-services

  • smb-enum-sessions

  • smb-enum-shares

  • smb-enum-users

nmap -v -p 139, 445 --script=smb-os-discovery $targetip-254

Unsafe option. scripts will crash the vulnerable system:

nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 $targetip

Search for known vulnerabilities:

nmap --script smb-vuln* -p 139,445 -oN smb-vuln-scan $targetip


nbtscan -r $targetip/24


Run everything, runs all options apart from dictionary based share name guessing:

enum4linux -a $targetip

With credentials:

enum4linux -a -u "<username>" -p "<passwd>" $targetip
  • -a: Do all simple enumeration (-U -S -G -P -r -o -n -i).

  • -u <user>: specify username to use.

  • -p <pass>: specify password to use.

Other enum4linux commands:

#Verbose mode, shows the underlying commands being executed by enum4linux
enum4linux -v $targetip
#Lists usernames, if the server allows it - (RestrictAnonymous = 0)
enum4linux -U $targetip
#If you've managed to obtain credentials, you can pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u administrator -p password -U $targetip
#Pulls usernames from the default RID range (500-550,1000-1050)
enum4linux -r $targetip
#Pull usernames using a custom RID range
enum4linux -R 600-660 $targetip
#Lists groups. if the server allows it, you can also specify username -u and password -p
enum4linux -G $targetip
#List Windows shares, again you can also specify username -u and password -p
enum4linux -S $targetip
#Perform a dictionary attack, if the server doesn't let you retrieve a share list
enum4linux -s shares.txt $targetip
#Pulls OS information using smbclient, this can pull the service pack version on some versions of Windows
enum4linux -o $targetip
#Pull information about printers known to the remove device.
enum4linux -i $targetip

Smbclient / smbmap / crackmapexec

List shared folders

It is always recommended to look if you can access to anything, if you don't have credentials try using null credentials/guest user.

smbclient --no-pass -L //$targetip # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //$targetip #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H $targetip [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H $targetip [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H $targetip [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H $targetip [-P <PORT>] #Recursive list

crackmapexec smb $targetip -u '' -p '' --shares #Null user
crackmapexec smb $targetip -u 'asdasdasd' -p 'asdasdasd'
crackmapexec smb $targetip -u 'username' -p 'password' --shares #Guest user
crackmapexec smb $targetip -u 'username' -H '<HASH>' --shares #Guest user

Connect/List a shared folder

#Connect using smbclient
smbclient --no-pass \\\\$targetip\\<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //$targetip 
#If you omit the pwd, will be asked. 
#With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls'  to list recursively with smbclient

#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H $targetip [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H $targetip [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H $targetip [-P <PORT>] #Pass-the-Hash

Mount Shares

mount -t cifs -o username=user,password=password //$targetip/Share /mnt/share

Download Files

Create a tar file of the files under users/docs.

smbclient //$targetip/Share "" -N -Tc backup.tar users/docs

Possible Errors

SMB Protocol Negotiation Failed

Normally SMB takes care of choosing the appropriate protocol for each connection. However, if the offered protocols are out of client’s default range, it will return an error message like this:

Protocol negotiation failed: NT_STATUS_IO_TIMEOUT


Edit the connection protocol range in the client configuration file. Add client min protocol and client max protocol settings to /etc/samba/smb.conf under [global].

# /etc/samba/smb.conf
client min protocol = CORE
client max protocol = SMB3

Last updated