Fingerprint SMB Version

smbclient -L //192.168.1.100
Find open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

RID Cycling:

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Metasploit module for RID cycling:

use auxiliary/scanner/smb/smb_lookupsid
Manual Null session testing:

Windows:

net use \\TARGET\IPC$ "" /u:""

Linux:

smbclient -L //192.168.99.131
NBTScan unixwiz

Install on Kali rolling:

apt-get install nbtscan-unixwiz 
nbtscan-unixwiz -f 192.168.0.1-254 


Check the SMB/Samba version using Metasploit:

use auxiliary/scanner/smb/smb_version

Check for SMB-related vulnerabilities using the 'smb-check-vulns' nmap script. Note that current Nmap releases no longer ship smb-check-vulns: it was split into the individual smb-vuln-* scripts (smb-vuln-ms08-067, smb-vuln-ms17-010, smb-vuln-cve2009-3103, ...), so use --script smb-vuln-* there. The unsafe=1 argument enables checks that can crash the target service; only use it where that is acceptable.

  • SMB OS Discovery
    nmap $ip --script smb-os-discovery.nse

  • Nmap port scan
    nmap -v -p 139,445 -oG smb.txt $ip-254

  • Netbios Information Scanning
    nbtscan -r $ip/24

  • Nmap find exposed Netbios servers
    nmap -sU --script nbstat.nse -p 137 $ip

  • Nmap all SMB scripts scan

    nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip

  • Nmap all SMB scripts authenticated scan

    nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args smbuser=<username>,smbpass=<password>,unsafe=1 $ip

    (pass all script arguments in a single --script-args; a second --script-args on the command line replaces the first, which would silently drop the credentials)

  • SMB Enumeration Tools
    nmblookup -A $ip

    smbclient //MOUNT/share -I $ip -N

    rpcclient -U "" -N $ip

    enum4linux $ip

    enum4linux -a $ip

  • SMB Finger Printing
    smbclient -L //$ip

  • Nmap Scan for Open SMB Shares
    nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24

  • Nmap scans for vulnerable SMB Servers
    nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip

    (on current Nmap releases smb-check-vulns was split into the smb-vuln-* scripts: nmap -v -p 445 --script=smb-vuln-* --script-args=unsafe=1 $ip; unsafe=1 enables checks that can crash the target)

  • Nmap List all SMB scripts installed
    ls -l /usr/share/nmap/scripts/smb*

  • Enumerate SMB Users

    nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14

    OR

    python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip

  • RID Cycling - Null Sessions
    ridenum.py $ip 500 50000 dict.txt

  • Manual Null Session Testing

    Windows: net use \\$ip\IPC$ "" /u:""

    Linux: smbclient -L //$ip -N
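As an added example (not part of the original cheat sheet), the following Python script ties the steps above together: it parses the grepable output written by the "Nmap port scan" step (nmap -oG smb.txt), keeps only hosts with 445 open (direct SMB) or, failing that, 139 open (SMB over NetBIOS), and prints the per-host follow-up commands from the later steps (smb-os-discovery, a null-session share listing, enum4linux). The sample scan output embedded below is constructed for illustration, not real scan data.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `nmap -v -p 139,445 -oG smb.txt 10.0.0.1-4` output (not a real scan).
# Grepable output has one "Host: <ip> ()\tPorts: ..." line per host with open ports.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 10.0.0.1-4
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.4 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 10:00:05 2024 -- 4 IP addresses (4 hosts up) scanned in 5.00 seconds
"""

# Each port entry looks like "445/open/tcp//microsoft-ds///": port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_gnmap(text: str) -> Dict[str, Dict[int, str]]:
    """Return {ip: {tcp_port: state}} from nmap -oG output."""
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status: Up" lines carry no port data
        ip = line.split()[1]
        # Port list ends at the next tab-separated field (e.g. "Ignored State: ...").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if proto == "tcp":
                hosts.setdefault(ip, {})[int(port)] = state
    return hosts


def smb_port(ports: Dict[int, str]):
    """Prefer direct SMB on 445; fall back to NetBIOS session service on 139; None if neither is open."""
    if ports.get(445) == "open":
        return 445
    if ports.get(139) == "open":
        return 139
    return None


def smb_targets(hosts: Dict[str, Dict[int, str]]) -> Dict[str, int]:
    """Return {ip: port} for hosts worth enumerating, sorted by address."""
    targets = {ip: smb_port(ports) for ip, ports in hosts.items()}
    return {ip: port for ip, port in sorted(targets.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
            if port is not None}


def followup_commands(hosts: Dict[str, Dict[int, str]]) -> List[str]:
    """Emit the enumeration commands from this cheat sheet for each SMB target."""
    cmds: List[str] = []
    for ip, port in smb_targets(hosts).items():
        cmds.append(f"nmap -p {port} --script smb-os-discovery {ip}")
        cmds.append(f"smbclient -L //{ip} -N")      # null-session share listing
        cmds.append(f"enum4linux -a {ip}")          # users, shares, groups, policy
    return cmds


if __name__ == "__main__":
    for cmd in followup_commands(parse_gnmap(SAMPLE_GNMAP)):
        print(cmd)
```

Host 10.0.0.3 is kept because 139 is open even though 445 is filtered, and 10.0.0.4 is dropped entirely; feed a real smb.txt into parse_gnmap in place of the constructed sample.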
