
Enumerating SMB for Pentesting (Ports 445, 139)

Using NMAP

Scan for well-known RCE vulnerabilities (the nmap/ output directory must exist first):

sudo nmap -p 139,445 --script "smb-vuln*" <ip-addr> -oA nmap/smb-vuln

Identify the SMB/OS version.

nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr>


Using SMBMap

To list out the shares and associated permissions:

smbmap -H <ip-addr>

To list the contents of a share recursively:

smbmap -R <sharename> -H <ip-addr>

To list shares as an authenticated user:

smbmap -d <domain> -u <username> -p <password> -H <ip-addr>

To download a particular file:

smbmap -R <sharename> -H <ip-addr> -A <filename> -q


Using SMBClient

To list out the shares:

smbclient -L \\\\<ip-addr>

To connect to shares:

sudo smbclient \\\\<ip-addr>\\<share>

Downloading files:

Once connected, you can download files. You’ll want to disable interactive prompts and turn recursive mode ON.

smb: \> prompt
smb: \> recurse
smb: \> mget *

Using RPCClient

Testing for Null Sessions:

To test for null sessions, you can use the following command. If it connects, then you’ll be able to issue rpcclient commands for further enumeration.

rpcclient -U "" -N [ip]

-U ""  = Null Session
-N  = No Password

Using Enum4Linux

The following command will attempt to establish a null session with the target and then use RPC to extract useful information.

enum4linux -a [ip]

Example output is long, but some highlights to look for:

  • Listing of file shares and printers.
  • Domain/Workgroup information.
  • Password policy information.
  • RID cycling output to enumerate users and groups.

Mounting SMB Shares

The following command will mount the remote file-share to /mnt/smb/ (this directory must exist first) and prompt you for the password.

mount -t cifs -o username=<user> //<targetIP>/<shareName> /mnt/smb/

Gaining a Shell

Once you have valid credentials on the machine, or a valid NTLM hash, you can leverage the following guide to gain a shell.

Enumerating SMB Version

If your tools aren’t working to enumerate the version, you can establish a connection via smbclient and then extract the Samba/SMB version from a packet capture. To automate the process, you can use the script available at

Troubleshooting Common Errors:

protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

This error occurs because your modern tools will not negotiate the older, insecure protocol versions that the target speaks. You just need to tell Samba on your machine to allow the weaker and more insecure protocols.

Note: If you are using smbd in real life for file and printer sharing, I don’t recommend leaving your system like this.

Open the following files in your favorite text editor.


Find the Global section, and add the following line.

client min protocol = LANMAN1

With that line added, restart your smbd service and you should now be able to connect.

service smbd restart
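
Because the note above warns against leaving a system in this state, here is a small check you can run after an engagement to confirm the protocol floor was restored. It is an added example, not part of the original post: the function name and the sample config are constructed for illustration. It reads only the [global] section and does not follow include files or backslash line continuations.

```python
import re

# Dialects of the SMB1 family, weakest first, as named in smb.conf(5).
SMB1_DIALECTS = ("CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1")
# Protocol-floor parameters mapped to their canonical name;
# "min protocol" is a synonym for "server min protocol".
FLOOR_PARAMS = {
    "client min protocol": "client min protocol",
    "client ipc min protocol": "client ipc min protocol",
    "server min protocol": "server min protocol",
    "min protocol": "server min protocol",
}

def _norm(name):
    """smb.conf ignores case and all whitespace in section/parameter names."""
    return re.sub(r"\s+", "", name).lower()

def weak_protocol_floors(conf_text):
    """Return {parameter: (line_no, value)} for [global] floors set to SMB1 dialects.

    A repeated parameter is reported with its last assignment, the one Samba applies.
    """
    watched = {_norm(k): v for k, v in FLOOR_PARAMS.items()}
    effective, section = {}, None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)             # only the first "=" counts
        if _norm(key) in watched:
            effective[watched[_norm(key)]] = (line_no, value.strip().upper())
    return {p: lv for p, lv in effective.items() if lv[1] in SMB1_DIALECTS}

# Constructed sample config, modelled on the change described above.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   ; client min protocol = CORE
   Client Min Protocol = lanman1
   server min protocol = NT1
   server min protocol = SMB2_02
"""

if __name__ == "__main__":
    for param, (line_no, value) in weak_protocol_floors(SAMPLE_CONF).items():
        print(f"line {line_no}: {param} = {value} allows SMB1-era dialects")
```

An empty result means no watched floor in [global] is explicitly set to an SMB1-era dialect.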
