← Back to search

SMB (445/139)

enumerationports

Summary

Always try null and guest sessions first. List shares, connect to readable ones, then spider for configs, scripts, and GPP passwords. Map share ACLs with smbmap.

Walkthrough

SMB (445/139) is one of the highest-value enumeration targets on Windows.

Steps

  1. Null / guest sessionsmbclient -L //<IP>/ -N and

nxc smb <IP> -u '' -p '' --shares. A surprising number of shares are readable anonymously.

  1. List & read shares — connect with smbclient //<IP>/<share> and pull

anything interesting (get, or mask ""; recurse; mget *).

  1. Spider-M spider_plus (NetExec) crawls every readable share and dumps

a JSON of files; grep it for password, .config, .kdbx, scripts.

  1. Check write accesssmbmap shows READ/WRITE per share; a writable share

can mean webshell upload or SCF/.lnk hash-capture attacks.

Credentialed

With creds, re-run everything and add --rid-brute (enumerate users), --pass-pol, and --users. A Pwn3d! from NetExec means admin → dump SAM/NTDS.

> GPP passwords live in SYSVOL (Groups.xml); decrypt with gpp-decrypt.

Commands

bash

# List shares (null/guest session)
smbclient -L //<IP>/ -N
smbclient -L //<IP>/ -U <USER>

bash

# Enumerate with NetExec, including null/guest
nxc smb <IP> -u '' -p '' --shares
nxc smb <IP> -u guest -p '' --shares

bash

# Connect to a specific share
smbclient //<IP>/<SHARE> -U '<TARGET>/<USER>%<PASS>'
impacket-smbclient '<TARGET>/<USER>:<PASS>'@<IP>

bash

# Spider shares for interesting files / GPP passwords
nxc smb <IP> -u <USER> -p '<PASS>' -M spider_plus
smbmap -H <IP> -u <USER> -p '<PASS>'

bash

# Quick nmap share enum
nmap --script smb-enum-shares,smb-enum-users -p 139,445 <IP>