SMB (445/139)
enumerationports
Summary
Always try null and guest sessions first. List shares, connect to readable ones, then spider for configs, scripts, and GPP passwords. Map share ACLs with smbmap.
Walkthrough
SMB (445/139) is one of the highest-value enumeration targets on Windows.
Steps
- Null / guest session —
smbclient -L //<IP>/ -Nand
nxc smb <IP> -u '' -p '' --shares. A surprising number of shares are readable anonymously.
- List & read shares — connect with
smbclient //<IP>/<share>and pull
anything interesting (get, or mask ""; recurse; mget *).
- Spider —
-M spider_plus(NetExec) crawls every readable share and dumps
a JSON of files; grep it for password, .config, .kdbx, scripts.
- Check write access —
smbmapshows READ/WRITE per share; a writable share
can mean webshell upload or SCF/.lnk hash-capture attacks.
Credentialed
With creds, re-run everything and add --rid-brute (enumerate users), --pass-pol, and --users. A Pwn3d! from NetExec means admin → dump SAM/NTDS.
> GPP passwords live in SYSVOL (Groups.xml); decrypt with gpp-decrypt.
Commands
bash
# List shares (null/guest session) smbclient -L //<IP>/ -N smbclient -L //<IP>/ -U <USER>
bash
# Enumerate with NetExec, including null/guest nxc smb <IP> -u '' -p '' --shares nxc smb <IP> -u guest -p '' --shares
bash
# Connect to a specific share smbclient //<IP>/<SHARE> -U '<TARGET>/<USER>%<PASS>' impacket-smbclient '<TARGET>/<USER>:<PASS>'@<IP>
bash
# Spider shares for interesting files / GPP passwords nxc smb <IP> -u <USER> -p '<PASS>' -M spider_plus smbmap -H <IP> -u <USER> -p '<PASS>'
bash
# Quick nmap share enum nmap --script smb-enum-shares,smb-enum-users -p 139,445 <IP>