SMB( Server Message Block protocol) is a client-server communication protocol that is used for sharing access to files, devices, serial ports, and other resources on a network. SMB enumeration is a multipart process in which we enumerate the host or target system for different information like Hostnames, List shares, null sessions, checking for vulnerabilities, etc.
SMB Enumeration Stages:
SMB Enumeration for Hostname
There are plenty of tools that can enumerate Hostname, here to demonstrate we are using nmblookup and nbtscan. Nmblookup tool makes use of queries of the NetBIOS names and maps them to their related IP addresses in a network.
1. Nmblookup:
$ nmblookup -A <Target IP>
Here, you can see that we have enumerated the hostname to CAJA.
2. Nbtscan:
$ nbtscan <target IP>
Here, you can see that we have enumerated the hostname to CAJA as the same as the above scan through nmblookup.
SMB Enumeration for Share and Null Session:
In this part, we are going to enumerate shares of the host or target system. We can perform this enumeration with many tools, for this article we are going to use smbmap, smbclient, Nmap, and Metasploit for different ways of performing this share enumeration.
1. Smbmap: Smbmap allows the attacker to enumerate samba share drives on the IP address. It also lists drive permissions and upload/download functionality.
$ smbmap -H <target IP>
Also, you can scan for specific user shares using the credentials by using the below command
$ smbmap -H <target IP> -u username -p password
2. smbclient: It is a samba-client, and it is useful to test connectivity to windows shares.
$ smbclient -L <target IP>
3. Nmap: Nmap provides smb-enum-shares NSE script which can be used to enumerate the shares.
$ nmap --script smb-enum-shares -p 139,445 <Target IP>
Here is the result as you can see that we didn't find any SMB share detail.
4. Metasploit: In Metasploit, we are going to the smb_enumshares module that will enumerate any SMB share if present on the server.
msf6> use auxiliary/scanner/smb/smb_enumshares
msf6> auxiliary(scanner/smb/smb_enumshares) > set rhosts <target IP>
msf6> auxiliary(scanner/smb/smb_enumshares) > set smbuser <username>
msf6> auxiliary(scanner/smb/smb_enumshares) > set smbpass <password>
msf6> auxiliary(scanner/smb/smb_enumshares) > exploit
SMB Enumeration for Vulnerability Scanning:
In this stage, we use Nmap's script for scanning for vulnerabilities that could possibly be found on the server. We can use various tools for this stage but here we are going to look at Nmap's NSE script.
Nmap's smb-vuln NSE Script:
Nmap has a wide range of scripts for different purposes, here as an example we are going to look at smb-check-vulns. This script can scan targets for a wide range of vulnerabilities, for example:
- a -3103
- regsv-dos
- ms06 -025
$ sudo nmap --script smb-vuln* -p 139,445 <Target IP>
Example:
Result here we scanned the target for the specific script, and we didn't find any vulnerability as we can see in the scan.
SMB Enumeration by Enum4Linux:
Enum4linux is a powerful tool that can detect and fetch data from both windows and Linux OS, also SMB hosts on the network.
$ enum4linux -U <target IP>
Example:
Result:
As we can see that it has enumerated all the user information that is present on the network.
Similar Reads
SMTP Enumeration
SMTP (Simple Mail Transfer Protocol) is a set of communication guidelines that allow web applications to perform communication tasks over the internet, including emails. It is a part of the TCP/IP protocol and works on moving emails across the network. SMTP enumeration allows us to identify valid us
2 min read
SNMP Enumeration
Simple Network Management Protocol (SNMP) is an application layer protocol that runs on UDP and maintains and manages IP network routers, hubs, and switches. SNMP agents run on networking devices in Windows and UNIX networks.SNMP (Simple Network Management Protocol) is an application layer protocol
6 min read
Enumeration in Scala
An enumerations serve the purpose of representing a group of named constants in a programming language. Refer Enumeration (or enum) in C and enum in Java for information on enumerations. Scala provides an Enumeration class which we can extend in order to create our enumerations. Declaration of enume
3 min read
What is NetBIOS Enumeration?
NetBIOS is an acronym that stands for Network Basic Input Output System. It enables computer communication over a LAN and the sharing of files and printers. TCP/IP network devices are identified using NetBIOS names (Windows). It must be network-unique and limited to 16 characters, with 15 reserved f
5 min read
What is IPsec Enumeration?
In the world of computer hacking, IPsec enumeration is a process by which attackers are able to perform authentication on an IPsec system. It can allow them to gain access to the network and gather information. IPsec Enumeration: IPsec's enumeration is the process of gaining access to security keys
4 min read
User Enumeration in Ethical Hacking
User enumeration is an important stage in penetration testing where the hacker will use a set of methods to find out valid user names on a company’s network. They will then attempt to use each of these usernames and passwords until they are able to gain unauthorized access to the system. User Enumer
3 min read
Playing with Numbers
Playing with Numbers: Numbers are the mathematical objects used to count, measure, and label. The original examples are the natural numbers 1, 2, 3, 4, and so forth. Numbers can be represented in language with number words. More universally, individual numbers can be represented by symbols, called n
11 min read
Rust - Enum
An enum in Rust is a custom data type that represents data that can be anyone among several possible variants. Each variant in the enum can optionally have data associated with it. An enumerated type is defined using the enum keyword before the name of the enumeration. It also consists of methods. S
3 min read
What is Security Testing in Enumeration?
Security Testing in Enumeration is when a tester repeatedly performs the same task on a system to see if vulnerabilities exist. One way that a tester might do this is by creating scripts or programs to test for the existence of security issues in the system's software code. A good example of this ty
4 min read
Numbers 1 to 50
Numbers 1 to 50 are fundamental in early education, forming the building blocks for counting, arithmetic, and number recognition. These numbers are important for developing a child's numeracy skills, enabling them to perform basic mathematical operations and understand the sequence of numbers.In thi
7 min read