02. SMB Nmap Scripts

1. Checking SMB Protocol Versions

Command:

nmap -p 445 --script smb-protocols <target>

Explanation:

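  • This script detects the SMB protocol versions (SMBv1, SMBv2, SMBv3) supported by the target.
  • SMBv1 is vulnerable to exploits such as EternalBlue, so an SMBv1 dialect in the output should be treated as a finding. The example below lists only SMBv2 and SMBv3 dialects.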

Example Output:

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|     3.00

2. Checking SMB Security Mode

Command:

nmap -p 445 --script smb-security-mode <target>

Explanation:

  • Identifies the security settings of the SMB server, including authentication and encryption requirements.

Example Output:

| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported

3. Enumerating Active SMB Sessions

Command:

nmap -p 445 --script smb-enum-sessions <target>

Explanation:

  • Lists active SMB sessions on the target machine.
  • Can be used to check for unauthorized users.

Example Output:

| smb-enum-sessions:
|   Users logged in:
|     Administrator

4. Enumerating SMB Sessions with Credentials

Command:

nmap -p 445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

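  • Uses valid SMB credentials, passed through the smbusername and smbpassword script arguments, to retrieve active session details.
  • Credentials given this way appear in shell history and in the process list while the scan runs.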

5. Enumerating SMB Shares

Command:

nmap -p 445 --script smb-enum-shares <target>

Explanation:

  • Lists all shared folders on the target machine.
  • Reveals accessible shares that may contain sensitive information.

Example Output:

| smb-enum-shares:
|   ADMIN$
|   C$
|   IPC$

6. Enumerating SMB Shares with Authentication

Command:

nmap -p 445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Uses provided credentials to access share information.

7. Enumerating SMB Users

Command:

nmap -p 445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Lists users in the SMB domain.

Example Output:

| smb-enum-users:
|   Users:
|     Administrator
|     Guest

8. Checking SMB Server Statistics

Command:

nmap -p 445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Retrieves performance statistics of the SMB server.

9. Enumerating SMB Domains

Command:

nmap -p 445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Lists domain names configured on the target SMB server.

10. Enumerating SMB Groups

Command:

nmap -p 445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Lists security groups and associated members.

11. Enumerating SMB Services

Command:

nmap -p 445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Extracts services running on the SMB server.

12. Listing Files in SMB Shares

Command:

nmap -p 445 --script "smb-enum-shares,smb-ls" --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

Explanation:

  • Combines enumeration of SMB shares with file listing inside them.
  • Useful for identifying exposed files and folders.

Summary

These Nmap SMB scripts help assess SMB security and enumerate users, shares, sessions, and potential vulnerabilities. Running them with valid credentials increases the depth of information gathered.
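
Triage of saved scan output, as an added example that is not part of the original notes: the Python below parses Nmap's normal-format script blocks for smb-protocols, smb-security-mode and smb-enum-shares and flags SMBv1, guest logon and listed administrative shares per host. The function names (parse, findings) and the sample text are constructed for illustration; the SMBv1 line uses the wording Nmap prints for that dialect.

```python
import re

# Constructed sample in Nmap's normal output format; addresses are documentation IPs.
SAMPLE = """\
Nmap scan report for 192.0.2.10
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.00
| smb-security-mode:
|_  account_used: guest
Nmap scan report for 192.0.2.20
| smb-enum-shares:
|   ADMIN$
|_  IPC$
"""

# Matches "ADMIN$" / "C$" alone or at the end of a UNC path, but not "IPC$".
ADMIN_SHARE = re.compile(r"(?:^|\\)(ADMIN\$|C\$):?$")

def parse(text):
    """Return {host: {script: [body lines]}} for the smb-* script blocks."""
    hosts, host, script = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            host, script = m.group(1), None
            hosts[host] = {}
        elif host and (m := re.match(r"\|[_ ](smb[\w-]+):", line)):
            script = m.group(1)
            hosts[host][script] = []
        elif host and script and line.startswith("|"):
            hosts[host][script].append(line[2:].strip())
    return hosts

def findings(hosts):
    """Flag SMBv1, guest logon and listed administrative shares per host."""
    out = []
    for host, s in hosts.items():
        if any("SMBv1" in d for d in s.get("smb-protocols", [])):
            out.append((host, "SMBv1 offered: disable the SMBv1 dialect"))
        if "account_used: guest" in s.get("smb-security-mode", []):
            out.append((host, "guest logon accepted: review guest access"))
        shares = [m.group(1) for x in s.get("smb-enum-shares", []) if (m := ADMIN_SHARE.search(x))]
        if shares:
            out.append((host, "administrative shares listed: " + ", ".join(shares)))
    return out

if __name__ == "__main__":
    print("\n".join(f"{h}: {msg}" for h, msg in findings(parse(SAMPLE))))
```

To use it on real results, save the scan with nmap's -oN option and pass the file contents to parse().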