05. SMB Samba Part 2

Nmap scripts, rpcclient, enum4linux, and Metasploit commands to enumerate SMB services, users, shares, and security configurations.


1. Detecting SMB Version

Command:

nmap <IP Address> -p 445 -sV

Explanation:

  • Scans port 445 (SMB) and detects the version of the running SMB service.
  • -sV enables service version detection.

Example Output:

PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds  Windows 10 Pro 1909

Real-World Use Case:

  • Helps identify outdated SMB versions susceptible to vulnerabilities like EternalBlue.

2. Enumerating SMB Server Information Using RPCClient

Command:

rpcclient -U "" -N <IP Address>

Explanation:

  • Connects to the target SMB service without authentication (a null session): -U "" supplies an empty username and -N skips the password prompt.

Running srvinfo to Get System Details:

srvinfo
exit

Example Output:

Domain Name: WORKGROUP
OS: Windows Server 2016 Standard 14393

Real-World Use Case:

  • Determines the operating system and domain information for reconnaissance.

3. Enumerating SMB Using Enum4linux

Command:

enum4linux -o <IP Address>

Explanation:

  • enum4linux enumerates SMB services, including users, shares, and domain policies; the -o option used here requests operating system information.

Real-World Use Case:

  • Used for gathering information about users, groups, and shared folders.

4. Listing SMB Shares Using SMBClient

Command:

smbclient -L <IP Address> -N

Explanation:

  • Lists available SMB shares on the target.
  • -N suppresses the password prompt.

Example Output:

Sharename       Type
ADMIN$          Disk
C$              Disk
IPC$            IPC

Real-World Use Case:

  • Identifies accessible shared folders that may contain sensitive data.

5. Checking SMB Protocol Versions

Command:

nmap <IP Address> -p 445 --script smb-protocols

Explanation:

  • Detects SMB versions supported by the target (SMBv1, SMBv2, SMBv3).
  • SMBv1 is vulnerable to exploits like EternalBlue (MS17-010).

6. Scanning SMBv2 Support with Metasploit

Commands:

msfconsole
use auxiliary/scanner/smb/smb_version
set RHOSTS <IP Address>
run

Explanation:

  • Determines if the target supports SMBv2, which is more secure than SMBv1.

Real-World Use Case:

  • Helps detect outdated SMB protocols that could be exploited.

7. Enumerating SMB Users

Command:

nmap <IP Address> -p 445 --script smb-enum-users

Explanation:

  • Retrieves a list of users configured on the SMB server.

Example Output:

| smb-enum-users:
|   Users:
|     Administrator
|     Guest

Real-World Use Case:

  • Helps in identifying user accounts that could be targeted in brute-force attacks.

8. Enumerating Users with Enum4linux

Command:

enum4linux -U <IP Address>

Explanation:

  • Extracts user details from the SMB server.

Real-World Use Case:

  • Useful for identifying weak user accounts and permissions.

9. Enumerating Domain Users with RPCClient

Command:

rpcclient -U "" -N <IP Address>

Explanation:

  • Connects to the target SMB service without authentication (a null session): -U "" supplies an empty username and -N skips the password prompt.

Running enumdomusers to Get User List:

enumdomusers

Running lookupnames to Identify Specific Users:

lookupnames admin

Example Output:

User: admin (RID: 500)

Real-World Use Case:

  • Identifies domain users and privileged accounts for further exploitation.

Summary

These Nmap, Metasploit, and SMB-related commands provide valuable insights into SMB security, misconfigurations, and potential attack vectors. Properly securing SMB services can help prevent unauthorized access, data leaks, and network intrusions.

Mitigation Strategies:

  1. Disable SMBv1 – Prevents exploitation via known vulnerabilities.
  2. Restrict Anonymous Access – Ensures only authenticated users can access SMB shares.
  3. Use Strong Credentials – Protects against brute-force attacks.
  4. Enable SMB Signing and Encryption – Prevents Man-in-the-Middle (MITM) attacks.
  5. Monitor SMB Logs – Detects suspicious activity in real time.
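
Mitigations 1, 2 and 4 can be checked directly on a Samba server by auditing its smb.conf. The script below is an added example, not part of the original notes: the parameter names are Samba's own, while the finding ids, the policy thresholds and both sample configurations are assumptions made for illustration.

```python
import re

LEGACY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # pre-SMB2 dialects
TRUE, ENFORCED = {"yes", "true", "on", "1"}, {"mandatory", "required"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names and values lower-cased."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip().lower()
    return conf

def audit(text):
    """Return sorted finding ids for mitigations 1, 2 and 4 listed above."""
    conf = parse_smb_conf(text)
    g, found = conf.get("global", {}), set()
    # 1. SMBv1. Assumed policy: an unset floor is flagged too, so it gets pinned.
    floor = g.get("server min protocol")
    if floor is None or floor.upper() in LEGACY:
        found.add("smb1-not-excluded")
    # 2. Anonymous access: null sessions, guest mapping, guest-readable shares.
    if g.get("restrict anonymous", "0") == "0":
        found.add("anonymous-enumeration")
    if g.get("map to guest", "never") != "never":
        found.add("guest-mapping")
    for name, params in conf.items():
        if params.get("guest ok", params.get("public", "no")) in TRUE:
            found.add("guest-share:" + name)
    # 4. Signing and encryption, read from [global] only.
    if g.get("server signing", "default") not in ENFORCED:
        found.add("signing-not-required")
    if g.get("smb encrypt", "default") not in ENFORCED | {"desired"}:
        found.add("encryption-off")
    return sorted(found)

# Constructed sample configurations, not taken from a real host.
WEAK = ("[global]\nserver min protocol = NT1\nmap to guest = Bad User\n"
        "server signing = auto\n[public]\npath = /srv/public\nguest ok = yes\n")
HARDENED = ("[global]\nserver min protocol = SMB2_10\nrestrict anonymous = 2\n"
            "server signing = mandatory\nsmb encrypt = required\n"
            "[projects]\npath = /srv/projects\nguest ok = no\n")
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

An empty result for a configuration means none of the weak settings behind sections 2, 4, 5 and 9 above were found in it.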