06. SMB Samba Part 3

1. Nmap SMB Enumeration

Command:

nmap <IP Address> -p 445 --script smb-enum-shares

Explanation:

  • -p 445 specifies the SMB port (445).
  • --script smb-enum-shares runs the Nmap script to enumerate SMB shares.
  • This command helps identify shared folders on the target system.

Example:

nmap 192.168.1.10 -p 445 --script smb-enum-shares

2. Metasploit SMB Share Enumeration

Commands:

msfconsole
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS <IP Address>
run

Explanation:

  • This Metasploit module scans for SMB shares on a target system.
  • RHOSTS specifies the target IP.
  • Running this module provides a list of accessible SMB shares.

Example:

msfconsole
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS 192.168.1.10
run

3. Enum4linux Share Enumeration

Command:

enum4linux -S <IP Address>

Explanation:

  • The -S flag lists SMB shares.
  • Provides information about the shared resources the server exposes to the session (anonymous by default, since no -u/-p credentials are given).

Example:

enum4linux -S 192.168.1.10

4. Listing SMB Shares Using SMBClient

Command:

smbclient -L <IP Address> -N

Explanation:

  • -L lists the shares the SMB server advertises.
  • -N suppresses the password prompt, so the listing is attempted as a null (anonymous) session.

Example:

smbclient -L 192.168.1.10 -N
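The share-listing commands in sections 1 through 4 all produce the same kind of result: a table of share names visible to an unauthenticated client. When auditing many hosts it is useful to parse that table and flag the disk shares that should not be visible anonymously. The following Python parser is an added example (not part of the original notes or of the smbclient project); the smbclient output it parses is constructed to follow smbclient's share-table layout, and the built-in share names and the "Backups" share are assumptions for the sake of illustration.

```python
"""Parse `smbclient -L <host> -N` output and flag disk shares that are
listed to an unauthenticated (null-session) client.  Added audit helper,
not part of smbclient; sample output below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of `smbclient -L 192.168.1.10 -N` output for a host
# that still permits anonymous share listing (layout follows smbclient's
# share table: name, type, comment).
SAMPLE_OUTPUT = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tPublic          Disk      Public files
\tBackups         Disk      Nightly backups
\tprint$          Disk      Printer Drivers
\tIPC$            IPC       IPC Service (Samba 4.15.13-Ubuntu)
SMB1 disabled -- no workgroup available
"""

# Constructed sample for a host that rejects null sessions: no table at all,
# which is the result a hardened server should produce.
SAMPLE_DENIED = "session setup failed: NT_STATUS_ACCESS_DENIED\n"


@dataclass(frozen=True)
class Share:
    name: str
    kind: str      # Disk, IPC, Printer or Device
    comment: str


# Shares Samba creates for its own use; their presence is expected.
BUILTIN_SHARES = {"IPC$", "print$"}

# One table row: indentation, share name (no spaces), type, optional comment.
_ROW = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer|Device)\s*(.*)$")


def parse_share_list(output: str) -> list[Share]:
    """Return the shares from smbclient -L output.

    Parsing starts after the dashed header row and stops at the first blank
    or non-indented line, where smbclient prints the workgroup/server tables
    or its SMB1 notice.  Output without a table (connection refused, access
    denied) yields an empty list.
    """
    shares: list[Share] = []
    in_table = False
    for line in output.splitlines():
        if not in_table:
            if line.strip().startswith("---------"):
                in_table = True
            continue
        if not line.strip() or not line[0].isspace():
            break
        m = _ROW.match(line)
        if m:
            shares.append(Share(m.group(1), m.group(2), m.group(3).strip()))
    return shares


def anonymous_disk_shares(output: str) -> list[str]:
    """Names of Disk shares an anonymous client can see, minus Samba built-ins.

    Every name returned is an audit finding: either the share is meant to be
    public, or the server's guest/anonymous settings need review.
    """
    return [s.name for s in parse_share_list(output)
            if s.kind == "Disk" and s.name not in BUILTIN_SHARES]


if __name__ == "__main__":
    for label, text in (("open host", SAMPLE_OUTPUT), ("hardened host", SAMPLE_DENIED)):
        print(f"{label}: anonymously visible disk shares = {anonymous_disk_shares(text)}")
```

Feed the parser the captured stdout of `smbclient -L <IP> -N` for each host in scope; an empty result on a host that is reachable on 445 means null-session listing is blocked, which is the state to aim for on anything that is not deliberately a public file server.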

5. Enumerating SMB Groups Using Enum4linux

Command:

enum4linux -G <IP Address>

Explanation:

  • The -G flag enumerates groups and their members on the SMB server.
  • Helps identify group memberships, which can be useful for privilege escalation.

Example:

enum4linux -G 192.168.1.10

6. Enumerating Domain Groups Using RPCClient

Commands:

rpcclient -U "" -N <IP Address>
enumdomgroups

Explanation:

  • rpcclient connects to the SMB server and interacts with its MS-RPC services over named pipes.
  • -U "" -N means an empty username and no password are used, i.e. a null session.
  • enumdomgroups lists the domain groups known to the server.

Example:

rpcclient -U "" -N 192.168.1.10
enumdomgroups

7. Comprehensive SMB Enumeration Using Enum4linux

Command:

enum4linux -a <IP Address>

Explanation:

  • The -a flag runs all of enum4linux's simple enumeration (it is shorthand for -U -S -G -P -r -o -n -i).
  • Retrieves user lists, share lists, group information, password policy, OS information, printer information, etc.
  • (The -i flag on its own only retrieves printer information.)

Example:

enum4linux -a 192.168.1.10

8. Accessing a Public SMB Share Using SMBClient

Command:

smbclient //<IP Address>/Public -N

Explanation:

  • Connects to a publicly accessible SMB share named "Public".
  • -N suppresses the password prompt, so the connection is made as an anonymous/guest session.
  • Useful for accessing shared files without credentials.

Example:

smbclient //192.168.1.10/Public -N
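Sections 4, 6 and 8 all succeed only because the Samba server accepts anonymous sessions and maps them to a guest account. The smb.conf fragment below is an added example (not from the original notes or the Samba project's documentation) showing the server-side settings that decide this, with the weak value recorded in a comment beside each corrected one. The share path, group name and workgroup are assumptions.

```ini
# Added hardening example for Samba's smb.conf; paths and names are assumed.
[global]
   workgroup = WORKGROUP
   # Weak: "map to guest = Bad User" turns unknown usernames (including the
   # empty one sent by `-U "" -N`) into guest sessions.
   map to guest = Never
   # Weak: "restrict anonymous = 0" (the default) lets anonymous clients
   # open IPC$ and enumerate shares, users and groups via RPC.
   # Note: level 2 also blocks anonymous IPC$ access, which some older
   # Windows clients rely on for browsing.
   restrict anonymous = 2
   # Refuse SMB1 so the SMB1-only enumeration paths are unavailable.
   server min protocol = SMB2_02

[Public]
   path = /srv/samba/public
   # Weak: "guest ok = yes" makes the share readable without credentials.
   guest ok = no
   # Only members of the (assumed) fileshare-users group may connect.
   valid users = @fileshare-users
   read only = yes
   browseable = yes
```

After changing the file, validate it with `testparm -s` and reload Samba; re-running `smbclient -L <IP> -N`, `rpcclient -U "" -N <IP>` and `smbclient //<IP>/Public -N` from the sections above should now fail with NT_STATUS_ACCESS_DENIED rather than returning a share or group list, which is the quickest confirmation that the anonymous paths are closed.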

These commands help identify SMB vulnerabilities, unauthorized access points, and misconfigurations in SMB shares, which is useful for penetration testing and security auditing.