20. Nmap SMB Enumeration
The following Nmap commands leverage SMB (Server Message Block) protocol-related NSE scripts for gathering detailed information about a target system's SMB services. SMB is commonly used for file and printer sharing in Windows networks, making it a key focus during penetration testing.
1. SMB OS Discovery

Command:

```
nmap -p 445 --script smb-os-discovery <target-ip>
```

Explanation:

- `-p 445`: Specifies port 445, the default port for SMB.
- `--script smb-os-discovery`: Runs the smb-os-discovery script, which detects the operating system version, computer name, domain, and other SMB-related details.

Purpose:

- Identifies the OS and domain information of the target system.
- Useful for determining vulnerabilities based on the operating system.

Example Output:

```
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-os-discovery:
|   OS: Windows 10 Pro 1909 (Build 18363)
|   Computer name: Target-PC
|   NetBIOS domain name: WORKGROUP
|   FQDN: Target-PC.local
|_  System time: 2024-12-22T10:00:00+00:00
```
2. SMB Share Enumeration

Command:

```
nmap -p 445 --script smb-enum-shares <target-ip>
```

Explanation:

- `--script smb-enum-shares`: Runs the smb-enum-shares script to enumerate shared folders on the SMB server.

Purpose:

- Lists shared folders and their access permissions.
- Identifies publicly accessible shares or misconfigured permissions.

Example Output:

```
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-enum-shares:
|   ADMIN$:
|     Type: Disk
|     Comment: Remote Admin
|   C$:
|     Type: Disk
|     Comment: Default share
|   SharedFolder:
|     Type: Disk
|     Comment: Public share
|_    Accessible: READ/WRITE
```
3. SMB User Enumeration

Command:

```
nmap -p 445 --script smb-enum-users <target-ip>
```

Explanation:

- `--script smb-enum-users`: Runs the smb-enum-users script to enumerate user accounts on the SMB server.

Purpose:

- Identifies user accounts present on the target system.
- Useful for discovering usernames for further attacks (e.g., password guessing).

Example Output:

```
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-enum-users:
|   User: Administrator
|     Full Name: Built-in account for administering the computer/domain
|   User: Guest
|     Full Name: Built-in account for guest access to the computer/domain
|   User: JohnDoe
|_    Full Name: Regular user
```
4. SMB Protocol Enumeration

Command:

```
nmap -p 445 --script smb-protocols <target-ip>
```

Explanation:

- `--script smb-protocols`: Runs the smb-protocols script to enumerate the SMB protocol versions (dialects) supported by the server.

Purpose:

- Determines supported SMB protocol versions (e.g., SMBv1, SMBv2, SMBv3).
- Helps identify potential vulnerabilities (e.g., SMBv1 vulnerabilities like EternalBlue).

Example Output:

```
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-protocols:
|   SMBv1: Supported
|   SMBv2: Supported
|_  SMBv3: Supported
```
Comparison of Scripts

| Script | Purpose | Output |
|---|---|---|
| smb-os-discovery | Detects OS, hostname, and domain info. | OS version, computer name, NetBIOS name, domain, system time. |
| smb-enum-shares | Enumerates shared folders. | Lists shared directories and access permissions. |
| smb-enum-users | Enumerates user accounts. | Lists usernames and associated details. |
| smb-protocols | Identifies SMB protocol versions supported. | Supported SMB versions (e.g., SMBv1, SMBv2, SMBv3). |
Actionable Insights:

- OS Discovery:
  - Determine vulnerabilities relevant to the detected OS version.
  - Consider testing for EternalBlue if SMBv1 is enabled.
- Share Enumeration:
  - Investigate public shares for sensitive information or misconfigurations.
  - Test writeable shares for unauthorized access.
- User Enumeration:
  - Use discovered usernames for brute-force or password-guessing attacks (if authorized).
- Protocol Enumeration:
  - If SMBv1 is supported, consider it a high-priority vulnerability to exploit or recommend patching.
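The insights above are easier to act on when the script output is parsed rather than read by eye, especially across many hosts. The following is an added example (not part of the original page or of Nmap) that parses the `| script-name:` blocks of Nmap's normal output into nested dictionaries and then applies the share-enumeration and protocol-enumeration checks: SMBv1 support is reported as a high-priority finding, and any share whose `Accessible` field allows writing is flagged for ACL review. The sample report is constructed from the example outputs in sections 1, 2 and 4 above (smb-enum-users is omitted because its repeated `User:` keys need a list, not a dictionary); the severity labels are this example's own convention.

```python
"""Parse NSE script sections from Nmap normal output and prioritise SMB findings.

Added example; not part of the original page or of Nmap itself.
"""
import re
from typing import Dict, List

# Constructed sample report, assembled from the page's example outputs above.
SAMPLE_REPORT = """\
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-os-discovery:
|   OS: Windows 10 Pro 1909 (Build 18363)
|   Computer name: Target-PC
|   NetBIOS domain name: WORKGROUP
|   FQDN: Target-PC.local
|_  System time: 2024-12-22T10:00:00+00:00
| smb-enum-shares:
|   ADMIN$:
|     Type: Disk
|     Comment: Remote Admin
|   C$:
|     Type: Disk
|     Comment: Default share
|   SharedFolder:
|     Type: Disk
|     Comment: Public share
|_    Accessible: READ/WRITE
| smb-protocols:
|   SMBv1: Supported
|   SMBv2: Supported
|_  SMBv3: Supported
"""

# A script line is "|" followed by indentation, a key, a colon and an optional value.
FIELD_LINE = re.compile(r"^\|( *)([^:]+):\s*(.*)$")


def parse_nse_output(report: str) -> Dict[str, Dict]:
    """Return {script_name: {key: value_or_nested_dict}} for each '| script:' block.

    Nesting is inferred from the number of spaces after the leading '|'; a key
    with no value opens a nested section (a script block or a share name).
    """
    scripts: Dict[str, Dict] = {}
    stack: List = []  # (indent, container) from the script block down to the current nesting
    for raw in report.splitlines():
        if not raw.startswith("|"):
            continue  # port table, headers, blank lines
        # "|_" marks the last line of a block; treat it like a normal "| " line.
        line = "| " + raw[2:] if raw.startswith("|_") else raw
        m = FIELD_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # this line belongs to a shallower section
        parent = stack[-1][1] if stack else scripts
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return scripts


def smb_findings(scripts: Dict[str, Dict]) -> List[str]:
    """Turn parsed script output into prioritised findings (labels are this example's own)."""
    findings: List[str] = []
    os_info = scripts.get("smb-os-discovery", {})
    if "OS" in os_info:
        findings.append(
            f"INFO: host reports OS '{os_info['OS']}' "
            f"(computer name {os_info.get('Computer name', 'unknown')})"
        )
    protocols = scripts.get("smb-protocols", {})
    if protocols.get("SMBv1", "").lower() == "supported":
        findings.append(
            "HIGH: SMBv1 is supported; disable it or patch, as EternalBlue targets SMBv1"
        )
    for name, props in scripts.get("smb-enum-shares", {}).items():
        if isinstance(props, dict) and "WRITE" in props.get("Accessible", "").upper():
            findings.append(
                f"MEDIUM: share '{name}' is writable ({props['Accessible']}); review its ACL"
            )
    return findings


if __name__ == "__main__":
    for finding in smb_findings(parse_nse_output(SAMPLE_REPORT)):
        print(finding)
```

To use it on a real scan, save Nmap's normal output with `-oN report.txt` and pass the file's contents to `parse_nse_output`; the indentation-driven parser handles any NSE script that prints key/value lines, so other SMB scripts can be added to `smb_findings` without changing the parser.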
Ethical Considerations:
- Ensure you have permission to scan the target system.
- Avoid accessing or modifying shared files without explicit authorization.
These scripts are powerful tools for SMB enumeration during penetration tests and provide critical insights into the target's configuration and potential weaknesses.