SMB

SMBclient - Connecting to the Share

smbclient -N -L //10.10.10.10

Lists all the available SMB shares on the target machine without providing a password (-N).

smbclient //10.10.10.10/sharename

Connects directly to a specific share (replace sharename with the actual share name you found).

---

Download Files from SMB

get filename

Downloads a single file from the SMB share to your local machine.

mget dog*

Downloads multiple files at once that match the pattern — here, any file starting with “dog.” This is a quick way to grab many files.

---

Nmap Scan

sudo nmap 10.10.10.10 -sV -sC -p139,445

Scans the target for SMB services on ports 139 and 445, running default scripts (-sC) and service version detection (-sV).

---

Enumerating SMB

Rpc Client

rpcclient -U "" 10.10.10.10

Connects to the RPC service over SMB with an empty username. This lets you run RPC commands to gather information about users, groups, and policies.

Authentication & Info

• srvinfo → Show OS version, server version, and platform info. Example: rpcclient $> srvinfo

• enumdomains → List domains the server is part of.

• lsaquery → Get domain and server name.

Shares & Paths

• netshareenumall → Enumerate all shares (lists name, remark, path).

• netsharegetinfo → Details about a specific share (path, remark, permissions).

Users & Groups

• enumdomusers → List all domain users.

• enumdomgroups → List all domain groups.

• enumalsgroups domain → List all aliases in the domain (local groups).

• queryuser → Get detailed info about a user (e.g., last logon, full name).

• querygroup → Get detailed info about a group.

SIDs & RIDs

• lookupsids → Resolve a SID to a name.

• lookuprids → Translate RIDs to names.

• lsaenumsid → Enumerate SIDs on the system.

Password Policies

• getdompwinfo → Get domain password policy (min length, history, etc.).

• querydominfo → Domain info, including password reset and lockout policy.

Other Handy Commands

• lsaenumsid → Enumerate Security Identifiers (SIDs).

• lsaquerytargetinfo → Get target computer info (NetBIOS, DNS, etc.).

• lsaenumtrustdom → Enumerate trusted domains.

Pro Tips

Always start with:

• srvinfo

• enumdomains

• netshareenumall

Then dig deeper into users:

• enumdomusers

• queryuser <RID>

If you find a domain SID:

• lookupsids <SID>

---

Brute forcing users RID’s

for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

This loops through a range of RIDs (Relative Identifiers) to try and enumerate user accounts. It prints usernames and IDs if found.

---

Impacket - Samrdump.py

samrdump.py 10.10.10.10

Uses Impacket’s tool to dump information about users and groups from the SAMR service on the target system.

---

SMBmap

smbmap -H 10.10.10.10

Maps out the accessible shares and permissions. This shows what you can read, write, or access on each share.

---

NXC (CrackMapExec)

crackmapexec smb 10.10.10.10 --shares -u '' -p ''

nxc smb 10.10.10.10 --shares -u '' -p ''

A powerful tool to enumerate SMB shares. The empty username (-u '') and password (-p '') test for null sessions.

---

Enum4Linux-ng - Installation

git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt

Installs Enum4Linux-ng, a modern rework of the classic Enum4Linux tool.

./enum4linux-ng.py 10.10.10.10 -A

Runs all available enumeration modules (-A) against the target SMB host.

---

Documentation

• SMBclient: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

• Nmap: https://nmap.org/book/man.html

• Rpcclient: https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html

• Impacket: https://github.com/fortra/impacket

• SMBmap: https://github.com/ShawnDEvans/smbmap

• NetExec (CrackMapExec): https://www.netexec.wiki/

• Enum4Linux-ng: https://github.com/cddmp/enum4linux-ng