A Little Guide to SMB Enumeration
Enumeration is an essential phase of penetration testing: once a pentester has established an active connection with the target, they try to retrieve as much information about the target machine as possible, since it may be useful for further exploitation.
In this article we explore SMB enumeration using only the command-line tools built into Kali Linux.
Table of Contents
- Nmblookup
- nbtscan
- SMBMap
- Smbclient
- Rpcclient
- Nmap
- Enum4linux
nmblookup
nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.
nmblookup -A 192.168.1.103
nmblookup is a helpful command for enumerating the domain/workstation name and the MAC address. Each NetBIOS name carries a one-byte suffix that identifies the service registered under that name, as listed below:
For unique names:
00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser – Primary Domain Controller for a domain
1D: Master Browser
For group names:
00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections
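The suffix table above is easier to apply when the lookup output is annotated automatically. The following POSIX shell script is an added example, not code from the article: it reads the status lines that nmblookup -A prints, extracts the two-digit suffix and whether the name is a group name, and prints the matching service from the table. The nmblookup output it parses is a constructed sample, not a capture from a real host, and the MAC address in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: annotate "nmblookup -A <ip>" output
# with the meaning of each NetBIOS suffix from the table above.

# Map a two-digit hex suffix and its scope (unique or group) to the service it
# advertises. Suffixes outside the table above are reported as unknown.
netbios_suffix() {
    sfx=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    case "$2:$sfx" in
        unique:00) echo "Workstation Service (workstation name)" ;;
        unique:03) echo "Windows Messenger service" ;;
        unique:06) echo "Remote Access Service" ;;
        unique:20) echo "File Service (Host Record)" ;;
        unique:21) echo "Remote Access Service client" ;;
        unique:1B) echo "Domain Master Browser (PDC)" ;;
        unique:1D) echo "Master Browser" ;;
        group:00)  echo "Workstation Service (workgroup/domain name)" ;;
        group:1C)  echo "Domain Controllers for a domain" ;;
        group:1E)  echo "Browser Service Elections" ;;
        *)         echo "unknown suffix" ;;
    esac
}

# Read nmblookup status lines ("NAME <20> - B <ACTIVE>" or
# "NAME <00> - <GROUP> B <ACTIVE>") on stdin and print
# "name suffix scope description" for each; other lines are skipped.
decode_nmblookup() {
    while read -r line; do
        case "$line" in
            *'<'[0-9A-Fa-f][0-9A-Fa-f]'>'*) ;;
            *) continue ;;
        esac
        name=${line%% *}
        sfx=$(printf '%s\n' "$line" | sed -n 's/.*<\([0-9A-Fa-f][0-9A-Fa-f]\)>.*/\1/p')
        case "$line" in
            *'<GROUP>'*) scope=group ;;
            *) scope=unique ;;
        esac
        printf '%-16s %s %-6s %s\n' "$name" "$sfx" "$scope" "$(netbios_suffix "$sfx" "$scope")"
    done
}

# Constructed sample of "nmblookup -A 192.168.1.103" output (not a real
# capture; the MAC address is a placeholder).
sample_nmblookup='Looking up status of 192.168.1.103
        WIN-TARGET      <00> -         B <ACTIVE>
        WIN-TARGET      <20> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        WORKGROUP       <1E> - <GROUP> B <ACTIVE>
        WORKGROUP       <1D> -         B <ACTIVE>

        MAC Address = AA-BB-CC-DD-EE-FF'

# Live use would be: nmblookup -A 192.168.1.103 | decode_nmblookup
printf '%s\n' "$sample_nmblookup" | decode_nmblookup
```

The <20> entry is the one that matters most for share hunting: it marks the host as running the File Service, so it is the name to feed into smbclient or smbmap next, while the <1D> and <1E> entries only tell you which machine is winning browser elections for the workgroup.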
nbtscan
nbtscan is a command-line utility that scans for NetBIOS name servers on a local or remote TCP/IP network; it is a first step in finding open shares. It is modelled on the standard Windows tool "nbtstat", but works on a whole subnet instead of a single IP.
nbtscan 192.168.1.1/24
As you can observe, it has dumped almost the same result as above, but the important difference is that it enumerates the whole subnet.
SMBMap
SMBMap allows users to enumerate Samba share drives across an entire domain: it lists share drives, drive permissions and share contents, supports upload/download, file-name pattern matching with automatic download, and can even execute remote commands. This tool was designed with pen testing in mind and is intended to simplify searching for potentially sensitive data across large networks.
smbmap -H 192.168.1.102
smbmap -H 192.168.1.102 -d metasploitable -u msfadmin -p msfadmin
As you can observe, this tool not only lists the shares but also shows their permissions. If you look at the second command, you will notice that it has shown the permissions for the user "msfadmin".
Smbclient
smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the FTP program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
smbclient -L 192.168.1.102
smbclient //192.168.1.102/tmp
As you can observe, with the help of smbclient we are able to view the shared folders of the victim's machine. Moreover, we can use smbclient to transfer files over the network: here we logged in successfully using an anonymous login and transferred the user.txt file.
Rpcclient
rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.
We can use rpcclient to open an SMB session to a target machine by running the command below on our system; here we used a NULL session, since we supplied an empty username ("") and no password (-N).
rpcclient -U "" -N 192.168.1.102
enumdomusers
Next we ran the enumdomusers command, and you can see the usernames as well as their RIDs (the last component of their SIDs) in hexadecimal form.
We can then use the queryuser command to retrieve all kinds of information about an individual user, identified solely by the user's RID in hex form; here RID 0x3e8 denotes the root user account.
queryuser 0x3e8
Note that the output shows the last logon time for the user root as well as the "Password last set Time". Such details are very valuable to penetration testers, and all of this was obtained without an admin username and password.
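Reading RIDs off the rpcclient prompt by hand does not scale once enumdomusers returns dozens of accounts. The POSIX shell script below is an added example, not code from the article: it parses the "user:[name] rid:[0x...]" lines that enumdomusers prints, converts each RID to decimal, and generates the one-shot rpcclient invocation (using the real -c option, which runs a single command and exits) that would run queryuser for each RID over the same null session. The enumdomusers output it parses is a constructed sample; only the root/0x3e8 pair comes from the article.

```shell
#!/bin/sh
# Added example, not from the article: turn "enumdomusers" output from an
# rpcclient null session into a table of users with decimal RIDs, and build
# the one-shot "queryuser" commands for each RID.

# Read "user:[name] rid:[0xNNN]" lines on stdin; print "name 0xNNN decimal".
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9A-Fa-f]*\)\].*/\1 \2/p' |
    while read -r name rid_hex; do
        # Shell arithmetic accepts the 0x prefix, so this converts to decimal.
        printf '%s %s %d\n' "$name" "$rid_hex" "$((rid_hex))"
    done
}

# For every user on stdin, print the rpcclient command that would query it
# over the same null session as in the article. Nothing is executed here.
queryuser_commands() {
    target=$1
    parse_enumdomusers | while read -r name rid_hex rid_dec; do
        printf 'rpcclient -U "" -N %s -c "queryuser %s"   # %s (RID %s)\n' \
            "$target" "$rid_hex" "$name" "$rid_dec"
    done
}

# Constructed sample of enumdomusers output (not a real capture). The
# root/0x3e8 pair is the one shown in the article; the others are made up.
sample_enumdomusers='user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[root] rid:[0x3e8]
user:[msfadmin] rid:[0xbb8]'

# Live use would be:
#   rpcclient -U "" -N 192.168.1.102 -c enumdomusers | parse_enumdomusers
printf '%s\n' "$sample_enumdomusers" | parse_enumdomusers
printf '%s\n' "$sample_enumdomusers" | queryuser_commands 192.168.1.102
```

From the defender's side, the same null session that makes this listing possible is the thing to close: on Samba, "restrict anonymous" and a non-guest "map to guest" setting stop unauthenticated enumdomusers and queryuser, and a sudden burst of queryuser calls for consecutive RIDs from one client is a recognisable pattern in the server's logs.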
Nmap
The following Nmap script attempts to detect whether a Microsoft SMBv1 server is vulnerable to the remote code execution vulnerability ms17-010 (a.k.a. EternalBlue). The vulnerability has been actively exploited by the WannaCry and Petya ransomware and other malware.
nmap --script smb-vuln* -p 139,445 192.168.1.103
The script connects to the IPC$ tree, executes a transaction on FID 0 and checks whether the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine whether the target is unpatched against ms17-010. Additionally, it checks for known error codes returned by patched systems.
In the image below you can observe that it found the target machine vulnerable to ms17-010 over SMBv1.
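When the same smb-vuln* scan is pointed at a whole range rather than one host, the interesting result is the short list of hosts whose script output reached "State: VULNERABLE". The POSIX shell script below is an added example, not code from the article or from the Nmap project: it reduces Nmap's normal output to "host script" pairs by tracking the current "Nmap scan report for" host, the current "| smb-vuln-...:" script block, and the State line inside it. The Nmap output it parses is a constructed sample in Nmap's normal output layout, not a real scan.

```shell
#!/bin/sh
# Added example, not from the article: pull the hosts that an
# "nmap --script smb-vuln* -p 139,445 <range>" run flagged as vulnerable out
# of Nmap's normal output, so a subnet scan reduces to a short
# "host script" list. Output is read on stdin.
vulnerable_hosts() {
    awk '
        /^Nmap scan report for / { host = $5 }
        /^\|_? *smb-vuln[^:]*:/ {
            s = $0
            sub(/^\|_? */, "", s)   # drop the "| " or "|_" prefix
            sub(/:.*/, "", s)       # keep only the script name
            script = s
        }
        /State: VULNERABLE/ { print host, script }
    '
}

# Constructed sample of Nmap normal output for two hosts (not a real scan):
# the first is flagged by smb-vuln-ms17-010, the second is not flagged.
sample_nmap='Nmap scan report for 192.168.1.103
Host is up (0.00050s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
|_smb-vuln-ms10-054: false

Nmap scan report for 192.168.1.104
Host is up (0.00061s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false'

# Live use would be:
#   nmap --script smb-vuln* -p 139,445 192.168.1.0/24 | vulnerable_hosts
printf '%s\n' "$sample_nmap" | vulnerable_hosts
```

The resulting list is the remediation queue: each host on it still has SMBv1 enabled and the ms17-010 patch missing, and disabling SMBv1 removes the exposure even before patching.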
Enum4linux
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
Key features:
- RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
- User listing (When RestrictAnonymous is set to 0 on Windows 2000)
- Listing of group membership information
- Share enumeration
- Detecting if the host is in a workgroup or a domain
- Identifying the remote operating system
- Password policy retrieval
enum4linux -a 192.168.1.102
As you can observe, it has shown that the target belongs to a workgroup and has dumped the NetBIOS names along with their suffixes and much more information.
It also enumerates users along with their RIDs in hexadecimal form with the help of rpcclient. Hence enum4linux is a Swiss-army knife when it comes to enumeration, but it cannot identify SMB vulnerabilities the way Nmap can.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
Nice work, you helped me a lot, thanks
Cool write-up man
Hi, very good article, lots of info for me.
I'm running Kali enum4linux against Metasploitable and getting
[E] Server doesn’t allow session using username ”, password ”. aborting remainder of tests. nullinux doesn't work so well either. I've been all over Google trying to find out why this is. My teacher says enum4linux is funny.. and can't explain it. enum4linux is used in 3 different lessons and I need it to work. Thank you!
Great article man! Keep it up 👍
enum4linux is a great tool if the system allows a null session or if you already have a user and password. In fact, most of the information you can collect comes from rpcclient, smbmap and smbclient. So the important point is to understand the protocols and what you can collect from them.
Thanks a lot sir, really very informative.
Hello, kindly clear this doubt for me.
smbmap -H 192.168.1.102 -d metasploitable -u msfadmin -p msfadmin
For the above command, did you randomly guess the user 'msfadmin' or is this a default user?
It's the default parameter in Metasploitable for username and password.
Nice
thanks lol!!!!!!!!!