Wednesday, December 25, 2024
Google search engine

SMB Enumeration

SMB( Server Message Block protocol) is a client-server communication protocol that is used for sharing access to files, devices, serial ports, and other resources on a network. SMB enumeration is a multipart process in which we enumerate the host or target system for different information like Hostnames, List shares, null sessions, checking for vulnerabilities, etc.

SMB Enumeration Stages: 

SMB Enumeration for Hostname

There are plenty of tools that can enumerate Hostname, here to demonstrate we are using nmblookup and nbtscan. Nmblookup tool makes use of queries of the NetBIOS names and maps them to their related IP addresses in a network.

1. Nmblookup:

$ nmblookup -A <Target IP>
nmblookup

 

Here, you can see that we have enumerated the hostname to CAJA.

2. Nbtscan:

$ nbtscan <target IP>
nbtscan

 

Here, you can see that we have enumerated the hostname to CAJA as the same as the above scan through nmblookup.

SMB Enumeration for Share and Null Session:

In this part, we are going to enumerate shares of the host or target system. We can perform this enumeration with many tools, for this article we are going to use smbmap, smbclient, Nmap, and Metasploit for different ways of performing this share enumeration.

1. Smbmap: Smbmap allows the attacker to enumerate samba share drives on the IP address. It also lists drive permissions and upload/download functionality.

$ smbmap -H <target IP>
smbmap

 

 Also, you can scan for specific user shares using the credentials by using the below command

$ smbmap -H <target IP> -u username -p password
 

2. smbclient: It is a samba-client, and it is useful to test connectivity to windows shares.

$ smbclient -L <target IP>
smbclient

 

3. Nmap:  Nmap provides smb-enum-shares NSE script which can be used to enumerate the shares.

$ nmap --script smb-enum-shares -p 139,445 <Target IP>
nmap

 

 Here is the result as you can see that we didn’t find any SMB share detail.

4. Metasploit:  In Metasploit, we are going to the smb_enumshares module that will enumerate any SMB share if present on the server.

msf6> use auxiliary/scanner/smb/smb_enumshares
msf6> auxiliary(scanner/smb/smb_enumshares) > set rhosts <target IP>
msf6> auxiliary(scanner/smb/smb_enumshares) > set smbuser <username>
msf6> auxiliary(scanner/smb/smb_enumshares) > set smbpass <password>
msf6> auxiliary(scanner/smb/smb_enumshares) > exploit

SMB Enumeration for Vulnerability Scanning:

 In this stage, we use Nmap’s script for scanning for vulnerabilities that could possibly be found on the server. We can use various tools for this stage but here we are going to look at Nmap’s NSE script.

Nmap’s smb-vuln NSE Script:

Nmap has a wide range of scripts for different purposes, here as an example we are going to look at smb-check-vulns. This script can scan targets for a wide range of vulnerabilities, for example:

  • a -3103
  • regsv-dos
  • ms06 -025
$ sudo nmap --script smb-vuln* -p 139,445 <Target IP>

Example:

nmap scan for SMB Vulnerability scanning

 

 Result here we scanned the target for the specific script, and we didn’t find any vulnerability as we can see in the scan.

SMB Enumeration by Enum4Linux:

 Enum4linux is a powerful tool that can detect and fetch data from both windows and Linux OS, also SMB hosts on the network.

$ enum4linux -U <target IP>

Example:

Enum4Linux

 

Result:

As we can see that it has enumerated all the user information that is present on the network.

Whether you’re preparing for your first job interview or aiming to upskill in this ever-evolving tech landscape, lazyroar Courses are your key to success. We provide top-quality content at affordable prices, all geared towards accelerating your growth in a time-bound manner. Join the millions we’ve already empowered, and we’re here to do the same for you. Don’t miss out – check it out now!

RELATED ARTICLES

Most Popular

Recent Comments