Introduction
SMB (Server Message Block) is a widely used file-sharing protocol in Windows and Linux environments. While it enables seamless file and printer sharing, misconfigured SMB services can expose sensitive data, leading to serious security risks. That’s why SMB enumeration is a critical step in penetration testing, allowing ethical hackers to gather valuable system, user, and file-sharing information.
In this guide, we’ll explore SMB enumeration techniques, the best tools to use, and practical commands to help you extract sensitive details from SMB services. For demonstration purposes, we are using the Network Services room from TryHackMe – https://tryhackme.com/room/networkservices
What Is SMB Enumeration?
SMB operates on TCP ports 139 and 445 and is widely used for file sharing, network browsing, and inter-process communication. When misconfigured, it can allow unauthorized access to shared files and sensitive system information.
By performing SMB enumeration, we can extract:
– Available shared folders
– Usernames and groups
– System information (OS version, domain details)
– Permissions and misconfigurations
Best Tools for SMB Enumeration
There are several tools that make SMB enumeration easy:
– Nmap – Scans SMB services and detects vulnerabilities
– Enum4Linux – Gathers SMB and NetBIOS info (great for Linux users)
– SMBClient – Accesses SMB shares directly from the command line
– Metasploit – Automates SMB-related pentesting
Scanning SMB with Nmap
One of the fastest ways to gather SMB-related info is with Nmap. The following command checks for SMB services, shared folders, and users by running three NSE scripts against ports 139 and 445:
– smb-os-discovery → Identifies the OS and SMB version
– smb-enum-shares → Lists accessible shared folders
– smb-enum-users → Extracts usernames from SMB
nmap -p 139,445 --script=smb-os-discovery,smb-enum-shares,smb-enum-users 10.10.X.X

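The next command tests for known SMB vulnerabilities like EternalBlue (MS17-010). The script pattern is quoted so the shell does not expand the wildcard before Nmap sees it:
nmap 10.10.X.X --script "smb-vuln*" -p 139,445 -Pn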
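For the report and for remediation, the share listing printed by smb-enum-shares can be reduced to the shares that grant access without credentials. The parser below is an added example, not part of the original guide; the sample output is constructed (the 10.10.0.5 address and the field values are made up), and the function names are assumptions of this example.

```python
import re

# Constructed sample in the layout smb-enum-shares prints; values are made up.
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.0.5\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|   \\10.10.0.5\print$:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|   \\10.10.0.5\profiles:
|     Type: STYPE_DISKTREE
|     Comment: Users profiles
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# A share header is a UNC path ending in ':'; its fields follow as "Key: value".
SHARE_RE = re.compile(r"^\|[ _]+(\\\\[^\\]+\\.+?):\s*$")
FIELD_RE = re.compile(r"^\|[ _]+([A-Za-z ]+?):\s*(.*)$")


def parse_shares(text):
    """Return {unc_path: {field: value}} from smb-enum-shares output."""
    shares, current = {}, None
    for line in text.splitlines():
        if m := SHARE_RE.match(line):
            current = shares.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return shares


def anonymous_findings(shares):
    """Shares that grant any access without credentials, writable ones first."""
    findings = []
    for path, fields in shares.items():
        access = fields.get("Anonymous access", "<none>").upper()
        if "READ" in access or "WRITE" in access:
            findings.append({"share": path, "type": fields.get("Type", "?"),
                             "access": access, "writable": "WRITE" in access})
    return sorted(findings, key=lambda f: (not f["writable"], f["share"]))


if __name__ == "__main__":
    for f in anonymous_findings(parse_shares(SAMPLE)):
        print(f"{f['share']}  {f['type']}  anonymous={f['access']}")
```

Each share this reports should either require authentication or be recorded as an accepted exception.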

Extracting SMB Information with Enum4Linux
Enum4Linux is a great tool for extracting usernames, shared resources, and domain info from SMB. The -a option runs all of its simple enumeration checks and gathers available shared folders, guest access permissions, user and group details, and domain information:
enum4linux -a 10.10.X.X

Tip: Always try default credentials in penetration testing!
Checking for Open SMB Shares with SMBClient
Sometimes, misconfigured shares allow anonymous access. You can check for open shares using smbclient:
smbclient -L 10.10.X.X -U anonymous
Lists all publicly accessible SMB shares

Accessing an SMB share
smbclient //10.10.X.X/profiles -U anonymous

Tip: If you find sensitive files, document the findings for your pentest report.
Advanced SMB Enumeration Using Metasploit
Metasploit automates SMB enumeration and helps identify security flaws.
Extracting SMB Version
use auxiliary/scanner/smb/smb_version
set RHOSTS 10.10.X.X
run
Displays SMB version and OS details

Enumerating SMB Shares
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS 10.10.X.X
run
Lists available shared folders

Extracting Usernames
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 10.10.X.X
run
Retrieves usernames from the SMB service

Conclusion
SMB enumeration is a crucial part of penetration testing. Using tools like Nmap, Enum4Linux, SMBClient, and Metasploit, we can extract valuable system and user information. If misconfigurations exist, SMB can be exploited for privilege escalation or remote code execution.