Listing shares
smbclient:smbclient -L <ip>
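As an added example that is not part of the original cheat sheet: a small Python parser for the share table that `smbclient -L` prints, which flags any share beyond the Windows defaults so an auditor can review what a host exposes. The sample output embedded in the block is constructed, not captured from a real host, and the default-share list is an assumption to adjust for your environment.

```python
"""Parse the share table printed by `smbclient -L <ip>` and flag shares that
are not Windows defaults. Added example; the sample output is constructed."""
import re

# Shares Windows creates on its own (assumed list; extend for your estate).
# Anything outside this set is worth a second look during a review.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "print$"}

# Constructed sample of `smbclient -L` output for a hypothetical host.
SAMPLE_OUTPUT = """\
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Backups         Disk      Nightly backups
	print$          Disk      Printer Drivers
SMB1 disabled -- no workgroup available
"""


def parse_shares(text):
    """Return (name, type, comment) tuples from smbclient -L output.

    The table starts at the 'Sharename' header and ends at the first blank
    or unindented line; columns are separated by runs of two or more spaces,
    so share names containing a single space are still handled.
    """
    shares = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Sharename"):
            in_table = True
            continue
        if not in_table:
            continue
        if stripped.startswith("---"):
            continue  # the dashed underline row
        if not stripped or not line[0].isspace():
            in_table = False  # blank or unindented text ends the table
            continue
        parts = re.split(r"\s{2,}", stripped, maxsplit=2)
        if len(parts) < 2:
            continue  # not a well-formed row
        name, share_type = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        shares.append((name, share_type, comment))
    return shares


def non_default_shares(shares):
    """Keep only shares whose name is not in DEFAULT_SHARES."""
    return [s for s in shares if s[0] not in DEFAULT_SHARES]


if __name__ == "__main__":
    found = parse_shares(SAMPLE_OUTPUT)
    for name, share_type, comment in non_default_shares(found):
        print(f"review: {name} ({share_type}) {comment}")
```

Feed it real output with `smbclient -L <ip> | python3 parse_shares.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the parser deliberately stops at the first unindented line so the workgroup and server sections that follow the share table are ignored.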
Connecting to a share
smbclient: smbclient //<ip>/<sharename>
If the username is unknown (try a null session)
smbclient: smbclient //<ip>/<sharename> -U ""
Scanning the network for NetBIOS info
nbtscan: nbtscan -r <ip>/24
More share enumeration
smbmap: smbmap -H <ip>
Recursively enumerating a share to a given depth
smbmap: smbmap -H <ip> -R --depth 5
Mounting a shared folder
mount: mount -t cifs -o username=,password= //<ip>/share /mnt/share
Getting more interesting info
crackmapexec: crackmapexec smb <ip>
Pulling the password policy
crackmapexec: crackmapexec smb <ip> --pass-pol
Getting a lot more info
enum4linux: enum4linux -a <ip>
enum4linux with creds: enum4linux -a [-u "" -p ""] <ip>
enum4linux-ng: enum4linux-ng -A [-u "" -p ""] <ip>
nmap scripts for SMB enumeration
nmap: nmap --script "safe or smb-enum-*" -p 445 <ip>
nmap, brute-forcing SMB user credentials
nmap: nmap --script smb-brute -p 445 <ip>
nmap, checking for well-known vulns
nmap: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse <ip>
nmap, checking for more vulns
nmap: nmap --script smb-vuln* -Pn -p 139,445 <ip>
Checking RPC info
rpcclient: rpcclient -U "" -N <ip> # no creds
TIP: inside rpcclient you can use querydispinfo and enumdomusers to query user information
rpcclient with an NT hash: rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash