SMB Enumeration

SMB enumeration is one of the most valuable steps in network pentesting, especially in Windows environments. SMB (Server Message Block) allows file sharing, printer sharing, authentication, and inter-system communication. Misconfigured SMB services often expose sensitive information such as shared folders, usernames, domain structure, policies, and even credentials. Effective SMB enumeration helps pentesters map internal networks, identify privilege escalation paths, and uncover weak security practices.

Understanding SMB

SMB operates mainly over ports 445 and 139. Modern systems use SMBv2 or SMBv3, while older systems may still run SMBv1. SMBv1 is especially dangerous due to vulnerabilities like EternalBlue. Enumerating SMB helps determine versions, shares, access permissions, domain information, and system roles.

Checking SMB Connectivity

Before deep enumeration, pentesters confirm SMB accessibility.

Basic Port Scan

nmap -p445,139 10.10.10.5

SMB Version Check

nmap --script smb-protocols -p445 10.10.10.5

This identifies which SMB versions the target supports.
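Added example (not part of the original page): a small POSIX shell helper that triages the output of the smb-protocols check above. It assumes the layout nmap's smb-protocols script prints (a "dialects:" block, each line prefixed with "|" and the last with "|_"), and the scan output it parses is a constructed sample, not a real result.

```sh
#!/bin/sh
# Triage of `nmap --script smb-protocols` output: flag SMBv1 and report the newest dialect.
# The sample below is constructed for this example, not a real scan result.
SAMPLE_SMB_PROTOCOLS='Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1'

# Print the dialects listed under "dialects:", one per line, with nmap's "|" / "|_" prefix removed.
smb_dialects() {
    awk '
        /dialects:/ { in_block = 1; next }
        in_block && /^[|]/ {
            line = $0
            sub(/^[|]_? */, "", line)
            print line
            if ($0 ~ /^[|]_/) exit   # the "|_" line is the last line of the script output
        }
    '
}

# True (exit 0) when the server still advertises SMBv1 (NT LM 0.12).
smb_v1_enabled() {
    smb_dialects | grep -q 'SMBv1'
}

# Newest numeric dialect offered, e.g. "3.1.1". The ceiling matters as much as the floor:
# 3.0 added transport encryption and 3.1.1 added pre-authentication integrity.
smb_highest_dialect() {
    smb_dialects | grep '^[0-9]' | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Human-readable findings for the scan output read from stdin.
smb_protocol_findings() {
    out=$(cat)
    if printf '%s\n' "$out" | smb_v1_enabled; then
        echo "FINDING: SMBv1 advertised - disable SMBv1 and confirm MS17-010 is patched"
    fi
    echo "highest dialect: $(printf '%s\n' "$out" | smb_highest_dialect)"
}

printf '%s\n' "$SAMPLE_SMB_PROTOCOLS" | smb_protocol_findings
```

Feed real scan output to smb_protocol_findings on stdin (for example, nmap -oN output piped through it) to get the same two-line summary per host.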

Enumerating SMB Shares

SMB shares often contain sensitive files, misconfigured permissions, or internal documentation.

Listing Available Shares (No Authentication)

smbclient -L //10.10.10.5/ -N

This attempts to list shares anonymously.

Listing Shares with Credentials

smbclient -L //10.10.10.5/ -U username

Once shares are visible, pentesters inspect them for misconfigurations.

Accessing a Share

smbclient //10.10.10.5/public -N

Pentesters review:

  • File contents

  • Directory structures

  • Hidden or old backups

  • Configuration files

  • Credential files

Misconfigured shares often expose critical data.
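Added example (not part of the original page): a POSIX shell helper that sorts an smbclient -L listing into Windows default shares and custom shares, then picks out the custom ones whose name or comment suggests backups, configuration or credentials, which the review checklist above says to open first. The listing is a constructed sample, not a real capture; the helper assumes smbclient's usual table layout (a dashed header line, then one indented row per share).

```sh
#!/bin/sh
# Triage of `smbclient -L` output: separate Windows default/administrative shares from custom
# shares that deserve a manual review. The listing below is constructed for this example
# (real smbclient output is tab-indented; the parser accepts any leading whitespace).
SAMPLE_SMBCLIENT_L='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        print$          Disk      Printer Drivers
        public          Disk      Anonymous drop folder
        backups         Disk      Old file server backups
Reconnecting with SMB1 for workgroup listing.
'

# Print "name<TAB>type<TAB>comment" for each row of the share table read from stdin.
smb_share_table() {
    awk '
        /^[ \t]*---------/ { in_table = 1; next }   # dashed line ends the header
        in_table {
            if (NF < 2 || $0 !~ /^[ \t]/) exit      # blank or unindented line ends the table
            comment = ""
            for (i = 3; i <= NF; i++) comment = comment (i > 3 ? " " : "") $i
            print $1 "\t" $2 "\t" comment
        }
    '
}

# Disk shares that are neither the standard admin shares nor drive-letter shares (C$, D$, ...).
# Output: "name<TAB>comment".
smb_custom_disk_shares() {
    smb_share_table | awk -F'\t' '
        BEGIN { def["ADMIN$"] = 1; def["IPC$"] = 1; def["print$"] = 1 }
        $2 == "Disk" && !($1 in def) && $1 !~ /^[A-Za-z]\$$/ { print $1 "\t" $3 }
    '
}

# Custom shares whose name or comment hints at backups, configuration or credentials.
smb_shares_of_interest() {
    smb_custom_disk_shares | awk -F'\t' '
        tolower($1 " " $2) ~ /backup|config|cred|passw|archive/ { print $1 }
    '
}

echo "custom disk shares:"
printf '%s\n' "$SAMPLE_SMBCLIENT_L" | smb_custom_disk_shares | cut -f1
echo "review first:"
printf '%s\n' "$SAMPLE_SMBCLIENT_L" | smb_shares_of_interest
```

The keyword list in smb_shares_of_interest is a starting heuristic; the share names and comments an environment actually uses decide what belongs in it.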

Enumerating Users and Domain Information

SMB allows enumeration of Windows users, groups, domain policies, and hostnames.

Using Nmap Scripts

nmap --script smb-enum-users -p445 10.10.10.5

This identifies local or domain users.

Enumerating Groups

nmap --script smb-enum-groups -p445 10.10.10.5

Enumerating Shares

nmap --script smb-enum-shares -p445 10.10.10.5

Enumerating Domains

nmap --script smb-enum-domains -p445 10.10.10.5

These scripts reveal usernames, security groups, and domain structure.

Enumerating SMB Sessions and Policies

SMB reveals system-level policies and active sessions.

Enumerating Sessions

nmap --script smb-enum-sessions -p445 10.10.10.5

Enumerating Security Policies

nmap --script smb-security-mode -p445 10.10.10.5
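Added example (not part of the original page): a POSIX shell helper that reads the smb-security-mode output above and turns it into findings, in particular whether message signing is required (if it is not, the server accepts unsigned sessions and NTLM relay against it is not blocked) and whether the script got in as guest. It assumes the "key: value" lines nmap's smb-security-mode script prints; the scan output is a constructed sample, not a real result.

```sh
#!/bin/sh
# Triage of `nmap --script smb-security-mode` output. The sample is constructed for this
# example, not a real scan result.
SAMPLE_SECURITY_MODE='Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)'

# Print the value of one "key: value" field (e.g. message_signing) from the block on stdin.
smb_security_field() {
    key=$1
    sed -n "s/^|_\{0,1\} *${key}: *//p"
}

# True (exit 0) unless the server reports signing as required, i.e. unsigned sessions are accepted.
smb_signing_not_required() {
    case "$(smb_security_field message_signing)" in
        required*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Human-readable findings for the scan output read from stdin.
smb_security_findings() {
    out=$(cat)
    signing=$(printf '%s\n' "$out" | smb_security_field message_signing)
    account=$(printf '%s\n' "$out" | smb_security_field account_used)
    if printf '%s\n' "$out" | smb_signing_not_required; then
        echo "FINDING: SMB signing not required ($signing) - enforce signing to block NTLM relay"
    fi
    if [ "$account" = "guest" ]; then
        echo "FINDING: guest account accepted - anonymous enumeration is possible"
    fi
}

printf '%s\n' "$SAMPLE_SECURITY_MODE" | smb_security_findings
```

On a hardened host the same input would read "message_signing: required" and the first finding disappears; the guest finding goes away once the guest account is disabled and null sessions are restricted.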

Detecting Vulnerable Configurations

nmap --script "smb-vuln*" -p445 10.10.10.5

This checks for common SMB vulnerabilities like:

  • EternalBlue

  • MS17-010

  • Netlogon exploit (Zerologon)

Enumerating SMB OS and Host Details

SMB responses often reveal OS information.

OS Fingerprinting via SMB

nmap --script smb-os-discovery -p445 10.10.10.5

This reveals:

  • OS version

  • Workgroup

  • Hostname

  • Domain role (workstation, server, domain controller)

Enumerating with CrackMapExec (Optional in Scope)

CrackMapExec is a powerful tool for large environments.

Listing Shares

cme smb 10.10.10.0/24 --shares

Enumerating Users

cme smb 10.10.10.0/24 --users

OS and Domain Info

cme smb 10.10.10.0/24

This helps identify misconfigurations quickly. Note that the share and user listings need credentials passed with -u and -p (an empty username and password attempts a null session); without them CrackMapExec only reports each host's OS, domain, signing and SMBv1 status.

Identifying SMB Misconfigurations

Pentesters look for:

  • Anonymous access enabled

  • World-readable or writable shares

  • Exposed backups

  • Stale credentials

  • Outdated SMB versions

  • Weak NTLM authentication

  • Excessively permissive ACLs

  • Domain controller exposure

These issues often lead to credential capture, lateral movement, or full domain compromise.

Why SMB Enumeration Matters

SMB enumeration provides deep insight into Windows infrastructure. It reveals users, shares, domain info, policies, and potential vulnerabilities. SMB is one of the richest sources of internal data during a pentest, and misconfigurations often expose critical attack paths.

Intel Dump

  • SMB runs on ports 445 and 139

  • Enumeration includes shares, users, groups, domains, OS info

  • Tools include smbclient, Nmap scripts, and CrackMapExec

  • SMB often reveals misconfigurations like anonymous access and weak permissions

  • Enumerating SMB helps map Windows environments and prepare for exploitation
