SMB Enumeration

What is SMB?

SMB (Server Message Block) is how Windows machines share files, printers, and other resources over a network.

When you map a network drive or browse shared folders in Windows, that’s SMB. It’s the backbone of Windows file sharing.

It’s also one of the most attacked protocols in history. From EternalBlue to null sessions to unauthenticated access, SMB has a long track record of security problems.


How It Works


SMB vs NetBIOS

These are two separate protocols that often run together.

Protocol   Port      Purpose
SMB        TCP 445   File sharing (modern, direct)
NetBIOS    TCP 139   Session layer for older LAN communication
NetBIOS    UDP 137   Name resolution
NetBIOS    UDP 138   Datagram service

Modern SMB works fine without NetBIOS (just port 445). But for backward compatibility, many systems still run both. NetBIOS over TCP (NBT) is the glue that keeps them together.

Always scan both ports 139 and 445. If one is open, the other often is too. Together they give you the full picture.


Finding SMB Hosts

Sweep a subnet for SMB and NetBIOS ports:

nmap -v -p 139,445 -oG smb.txt 10.10.10.0/24

This quickly identifies which hosts in the range have SMB/NetBIOS exposed.


NetBIOS Enumeration with nbtscan

nbtscan queries the NetBIOS name service on UDP port 137. It returns NetBIOS names, which are often very descriptive.

sudo nbtscan -r 10.10.10.0/24

The names tell you a lot about the host’s role:

NetBIOS Name   What it likely is
DC01           Domain controller
FILESERV       File server
SQLPROD        Production SQL server
WEBDEV         Development web server

NetBIOS names are chosen by humans. They often reveal the host’s purpose, which helps you prioritize targets.
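As an added example (not code from the original page or from nbtscan), here is a Python decoder for the node status response that nbtscan reads off UDP 137. It goes one step beyond the name table above by decoding the NetBIOS suffix byte, which identifies the service that registered each name (for example <1C> for the domain controllers group), and by pulling the MAC address out of the statistics block. The sample packet is constructed, not a real capture; the host name DC01 and domain CORP are assumptions.

```python
import struct

# NetBIOS suffix (16th byte of a name) and G bit -> service that registered it.
SUFFIXES = {(0x00, False): "workstation name", (0x00, True): "domain/workgroup name",
            (0x03, False): "messenger service", (0x1B, False): "domain master browser (PDC)",
            (0x1C, True): "domain controllers", (0x1D, False): "master browser",
            (0x1E, True): "browser elections", (0x20, False): "file server service"}


def parse_node_status(resp: bytes) -> dict:
    """Decode an RFC 1002 NODE STATUS RESPONSE (UDP 137), the packet nbtscan reads.
    Layout: 12-byte header, 34-byte encoded '*' name, TYPE/CLASS/TTL/RDLENGTH,
    NUM_NAMES, 18-byte entries (15-char name, suffix, NAME_FLAGS), STATISTICS."""
    if struct.unpack(">H", resp[6:8])[0] != 1:       # ANCOUNT must be 1
        raise ValueError("not a node status response")
    off = 12 + 34
    rr_type, rr_class, _ttl, _rdlen = struct.unpack(">HHIH", resp[off:off + 10])
    if rr_type != 0x21 or rr_class != 1:            # 0x21 = NBSTAT, class IN
        raise ValueError("unexpected RR type/class")
    off += 10
    num_names, off = resp[off], off + 1
    names = []
    for _ in range(num_names):
        raw, suffix, flags = struct.unpack(">15sBH", resp[off:off + 18])
        off += 18
        is_group = bool(flags & 0x8000)             # G bit: group vs unique name
        role = SUFFIXES.get((suffix, is_group), "unknown suffix 0x%02x" % suffix)
        names.append((raw.decode("ascii", "replace").rstrip(), suffix, is_group, role))
    mac = ":".join("%02x" % b for b in resp[off:off + 6])   # STATISTICS.UNIT_ID
    return {"names": names, "mac": mac}


def _entry(name: str, suffix: int, group: bool) -> bytes:
    flags = (0x8000 if group else 0) | 0x0400       # 0x0400 = ACT (name is active)
    return struct.pack(">15sBH", name.ljust(15).encode(), suffix, flags)


def build_sample_response() -> bytes:
    """Constructed reply for assumed host DC01 in domain CORP (not a real capture)."""
    entries = [_entry("DC01", 0x00, False), _entry("CORP", 0x00, True),
               _entry("CORP", 0x1C, True), _entry("DC01", 0x20, False),
               _entry("CORP", 0x1B, False)]
    stats = bytes.fromhex("005056aabbcc") + bytes(40)   # 46-byte STATISTICS, MAC first
    rdata = bytes([len(entries)]) + b"".join(entries) + stats
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # response, ANCOUNT=1
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"  # half-ASCII encoded '*' name
    return header + rr_name + struct.pack(">HHIH", 0x21, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    for name, suffix, group, role in parse_node_status(build_sample_response())["names"]:
        print("%-15s <%02X> %s  %s" % (name, suffix, "GROUP " if group else "UNIQUE", role))
```

Feeding a real reply captured from a host you are authorised to scan into parse_node_status gives the same name/suffix/role listing nbtscan prints, which is what makes the <1C> and <20> entries a more reliable role indicator than the human-chosen name alone.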


NSE Scripts for SMB

Nmap has many SMB scripts in /usr/share/nmap/scripts/smb*:

  • smb-os-discovery - OS version, computer name, domain, forest
  • smb-enum-shares - list available shares
  • smb-enum-users - list user accounts
  • smb-enum-groups - list groups
  • smb-enum-sessions - active sessions
  • smb-vuln-* - vulnerability checks

OS Discovery

nmap -v -p 139,445 --script smb-os-discovery 10.10.10.50

This returns:

  • OS version (Windows 10 Pro, Windows Server 2019, etc.)
  • Computer name and NetBIOS name
  • Domain and forest name
  • FQDN (fully qualified domain name)
  • System time

This is richer than basic Nmap OS fingerprinting (-O). It also generates less suspicious traffic because SMB queries blend in with normal Active Directory activity.


Share Enumeration

nmap --script smb-enum-shares 10.10.10.50

Lists all shares, their types, and access permissions. Look for shares that allow anonymous read or guest access.


SMB from Windows

On a Windows machine, use net view:

net view \\dc01 /all

The /all flag shows administrative shares (the ones ending with $):

Share      What it is
ADMIN$     Remote admin (maps to C:\Windows)
C$         Default share for the C: drive
IPC$       Inter-Process Communication (used for null sessions)
NETLOGON   Logon scripts
SYSVOL     Group Policy files

IPC$ is the gateway for null sessions. If you can connect to IPC$ without credentials, you can often enumerate users, groups, and shares.


NetExec (nxc)

NetExec is the go-to tool for SMB enumeration in modern pentesting. It replaced CrackMapExec and does everything in one tool.


Check if SMB is open

nxc smb 10.10.10.0/24

Sweeps the subnet and returns hostnames, domains, OS versions, and SMB signing status in one shot.


Null session enumeration

nxc smb 10.10.10.50 -u '' -p ''

Try connecting with empty credentials. If it says [+], null sessions are allowed.


List shares

nxc smb 10.10.10.50 -u '' -p '' --shares

Shows all shares and your access level (READ, WRITE, or no access).


Enumerate users

nxc smb 10.10.10.50 -u '' -p '' --users

Returns local user accounts. With valid credentials, also try --groups and --sessions.


With credentials

Once you have a username and password, nxc becomes even more powerful:

nxc smb 10.10.10.50 -u admin -p 'Password123' --shares
nxc smb 10.10.10.50 -u admin -p 'Password123' --users
nxc smb 10.10.10.50 -u admin -p 'Password123' --sessions

nxc is the Swiss Army knife for SMB. One tool for enumeration, credential testing, command execution, and lateral movement. Learn it well.


Null Sessions

A null session is an unauthenticated connection to IPC$. If the server allows it, you can enumerate significant information without any credentials at all.

This was extremely common on Windows 2000 and XP. Modern Windows disables it by default, but misconfigured systems still exist.


Practice Boxes

  • Lame - Classic SMB exploitation on Linux
  • Blue - Windows SMB exploitation with EternalBlue
  • Kenobi - SMB and NFS enumeration leading to initial access
  • Relevant - SMB share enumeration and web exploitation