This guide covers methods for enumerating and exploiting SMB (Server Message Block) shares using various tools like nmap, smbmap, and smbclient. SMB is a protocol used for sharing files, printers, and other network services, and misconfigurations in SMB services can often lead to security vulnerabilities.
- nmap - A network scanning tool that can discover SMB services and enumerate shares.
- smbmap - A Python tool to enumerate SMB shares and check permissions.
- smbclient - A command-line client for SMB that can be used for interacting with shares.
- FOFA => protocol="smb" && banner="Wordpress"
- SHODAN => port:445 has_smb:true
- CENSYS => services.smb.port:445
- ZOOM EYE => port:445
- Ensure you have permission to scan and access the target system before using these tools.
- Install the required tools:
  - nmap: install with `sudo apt install nmap`.
  - smbmap: install with `pip install smbmap`.
  - smbclient: install with `sudo apt install smbclient`.
You can use nmap to scan for open SMB ports (usually port 445) and enumerate SMB shares. Here's the basic command to run a scan on a target:

```bash
nmap -p 445 --script smb-enum-shares.nse <target_ip>
```

Explanation of the flags:

- -p 445: Scans port 445, the default SMB port.
- --script smb-enum-shares.nse: Uses the smb-enum-shares.nse script to enumerate shares.

Examples, against a single host and against a list of hosts in targets.txt (the second command runs the smb-vuln* NSE scripts; the pattern is quoted so the shell does not expand it):

```bash
nmap -p 445 --script smb-enum-shares.nse 192.168.1.100
nmap -p 445 --script "smb-vuln*" -iL targets.txt -T4 --max-retries 3
```

This will provide you with a list of SMB shares on the target system.
smbmap is a more specialized tool for interacting with SMB shares and checking permissions. To scan for shares on a target, use the following command:

```bash
smbmap -H <target_ip> -p 445
```

This will attempt to list the available SMB shares. You can add additional options to test specific shares or check for write permissions. Examples, for a single host and for a list of hosts:

```bash
smbmap -H 192.168.1.100 -p 445
cat smb-targets.txt | xargs -I {} smbmap -H {} -p 445
```

smbclient is a command-line tool that allows you to interact with SMB shares directly. To connect to a share, use the following command:

```bash
smbclient //target_ip/share_name -U username
```

Example usernames: guest, root, admin, user, Administrator@<domain_name>. If you want to access the share without providing a username (e.g., for anonymous access), you can omit the -U flag:

```bash
smbclient //192.168.1.100/shared -U guest
```

Once connected, you can run commands like ls to list files and get <file> to download files.

```bash
smbclient //192.168.1.100/public -U username
```
- Anonymous Access: If a share allows guest access without authentication, this is a potential security risk. You can test this using smbclient or check with nmap and smbmap.
- Read/Write Permissions: Shares that allow write access to anonymous users or non-administrative users can be exploited to upload malicious files or scripts.
- Unnecessary Shares: Some systems may expose unnecessary or sensitive shares. Always check for shares like ADMIN$, C$, IPC$, etc.
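The checks in the list above can be run over the share listing that smbmap produces in the previous section. The script below is an added example, not part of the original guide: it assumes smbmap's tab-separated table layout (share, permissions, comment) and works on a constructed sample so it runs offline, reporting shares that are writable with the credentials used and administrative shares (ADMIN$, C$) that are reachable at all.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): triage an smbmap share listing
# for the misconfigurations listed above. The input layout is an assumption
# modelled on smbmap's table: <tab>Share<tab>Permissions<tab>Comment.

# Constructed sample of an smbmap run, used so the script works offline.
sample_output() {
    printf '[+] IP: 192.168.1.100:445\tName: 192.168.1.100\n'
    printf '\t%s\t%s\t%s\n' \
        'Disk'    'Permissions' 'Comment' \
        '----'    '-----------' '-------' \
        'ADMIN$'  'NO ACCESS'   'Remote Admin' \
        'C$'      'READ ONLY'   'Default share' \
        'IPC$'    'READ ONLY'   'Remote IPC' \
        'public'  'READ, WRITE' 'Drop folder' \
        'backups' 'READ ONLY'   ''
}

# audit_shares: reads an smbmap listing on stdin and prints one finding per
# line, tab-separated: "WRITABLE <share>" for any share the credentials can
# write to, and "ADMIN_SHARE_ACCESSIBLE <share>" when ADMIN$ or C$ is anything
# other than NO ACCESS. IPC$ is normally readable on Windows, so it is not
# flagged on its own; a WRITE on it still shows up as WRITABLE.
audit_shares() {
    awk -F'\t' '
        /^\[\+\]/ { next }                     # host banner line
        { sub(/^[ \t]+/, "") }                 # drop indentation; awk re-splits fields
        $1 == "Disk" || $1 ~ /^-+$/ { next }   # column header and separator rows
        NF >= 2 {
            name = $1; perms = $2
            gsub(/[ \t]+$/, "", name); gsub(/[ \t]+$/, "", perms)
            if (perms ~ /WRITE/) print "WRITABLE\t" name
            if (name ~ /^(ADMIN|C)\$$/ && perms != "NO ACCESS")
                print "ADMIN_SHARE_ACCESSIBLE\t" name
        }'
}

# Demo on the constructed sample. Against a real host (with authorization),
# pipe the tool's output instead: smbmap -H <target_ip> -p 445 | audit_shares
sample_output | audit_shares
```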
If you discover a share with write permissions, you can upload a malicious file or script using smbclient. Here's an example of uploading a file (the put command is entered at the smbclient prompt after connecting):

```bash
smbclient //192.168.1.100/public -U guest
smb: \> put /path/to/local/file.txt
```

This will upload file.txt to the public share on the target.
These tools and techniques are useful for discovering SMB shares and identifying potential vulnerabilities due to misconfigurations. Be cautious when testing these methods and ensure that you have authorization to access the systems you are scanning.
