SMB | Windows Domain Enumeration

Samba / SMB / Windows Domain Enumeration

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see the nbtscan cheat sheet (right-hand menu).

| COMMAND | DESCRIPTION |
| --- | --- |
| nbtscan 192.168.1.0/24 | Discover Windows / Samba servers on the subnet; finds Windows MAC addresses, NetBIOS names, and the client workgroup / domain |
| enum4linux -a target-ip | Do everything: runs all options (find Windows client domain / workgroup) apart from dictionary-based share name guessing |

Fingerprint SMB Version

smbclient -L //192.168.1.100 

Find open SMB Shares

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 

Download whole smbshare with one command: smbget -R smb://192.168.206.148/kathy
