0) What is SMB?
SMB (Server Message Block), also known as CIFS (Common Internet File System), is a network protocol that allows for file sharing, network browsing, printer access, and inter-process communication between systems. The goal of exploiting SMB is typically to access or modify files and credentials on the network. SMB requires a connection to the server to access and enumerate shared resources.
1) Recon Phase
Search for specific services and versions of SMB on the machine.
nmap -sV -p 445,139 [targetip]
Scans ports 445 and 139 for service version information.
nmap --script smb-os-discovery [targetip]
Gathers OS version and domain/workgroup details.
* If SMBv1 is enabled, the host may be vulnerable to EternalBlue (MS17-010, CVE-2017-0144).
2) Enumeration Phase
During enumeration, we attempt to discover shared resources, users, and configurations that may lead to exploitation.
# Enumerate SMB shares and users
enum4linux -a [targetip]
Provides details on shares, users, groups, and policies. Look for open shares or weak password policies.
# List available shares
smbclient -L //[targetip] -U ""
Lists available shares anonymously. Useful for quickly spotting exposed directories.
# Check for null session access
smbclient -N -L //[targetip]
Attempts a null session (no authentication). If access is granted, the server may allow unauthorized enumeration.
# Enumerate users with RPC
rpcclient -U "" [targetip]
rpcclient> enumdomusers
Lists domain users via RPC over SMB — helpful for identifying valid accounts for further testing.
Note: RPC (Remote Procedure Call) allows a program to execute functions on a remote system as if local.
3) Exploitation Phase
Once vulnerable configurations or credentials are found, exploitation may be possible.
# Connect to a discovered share without credentials
smbclient //[targetip]/[sharename] -U ""
# Check for EternalBlue vulnerability
msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS [targetip]
run
# Brute-force credentials with Hydra
hydra -L users.txt -P passwords.txt smb://[targetip]
If authentication is successful, access shared folders or escalate privileges using misconfigurations.
SMB Info — What to Look For
- Exposed anonymous or guest-accessible shares
- Writable or misconfigured shares allowing uploads
- SYSVOL/NETLOGON domain shares containing scripts or credentials
- Older SMBv1 servers vulnerable to EternalBlue (MS17-010)
- Stored credential files (.ini, .xml, .kdbx, .bak)
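As an added defender-side check that is not part of these notes: a small Python audit of a Samba smb.conf for the weak settings behind the first, second and fourth items above (guest-accessible shares, writable shares, SMBv1 still allowed). The smb.conf text is constructed sample input; the option names are real Samba parameters, and the synonym handling is a simplification of Samba's "last setting wins" rule.

```python
import configparser

# Constructed sample smb.conf carrying several of the weak settings from the checklist.
SAMPLE_SMB_CONF = """
[global]
server min protocol = NT1
map to guest = Bad User
restrict anonymous = 0
[public]
path = /srv/samba/public
guest ok = yes
read only = no
[finance]
path = /srv/samba/finance
writable = yes
"""
SMB1_DIALECTS = {"nt1", "lanman1", "lanman2", "core", "coreplus"}

def _opt(section, *names, default):
    # Samba accepts synonyms for many options; return the first one present, lowercased.
    for name in names:
        if name in section:
            return section[name].strip().lower()
    return default

def audit_smb_conf(text):
    """Return a list of findings for a Samba smb.conf given as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # paths like /home/%U must not interpolate
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if _opt(g, "server min protocol", "min protocol", default="smb2_02") in SMB1_DIALECTS:
        findings.append("global: SMBv1 dialect still allowed by 'server min protocol' (MS17-010 class exposure)")
    if _opt(g, "map to guest", default="never") != "never":
        findings.append("global: 'map to guest' turns failed logins into guest access")
    if _opt(g, "restrict anonymous", default="0") == "0":
        findings.append("global: 'restrict anonymous = 0' permits null-session enumeration")
    for name in cp.sections():
        if name in ("global", "printers", "print$"):
            continue
        s = cp[name]
        guest = _opt(s, "guest ok", "public", default="no") == "yes"
        # 'writable'/'writeable'/'write ok' are inverted synonyms of 'read only'; either form marks the share writable
        writable = (_opt(s, "writable", "writeable", "write ok", default="no") == "yes"
                    or _opt(s, "read only", default="yes") == "no")
        if guest:
            findings.append(f"share [{name}]: guest-accessible share" + (" that is also writable" if writable else ""))
        elif writable:
            findings.append(f"share [{name}]: writable share; review who may upload here")
    return findings
```

Run `audit_smb_conf(open("/etc/samba/smb.conf").read())` on a real server to get the same list for its live configuration.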
Tools Required
sudo apt install enum4linux smbclient hydra nmap metasploit-framework