# SMB

The SMB service can be used to enumerate users or important files that may have been left unattended in one of the shares. It is important to enumerate an SMB service properly to gather as much information as possible.

There are multiple protocol versions within SMB, with SMB 2.0 the most widely used and SMB 3.0 the latest entrant. CIFS is an early dialect of SMB and is no longer used because of its maintenance complexity and the security issues that come with it.

### NMAP Scripts

Nmap scripts can be used to enumerate various information from an SMB service and also to scan it for vulnerabilities. A simple enumeration of the shares can be done using the following command:

```
nmap --script /usr/share/nmap/scripts/smb-enum-shares.nse 10.11.1.231
```

In the Kali operating system, various scripts for enumeration and vulnerability scanning can be found under the path "/usr/share/nmap/scripts/".

### Enum4linux

Enum4linux is another SMB enumeration tool that can be used for gathering information about the service. An all-encompassing scan can be done using the following command:

```
enum4linux -a 192.168.1.10
```

The "-a" flag will run all the tests against the SMB service and list all the information collected. Individual tests can be selected with the following flags:

`-U` - This flag can be used to list the users on the server

`-S` - This flag will list all the shares on the server

`-P` - This flag displays the password policy

`-o` - This flag gives information about the operating system

`-l` - This flag will provide limited information about the LDAP service on the system

`-i` - This flag will display any printer info that may be available

`-n` - This flag lists the NetBIOS information on the server

### SMBClient

SMBClient can be used for interacting with the shares on the SMB server.

```
smbclient -L //192.168.1.10/
smbclient -L //192.168.1.10/ -U '' -N   # no username and null password
smbclient --no-pass -L 192.168.1.10
smbclient -L //192.168.1.10/ -U 'domain\user%password'   # -p sets the port, so the password goes after % in -U
```
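
For checking your own server, the null-session listing above can be turned into a pass/fail audit. This is an added example, not part of the original page: the function names and the sample listing are constructed for illustration, and it assumes smbclient's usual `Sharename / Type / Comment` table layout.

```shell
#!/bin/sh
# Reads `smbclient -L //HOST/ -U '' -N` output on stdin and prints one
# tab-separated line per share: <class> <type> <name>
#   exposed = ordinary share listed without credentials
#   hidden  = name ends in "$" (IPC$, print$, administrative shares)
classify_shares() {
    awk '
        /^[ \t]*Sharename[ \t]+Type/    { in_table = 1; next }  # table header
        in_table && /^[ \t]*-+[ \t]+-+/ { next }                # dashed rule
        in_table && /^[ \t]*$/          { in_table = 0; next }  # blank line ends table
        in_table {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Anchor on the Type column so names with spaces still parse.
            if (!match(line, /[ \t]+(Disk|IPC|Printer)([ \t]|$)/)) next
            name = substr(line, 1, RSTART - 1)
            type = substr(line, RSTART, RLENGTH)
            gsub(/[ \t]/, "", type)
            class = (name ~ /\$$/) ? "hidden" : "exposed"
            print class "\t" type "\t" name
        }
    '
}

# Returns 1 (and reports on stderr) if any ordinary disk share is listed
# to the anonymous session, 0 otherwise. Suitable for a scheduled check.
audit_null_session() {
    exposed=$(classify_shares | awk -F'\t' '$1 == "exposed" && $2 == "Disk" { print $3 }')
    [ -z "$exposed" ] && return 0
    printf 'Disk shares listed without credentials:\n%s\n' "$exposed" >&2
    return 1
}

# Constructed sample of smbclient -L output (not captured from a real host).
sample_listing() {
    printf '\tSharename       Type      Comment\n'
    printf '\t---------       ----      -------\n'
    printf '\tprint$          Disk      Printer Drivers\n'
    printf '\thome            Disk      \n'
    printf '\tShared Docs     Disk      Team files\n'
    printf '\tIPC$            IPC       IPC Service\n'
    printf '\n'
}

# Demo on the constructed sample; against a live server, pipe the
# smbclient -L command shown above into audit_null_session instead.
sample_listing | classify_shares
```
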

The following command can be used to access the available folders and files:

```
smbclient //192.168.1.10/home
```

Once within the command prompt of SMBClient, files can be downloaded, uploaded, permissions changed, etc. The following command downloads a file:

```
get <remote filename> <local filename>
```

{% hint style="info" %}
When accessing Windows shares, backslashes "\\" have to be used, and when accessing them from a Linux system each "\\" has to be escaped with another "\\". So the command may look like:

```
smbclient \\\\192.168.1.10\\home
```
{% endhint %}

### SMBMAP

Another tool for accessing an SMB share:

```
smbmap -H 192.168.1.10
smbmap -H 192.168.1.10 -u '' -p ''
smbmap -H 192.168.1.10 -s share_name    # Access a share
```

### Crackmapexec

Crackmapexec is an enumeration tool for various services, and it can be used on an SMB share to get a list of shared folders and to check whether a username and password are valid.

```
crackmapexec smb 192.168.1.10 -u '' -p '' --shares   # The same can be tried with names & passwords
crackmapexec smb 192.168.1.10 -u '' -p '' --share share_name
crackmapexec smb 192.168.1.10 -u '' -p '' --shares --pass-pol
```

### Mount SMB Share

Besides browsing through the files on the server, the share can also be mounted on the local machine so that you can browse through the files as you would with an NFS share.

The following command can be used to mount the share on your local machine:

```
sudo mount -t cifs //10.1.1.68/IPC /mount/smb -o guest
sudo mount -t cifs //10.1.1.68/IPC /mount/smb -o username='test'
```

`-t` - This option is used to indicate the type of filesystem. Supported filesystems are usually ext2, ext3, ext4, xfs, btrfs, vfat, sysfs, proc, nfs and cifs (most commonly found).


