CyberCheatsheets

SMB Enumeration Cheat Sheet

Enumerate SMB: shares, null sessions, users, and versions with nmap, netexec, smbclient, and enum4linux on authorized networks.

Category: Network & Protocol. Tags: enumeration, netbios, shares, smb, windows. Updated 2026-06-17

Overview

SMB (ports 445/139) is one of the richest enumeration targets on Windows and Samba hosts. You're after shares, readable files, user lists, password policy, and the SMB version (for vulns like EternalBlue). Null/guest sessions often expose more than expected. This sheet chains nmap, netexec, smbclient, and enum4linux-ng.

Authorized testing only. Enumerate only systems you own or have explicit written permission to test. Unauthorized access is illegal.

Discover & version

Detect supported SMB dialects (SMBv1 = legacy/vuln)

nmap -p139,445 --script smb-protocols 10.10.10.5

OS, hostname, domain, and SMB info

nmap -p445 --script smb-os-discovery 10.10.10.5

Sweep a subnet: hostnames, OS, signing, SMBv1

nxc smb 10.10.10.0/24

Null / guest session (unauthenticated)

List shares with a null session

nxc smb 10.10.10.5 -u '' -p '' --shares

Try the guest account

nxc smb 10.10.10.5 -u 'guest' -p '' --shares

List shares with no password

smbclient -L //10.10.10.5 -N

Show shares and your access level (READ/WRITE)

smbmap -H 10.10.10.5 -u null

Enumerate users & policy

All-in-one: users, groups, shares, policy

enum4linux-ng -A 10.10.10.5

Domain users (with creds)

nxc smb 10.10.10.5 -u user -p pass --users

Password policy (lockout threshold before spraying)

nxc smb 10.10.10.5 -u user -p pass --pass-pol

Enumerate users/groups via RID brute force

nxc smb 10.10.10.5 -u user -p pass --rid-brute

Browse & download shares

Connect to a share (null auth)

smbclient //10.10.10.5/share -N

Connect with credentials

smbclient //10.10.10.5/share -U 'corp/user%pass'

Recursively download a whole share

smbget -R smb://10.10.10.5/share -U user

Mount a share locally

mount -t cifs //10.10.10.5/share /mnt -o username=user,password=pass

Spider all shares and index readable files

nxc smb 10.10.10.5 -u user -p pass -M spider_plus

Quick checks

Check for EternalBlue (MS17-010)

nmap -p445 --script smb-vuln-ms17-010 10.10.10.5

Validate creds across a subnet (find admin access)

nxc smb 10.10.10.0/24 -u user -p pass

Look for GPP passwords in SYSVOL

nxc smb 10.10.10.5 -u user -p pass -M gpp_password

Tips

  • Always try a null/guest session first — anonymous share access is common and high-value.
  • smbmap/--shares shows READ vs WRITE — writable shares can lead to code execution or capture attacks.
  • Check the password policy before spraying so you don't lock accounts out.
  • SMBv1 enabled often means EternalBlue (MS17-010) is worth checking on older hosts.
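To turn the subnet sweep output above into a hardening worklist, here is an added example (not part of the original sheet, and not NetExec's own code) that parses the per-host banner lines nxc prints and flags hosts with SMBv1 enabled or signing not required. The banner layout is assumed from typical nxc output and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Banner line nxc prints for each host during "nxc smb 10.10.10.0/24".
# Layout assumed from typical NetExec output; field order may differ across versions.
NXC_BANNER = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

@dataclass
class SmbHost:
    ip: str
    hostname: str
    domain: str
    os: str
    signing: bool
    smbv1: bool

    def findings(self) -> list[str]:
        """Hardening gaps visible from the banner alone."""
        out = []
        if self.smbv1:
            out.append("SMBv1 enabled: legacy dialect, verify MS17-010 patch level and disable SMBv1")
        if not self.signing:
            out.append("SMB signing not required: enforce signing via policy")
        return out

def parse_nxc_sweep(text: str) -> list[SmbHost]:
    hosts = []
    for line in text.splitlines():
        m = NXC_BANNER.match(line.strip())
        if not m:
            continue  # auth results, share listings and other nxc lines are skipped
        hosts.append(SmbHost(ip=m["ip"], hostname=m["host"], domain=m["domain"], os=m["os"],
                             signing=m["signing"] == "True", smbv1=m["smbv1"] == "True"))
    return hosts

def triage(text: str) -> dict[str, list[str]]:
    """Map each host IP to its findings; an empty list means nothing was flagged."""
    return {h.ip: h.findings() for h in parse_nxc_sweep(text)}

# Constructed sample of a sweep over three hosts (not real output).
SAMPLE = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.7      445    FILES01          [*] Windows Server 2008 R2 Build 7601 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.9      445    WS-ACCT          [*] Windows 10 Build 19041 x64 (name:WS-ACCT) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.7      445    FILES01          [+] corp.local\\user:pass
"""

if __name__ == "__main__":
    for ip, issues in triage(SAMPLE).items():
        print(ip, "OK" if not issues else "; ".join(issues))
```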
