Phase 1: Information Gathering

SMB Reconnaissance

Master the art of SMB/CIFS reconnaissance. Learn to identify, enumerate, and analyze SMB services without triggering security alerts.

SMB Reconnaissance Interface
Network Discovery
Identify systems running SMB services across network ranges
Service Enumeration
Extract detailed information about SMB implementations
Share Discovery
Enumerate available shares and access permissions
Network Discovery
The first step in SMB reconnaissance is identifying systems running SMB services

Basic Network Scan

# Scan for SMB services on port 445
nmap -sS -O -p445 192.168.1.0/24

# Fast scan with service detection
nmap -sS -sV -p445 --open 192.168.1.0/24

This command performs a SYN scan (-sS) with OS detection (-O) specifically targeting port 445 (SMB) across the entire subnet. The --open flag shows only systems with open ports.

Advanced Discovery

# Comprehensive SMB discovery
nmap -sU -sS -p U:137,T:139,445 192.168.1.0/24

# NetBIOS name resolution
nbtscan 192.168.1.0/24

This scan checks both UDP port 137 (NetBIOS Name Service) and TCP ports 139/445 (SMB). NetBIOS scanning can reveal computer names and workgroup information.

SMB Service Enumeration
Extract detailed information about SMB implementations and configurations

OS and Version Detection

# SMB OS discovery
nmap --script smb-os-discovery -p445 <target_ip>

# SMB protocol version detection
nmap --script smb-protocols -p445 <target_ip>

# SMB security mode detection
nmap --script smb-security-mode -p445 <target_ip>

These scripts reveal operating system version, computer name, domain information, supported SMB protocol versions, and security configurations.

Comprehensive Enumeration

# enum4linux-ng comprehensive scan
enum4linux-ng -A <target_ip>

# Specific enumeration options
enum4linux-ng -U -S -G -P <target_ip>
# -U: Users, -S: Shares, -G: Groups, -P: Password policy

enum4linux-ng is the next-generation version of the classic enum4linux tool, providing comprehensive SMB enumeration capabilities.

Share Discovery & Analysis
Enumerate SMB shares and analyze access permissions

Share Enumeration

# Nmap share enumeration
nmap --script smb-enum-shares -p445 <target_ip>

# smbclient share listing
smbclient -L //<target_ip> -N
# -N attempts null session authentication

# smbmap for detailed share analysis
smbmap -H <target_ip> -u guest

Permission Analysis

# Check share permissions
smbmap -H <target_ip> -u username -p password

# Recursive directory listing
smbmap -H <target_ip> -u username -p password -R

# Download files from accessible shares
smbmap -H <target_ip> -u username -p password --download 'share\file.txt'
Essential Tools

Nmap

Network discovery and SMB script scanning

Discovery

enum4linux-ng

Comprehensive SMB enumeration

Enumeration

smbclient

SMB client for share access

Access

smbmap

Share enumeration and file operations

Mapping
Next Steps
Additional Resources

MITRE ATT&CK

Framework for understanding adversary tactics

OWASP Testing Guide

Comprehensive security testing methodology

Tenable Solutions

Professional vulnerability management

SMB Penetration Testing Learning Path
Comprehensive SMB security assessment methodology from reconnaissance to post-exploitation
Beginner
SMB Protocol Fundamentals
Master SMB/CIFS protocol architecture, versions, and security mechanisms
SMB protocol security testing
CIFS security assessment
Learn More
Intermediate
SMB Reconnaissance & Enumeration
Learn SMB enumeration techniques, null session testing, and share discovery
SMB enumeration techniques
SMB null session enumeration
Current Page
Intermediate
SMB Vulnerability Analysis
Identify SMB security vulnerabilities and assess enterprise Windows security
SMB vulnerability scanning
SMB security assessment
Learn More
Advanced
SMB Exploitation Techniques
Master EternalBlue, SMBGhost, and advanced SMB attack methodologies
EternalBlue SMB exploit
SMBGhost vulnerability testing
Learn More
Advanced
SMB Post-Exploitation
Learn persistence, lateral movement, and privilege escalation in SMB environments
SMB lateral movement testing
Windows credential harvesting
Learn More
Reference
SMB CVE Database
Research critical SMB vulnerabilities and exploitation techniques
MS17-010 penetration testing
SMB remote code execution
Learn More