# SMB

**SMB (Server Message Block)** is a network file sharing protocol that allows systems to:

* Share **files**, **printers**, and **other resources**
* Access remote directories as if they were local
* Communicate between Windows, Linux, and macOS systems on a LAN

SMB is extremely common in corporate environments — especially in **Windows networks** — where it’s used to share documents, access drives, and centralize file storage.

## SMB vs Samba – A Bit of History

* **SMB** is the **protocol**, originally designed by **IBM in the 1980s**, later adopted and heavily used by Microsoft.
* **Samba** is a **free Linux/Unix implementation of the SMB protocol**, allowing non-Windows systems to participate in SMB networks.
* When you install **Samba** on Linux, you are essentially creating an SMB server compatible with Windows clients.

## SMB Default Ports

| Protocol | Port | Description                       |
| -------- | ---- | --------------------------------- |
| SMB      | 445  | Direct SMB over TCP               |
| NetBIOS  | 137  | NetBIOS name service              |
| NetBIOS  | 138  | NetBIOS datagram service          |
| NetBIOS  | 139  | SMB over NetBIOS (legacy support) |

In modern networks, port **445** is the main port used for SMB traffic.

## What Are SMB Shares?

An **SMB Share** is a **directory made accessible over the network** using the SMB protocol.

For example:

* A server might have a share called `\\company-server\finance`
* Employees can map that share to a local drive or browse it via File Explorer or terminal.

There are two key types of shares:

* **Public (Guest/Anonymous) Shares** – no login required, accessible to everyone
* **Restricted Shares** – require authentication, often tied to domain or system users

## Our SMB Lab Setup (/etc/samba/smb.conf)

We created three shares using Samba on Linux:

```ini
[public]
   path = /srv/smb/public
   browseable = yes
   read only = no
   guest ok = yes

[finance]
   path = /srv/smb/finance
   browseable = yes
   read only = yes
   guest ok = yes

[devops]
   path = /srv/smb/devops
   browseable = yes
   read only = yes
   guest ok = yes
```

And filled them with files like:

* `ftp_creds.txt` – Contains fake FTP credentials
* `db_config.env` – Contains a fake database password
* `ssh_creds.txt` – Contains fake SSH login details

### Misconfigurations in This Setup

These settings are **deliberately insecure** to help you learn how attackers abuse SMB:

| Misconfiguration                    | Why It's Dangerous                                    |
| ----------------------------------- | ----------------------------------------------------- |
| `guest ok = yes`                    | Anyone can access shares without authentication       |
| `read only = no`                    | In `public`, attackers can **upload or modify files** |
| Sensitive files in public shares    | Attackers can harvest credentials or secrets          |
| Overly permissive permissions (777) | Allows anyone to read/write/delete                    |

In real-world systems, these misconfigurations could lead to:

* Credential theft
* Initial access to internal systems
* Malware upload and lateral movement
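To turn the table above into something you can run against your own Samba servers, here is an added audit script (not part of the original handbook, and not Samba's own tooling). It uses a small hand-written parser for smb.conf's INI-like syntax, flags shares with `guest ok = yes`, shares that are both guest-accessible and writable, and optionally world-writable share paths on disk. It also checks the `[global]` option `server signing`, which is what Nmap's `smb2-security-mode` script reports on; the `[global]` section in the sample is an assumption added for that check, the rest of the sample is the lab config from this page with `devops` switched to `guest ok = no` so one share comes out clean.

```python
"""Audit a Samba smb.conf for the misconfigurations named above.

Added example, not from the original handbook. The parser below is
hand-written (not a Samba library); the findings are what an auditor would
flag: anonymous access, anonymous write, missing mandatory signing, and
world-writable share directories.
"""
import os
import stat

# Constructed sample: the page's lab shares plus a [global] section that does
# not set 'server signing' (assumed for this example). 'devops' is changed to
# guest ok = no so that one share produces no finding.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = enumlikeapro server

[public]
   path = /srv/smb/public
   browseable = yes
   read only = no
   guest ok = yes

[finance]
   path = /srv/smb/finance
   browseable = yes
   read only = yes
   guest ok = yes

[devops]
   path = /srv/smb/devops
   browseable = yes
   read only = yes
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys/values stripped and lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def is_true(value):
    return value in TRUE_VALUES


def audit_shares(sections, check_fs=False):
    """Return a list of (section, finding) tuples.

    Filesystem checks only run with check_fs=True, because the sample paths
    do not exist on the machine running the audit.
    """
    findings = []
    signing = sections.get("global", {}).get("server signing", "default")
    if signing != "mandatory":
        findings.append(("global", f"server signing = {signing} (not mandatory)"))
    for share, opts in sections.items():
        if share in ("global", "printers", "print$"):
            continue
        # 'public' is Samba's synonym for 'guest ok'.
        guest = is_true(opts.get("guest ok", "no")) or is_true(opts.get("public", "no"))
        # Samba defaults 'read only' to yes; 'writable'/'writeable' are its inverse.
        writable = (not is_true(opts.get("read only", "yes"))
                    or is_true(opts.get("writable", opts.get("writeable", "no"))))
        if guest:
            findings.append((share, "guest ok = yes: readable without authentication"))
        if guest and writable:
            findings.append((share, "guest ok + writable: anonymous upload possible"))
        path = opts.get("path")
        if check_fs and path and os.path.isdir(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((share, f"{path} is world-writable (mode {oct(mode)})"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {finding}")
```

Point `parse_smb_conf` at the contents of a real `/etc/samba/smb.conf` and pass `check_fs=True` to also catch the 777-style directory permissions from the table; the `guest ok + writable` finding is the one that corresponds to the `public` share's upload problem.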

***

## Enumerate SMB

When you're facing an SMB service during a penetration test, you’ll use a set of standard tools to **enumerate shares**, **check access**, and **extract useful data**.

### Nmap Scan

```bash
❯ nmap enumlikeapro.nca -T4 -sCV -p 139,445
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
| smb2-time: 
|   date: 2025-05-23T17:02:46
|_  start_date: N/A
|_nbstat: NetBIOS name: ENUMLIKEAPRO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
```

Let’s walk through **three essential SMB tools** every beginner should learn:

### `smbclient` – Command-Line SMB Client

`smbclient` is a built-in Linux tool that acts like a command-line FTP client, but for SMB. It allows you to connect to remote SMB shares and interact with them directly — listing files, downloading data, or uploading content (if the share allows it).

This is your go-to tool for **manually exploring** a share — just like browsing folders in File Explorer, but from the terminal.

Let's list all shares on `enumlikeapro.nca` using smbclient:

```bash
❯ smbclient -L //enumlikeapro.nca -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	public          Disk      
	finance         Disk      
	devops          Disk      
	IPC$            IPC       IPC Service (enumlikeapro server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
```

* `-L` lists available shares
* `-N` skips password prompt (anonymous)

Once we have listed the available shares, we can connect to any one of them:

```bash
❯ smbclient //enumlikeapro.nca/public -N
Try "help" to get a list of possible commands.
smb: \> 
```

* Once connected, you'll be in an interactive shell.

The commands here are similar to the ones from the FTP section, but here is a recap:

```bash
smb: \> ls               # List files in the share
smb: \> cd File          # Change Directory  
smb: \> get file.txt     # Download a file
smb: \> put evil.sh      # Upload a file (if allowed)
smb: \> exit             # Quit
```

If you find credentials during an engagement, come back and try connecting **with a username**:

```bash
❯ smbclient //enumlikeapro.nca/devops -U gita
Password for [WORKGROUP\gita]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri May 23 22:24:14 2025
  ..                                  D        0  Fri May 23 22:24:10 2025
  ssh_creds.txt                       N       36  Fri May 23 22:24:14 2025

		11758760 blocks of size 1024. 5225908 blocks available
```

We can also pass the password for `gita` on the command line using the `user%password` form (note that this leaves the password visible in shell history and process listings):

```bash
❯ smbclient //enumlikeapro.nca/devops -U gita%password
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri May 23 22:24:14 2025
  ..                                  D        0  Fri May 23 22:24:10 2025
  ssh_creds.txt                       N       36  Fri May 23 22:24:14 2025

		11758760 blocks of size 1024. 5225908 blocks available
```
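The `smbclient -L` listing, the per-share `ls`, and the `-N` / `-U user%pass` forms above are easy to chain into one pass over a server, which is useful when auditing your own hosts for shares that are listable without credentials. The following is an added example (not part of the original handbook and not a wrapper shipped with Samba): `parse_share_list()` extracts share names from the text `smbclient -L` prints, and `check_shares()` shells out to the real `smbclient` binary (assumed to be installed) to run `ls` on each non-administrative share. The embedded sample listing is the output shown on this page, constructed here as test input.

```python
"""Chain the smbclient steps above: list shares, then try 'ls' on each one.

Added example, not from the original handbook. parse_share_list() is pure
text parsing; check_shares() calls the real smbclient binary (assumed
installed) and is not exercised by the embedded sample.
"""
import re
import subprocess

# Constructed sample: the `smbclient -L //enumlikeapro.nca -N` output from this page.
SAMPLE_LISTING = """
\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\tpublic          Disk
\tfinance         Disk
\tdevops          Disk
\tIPC$            IPC       IPC Service (enumlikeapro server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
"""

# Administrative shares that are rarely worth an 'ls' in a share audit.
ADMIN_SHARES = {"IPC$", "print$", "ADMIN$", "C$"}
ROW = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")


def parse_share_list(text, skip_admin=True):
    """Return [(name, type, comment)] parsed from smbclient -L output."""
    shares = []
    in_table = False
    for line in text.splitlines():
        if "Sharename" in line and "Type" in line:
            in_table = True          # header row reached
            continue
        if not in_table or line.strip().startswith("---"):
            continue
        m = ROW.match(line)
        if not m:
            in_table = False         # first non-row line ends the table
            continue
        name, kind, comment = m.group(1), m.group(2), m.group(3).strip()
        if skip_admin and name in ADMIN_SHARES:
            continue
        shares.append((name, kind, comment))
    return shares


def auth_args(user=None, password=None):
    """-N for anonymous, otherwise -U user or -U user%password as on the page."""
    if user is None:
        return ["-N"]
    return ["-U", f"{user}%{password}" if password is not None else user]


def smbclient_args(host, share, user=None, password=None):
    """argv for a non-interactive 'ls' against one share."""
    return ["smbclient", f"//{host}/{share}", "-c", "ls"] + auth_args(user, password)


def check_shares(host, user=None, password=None, timeout=10):
    """Run 'ls' on every non-admin share and return {share: status}."""
    listing = subprocess.run(["smbclient", "-L", f"//{host}"] + auth_args(user, password),
                             capture_output=True, text=True, timeout=timeout)
    results = {}
    for name, _kind, _comment in parse_share_list(listing.stdout):
        proc = subprocess.run(smbclient_args(host, name, user, password),
                              capture_output=True, text=True, timeout=timeout)
        output = proc.stdout + proc.stderr
        if proc.returncode == 0:
            results[name] = "LISTABLE"
        elif "NT_STATUS_ACCESS_DENIED" in output:
            results[name] = "ACCESS DENIED"
        else:
            results[name] = "ERROR: " + output.strip()[:80]
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "enumlikeapro.nca"
    for share, status in check_shares(target).items():
        print(f"{share:<12} {status}")
```

Run it as `python3 smb_shares.py enumlikeapro.nca` for the anonymous check; calling `check_shares(host, "gita", "password")` repeats the check with the credentials from the `-U gita%password` example, which is what an authenticated audit of per-user share access looks like.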

### `smbmap`: Automated Share Scanner & Permission Checker

While `smbclient` lets you interact with one share at a time, `smbmap` scans **all shares** on the SMB server and tells you what level of access you have on each.

`smbmap` helps you **quickly identify which shares are readable, writable, or require authentication**. It's a perfect recon tool.

Let's run the tool and check the available shares:

```bash
❯ smbmap -H enumlikeapro.nca

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 192.168.10.163:445	Name: enumlikeapro.nca    	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	public                                            	READ, WRITE	
	finance                                           	READ ONLY	
	devops                                            	READ ONLY	
	IPC$                                              	NO ACCESS	IPC Service (enumlikeapro server (Samba, Ubuntu))
```

This tells you that `public` allows file uploads, while the other two are read-only.

If the anonymous scan returns nothing useful, `smbmap` also accepts credentials (`-u` for the username and `-p` for the password); see its help page for the full list of options.

### `enum4linux`: SMB Reconnaissance All-in-One

`enum4linux` is a powerful recon tool for enumerating SMB and NetBIOS information — especially useful against Windows systems or Samba servers that mimic Windows behavior.

This tool pulls **detailed system information** like:

* List of users and groups
* Share names and permissions
* OS details and domain information
* Password policies (sometimes)

Let's run the tool with the `-a` flag, which tells it to run all of its tests:

<details>

<summary>Expand me for enum4linux output</summary>

```bash
❯ enum4linux -a enumlikeapro.nca
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 23 22:44:00 2025

 =========================================( Target Information )=========================================

Target ........... enumlikeapro.nca
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on enumlikeapro.nca )==========================


[+] Got domain/workgroup name: WORKGROUP


 ==============================( Nbtstat Information for enumlikeapro.nca )==============================

Looking up status of 192.168.10.163
	ENUMLIKEAPRO    <00> -         B <ACTIVE>  Workstation Service
	ENUMLIKEAPRO    <03> -         B <ACTIVE>  Messenger Service
	ENUMLIKEAPRO    <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 =================================( Session Check on enumlikeapro.nca )=================================


[+] Server enumlikeapro.nca allows sessions using username '', password ''


 ==============================( Getting domain SID for enumlikeapro.nca )==============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 =================================( OS information on enumlikeapro.nca )=================================


[E] Can't get OS info with smbclient


[+] Got OS info for enumlikeapro.nca from srvinfo: 
	ENUMLIKEAPRO   Wk Sv PrQ Unx NT SNT enumlikeapro server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03


 =====================================( Users on enumlikeapro.nca )=====================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 ===============================( Share Enumeration on enumlikeapro.nca )===============================


	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	public          Disk      
	finance         Disk      
	devops          Disk      
	IPC$            IPC       IPC Service (enumlikeapro server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on enumlikeapro.nca

//enumlikeapro.nca/print$	Mapping: DENIED Listing: N/A Writing: N/A
//enumlikeapro.nca/public	Mapping: OK Listing: OK Writing: N/A
//enumlikeapro.nca/finance	Mapping: OK Listing: OK Writing: N/A
//enumlikeapro.nca/devops	Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//enumlikeapro.nca/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ==========================( Password Policy Information for enumlikeapro.nca )==========================



[+] Attaching to enumlikeapro.nca using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] ENUMLIKEAPRO
	[+] Builtin

[+] Password Info for Domain: ENUMLIKEAPRO

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


 =====================================( Groups on enumlikeapro.nca )=====================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ================( Users on enumlikeapro.nca via RID cycling (RIDS: 500-550,1000-1050) )================


[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-208997594-2400103124-596975992 and logon username '', password ''

S-1-5-21-208997594-2400103124-596975992-501 ENUMLIKEAPRO\nobody (Local User)
S-1-5-21-208997594-2400103124-596975992-513 ENUMLIKEAPRO\None (Domain Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\enumlikeapro (Local User)
S-1-22-1-1001 Unix User\sita (Local User)
S-1-22-1-1002 Unix User\ram (Local User)
S-1-22-1-1003 Unix User\admin (Local User)
S-1-22-1-1004 Unix User\dev (Local User)
S-1-22-1-1005 Unix User\gita (Local User)

 =============================( Getting printer info for enumlikeapro.nca )=============================

No printers returned.


enum4linux complete on Fri May 23 22:44:29 2025
```

</details>

