November 1, 2019 · Basic Pen-Testing

4.3 : Active information gathering techniques - SMB enum (Part III)

SMB Enumeration


SMB has a poor security track record; here is the system versions table:

SMB listens on TCP ports 139 (NetBIOS session service) and 445 (SMB directly over TCP).

Basic port scan (grepable output saved to smb.txt for later processing):

nmap -v -p 139,445 -oG smb.txt <target-range>   # <target-range> is a placeholder for the in-scope hosts
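Once the grepable file exists, the next step is to turn it into a list of hosts that actually expose SMB. The following script is an added example (not code from the original post) that parses nmap's -oG format: each "Host:" line carries the address, an optional hostname in parentheses, and a tab-separated "Ports:" field whose entries are port/state/protocol/owner/service/rpc/version. The SAMPLE_GNMAP text is constructed to look like such a file; the addresses and hostnames in it are invented.

```python
"""Parse nmap grepable output (-oG) and list hosts with SMB ports open."""
import re
from collections import defaultdict

SMB_PORTS = {139, 445}

# Constructed sample of nmap -oG output (invented hosts, not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Fri Nov  1 10:00:00 2019 as: nmap -v -p 139,445 -oG smb.txt 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 10.0.0.5 (fileserver.local)\tStatus: Up
Host: 10.0.0.5 (fileserver.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at Fri Nov  1 10:00:05 2019 -- 8 IP addresses (3 hosts up) scanned in 5.01 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "open": set(int)}} for every Host: line."""
    hosts = defaultdict(lambda: {"hostname": "", "open": set()})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        ip, hostname = m.group(1), m.group(2)
        entry = hosts[ip]
        if hostname:
            entry["hostname"] = hostname
        # Fields on a Host: line are tab-separated; only "Ports:" matters here.
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for port_spec in field[len("Ports:"):].split(","):
                parts = port_spec.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if proto == "tcp" and state == "open":
                    entry["open"].add(int(port))
    return dict(hosts)


def smb_exposed_hosts(text):
    """Sorted (ip, [open SMB ports]) pairs for hosts with 139 and/or 445 open."""
    return sorted(
        (ip, sorted(info["open"] & SMB_PORTS))
        for ip, info in parse_gnmap(text).items()
        if info["open"] & SMB_PORTS
    )


if __name__ == "__main__":
    # With a real file: smb_exposed_hosts(open("smb.txt").read())
    for ip, ports in smb_exposed_hosts(SAMPLE_GNMAP):
        print(f"{ip}: SMB open on {ports}")
```

Only "open" TCP entries count; "filtered" is deliberately ignored so that a firewall-shielded host does not end up on the exposure list.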

NetBIOS name scan with nbtscan:

nbtscan -r <target-range>   # -r sends from local port 137; <target-range> is a placeholder

Advanced scan

Null session
In SMB, a null session is by default an unauthenticated session (empty username and empty password).

info to obtain

Automated null-session enumeration tool:

enum4linux -a <target>   # <target> is a placeholder

| OS information on |
[+] Got OS info for from smbclient: Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[alice] rid:[0x3f0]
[+] Password Info for Domain: SRV2
[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: 42 days 22 hours 47 minutes
[+] Password Complexity Flags: 000000
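The enum4linux output above is what an auditor reports on: which accounts a null session reveals, and which password-policy values fall below a baseline. The script below is an added example, not part of the original post or of enum4linux itself; it parses the user/rid lines and the policy lines into a small report. The sample text is constructed after the output quoted above (the IP address in it is invented, since the original omits the target), and the baseline thresholds (12-character minimum, history of 5) are assumptions for illustration, not values from the text.

```python
"""Parse enum4linux -a output and flag weak password-policy settings."""
import re

# Constructed sample modelled on the enum4linux output in the text; the IP is invented.
SAMPLE_ENUM4LINUX = """\
[+] Got OS info for 10.0.0.5 from smbclient: Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[alice] rid:[0x3f0]
[+] Password Info for Domain: SRV2
[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: 42 days 22 hours 47 minutes
[+] Password Complexity Flags: 000000
"""

USER_RE = re.compile(r"^user:\[([^\]]*)\]\s+rid:\[0x([0-9a-fA-F]+)\]")
POLICY_RE = re.compile(
    r"^\[\+\]\s+(Minimum password length|Password history length|"
    r"Maximum password age|Password Complexity Flags):\s*(.*)$"
)
OS_RE = re.compile(r"OS=\[([^\]]*)\]")


def parse_enum4linux(text):
    """Return {"os": str|None, "users": [(name, rid_int)], "policy": {field: value}}."""
    result = {"os": None, "users": [], "policy": {}}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            # RID is printed in hex; keep it as an int (500 == built-in Administrator)
            result["users"].append((m.group(1), int(m.group(2), 16)))
            continue
        m = POLICY_RE.match(line)
        if m:
            result["policy"][m.group(1)] = m.group(2).strip()
            continue
        m = OS_RE.search(line)
        if m and result["os"] is None:
            result["os"] = m.group(1)
    return result


def policy_findings(policy, min_length=12, min_history=5):
    """Compare a parsed policy against a baseline (thresholds are assumed example values)."""
    findings = []
    length = policy.get("Minimum password length")
    if length in (None, "None") or int(length) < min_length:
        findings.append(f"minimum password length is {length} (baseline {min_length})")
    history = policy.get("Password history length")
    if history in (None, "None") or int(history) < min_history:
        findings.append(f"password history length is {history} (baseline {min_history})")
    flags = policy.get("Password Complexity Flags")
    if flags is not None and set(flags) <= {"0"}:
        findings.append("password complexity is not enforced (flags all zero)")
    return findings


def audit(text):
    """Turn raw enum4linux output into a small findings report."""
    parsed = parse_enum4linux(text)
    return {
        "os": parsed["os"],
        "null_session_users": [name for name, _ in parsed["users"]],
        "findings": policy_findings(parsed["policy"]),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ENUM4LINUX)
    print("OS:", report["os"])
    print("Users enumerable via null session:", ", ".join(report["null_session_users"]))
    for finding in report["findings"]:
        print("[!]", finding)
```

Every "None" policy value is treated as a finding on its own, so the check never calls int() on it; the remediation side of each finding is the corresponding domain or local security policy setting.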

nmap SMB scripts (NSE):

nmap -v -p 139,445 --script "smb*" <target>   # quoting keeps the shell from expanding the glob; <target> is a placeholder
# or pick a specific script from: ls -la /usr/share/nmap/scripts/smb*