SMB & Samba Enumeration
Why SMB Matters
Server Message Block (SMB) is the file and resource‑sharing protocol used heavily in Windows environments and widely supported on Linux through Samba. It governs access to files, shares, printers, and other network resources. Because SMB is often deployed in trusted internal networks, misconfigurations can expose sensitive data to unauthenticated users.
SMB, CIFS, and Samba
Samba implements the CIFS dialect (legacy SMB 1) and supports modern SMB versions as well. Older NetBIOS‑based SMB traffic can use TCP 137/138/139, while modern SMB typically runs on TCP 445 only.
| SMB Version | Supported | Highlights |
|---|---|---|
| CIFS | Windows NT 4.0 | NetBIOS transport |
| SMB 1.0 | Windows 2000 | Direct TCP |
| SMB 2.0/2.1 | Vista/7, Server 2008 | Performance & locking improvements |
| SMB 3.x | Windows 8+ | Encryption, multichannel, integrity |
Samba 3 can join an AD domain; Samba 4 can act as a domain controller. Key daemons include smbd (file services) and nmbd (NetBIOS name services).
Default Configuration (What to Expect)
Samba’s configuration lives in /etc/samba/smb.conf. Global settings apply to all shares unless overridden. Typical defaults include logging, workgroup name, and printer shares.
Common share settings:
| Setting | Meaning |
|---|---|
| [share] | Share name exposed to clients |
| path = /path | Local path exported |
| browseable = yes | Visible in share listings |
| guest ok = yes | Anonymous access allowed |
| read only = yes | Read-only share |
| create mask = 0700 | File permission mask |
Risky Settings to Watch
Certain options frequently create exposure:
- browseable = yes: makes the share visible to anonymous users.
- read only = no / writable = yes: enables write access.
- guest ok = yes: allows access without credentials.
- create mask = 0777 / directory mask = 0777: grants world-writable permissions.
- logon script / magic script: can enable script execution on access.
These are often retained from testing and lead to accidental data exposure.
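The two sections above (share settings and the risky values) can be checked mechanically before a share ever goes live. The following is an added example, not Samba's own code and not from this page: a small smb.conf parser that applies [global] defaults to each share unless the share overrides them, folds Samba's synonyms (writable/writeable/write ok, public, browsable) into one parameter each, and reports the risky combinations listed above. The built-in defaults (browseable = yes, read only = yes, guest ok = no, create mask = 0744, directory mask = 0755) are Samba's documented defaults; the sample configuration at the bottom is constructed for illustration.

```python
"""Audit a Samba smb.conf for the risky share settings listed above (added example)."""
import re

# Samba accepts several spellings for some parameters; map them to one name.
# "writable"/"writeable"/"write ok" are the inverse of "read only".
SYNONYMS = {
    "browsable": "browseable",
    "public": "guest ok",
    "writeable": "writable",
    "write ok": "writable",
}

# Samba's built-in defaults for a share when the parameter is not set anywhere.
DEFAULTS = {
    "browseable": "yes",
    "read only": "yes",
    "guest ok": "no",
    "create mask": "0744",
    "directory mask": "0755",
}


def to_bool(value):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None  # unrecognised value, treated as unknown


def normalise_key(key):
    key = " ".join(key.lower().split())  # parameter names are case/whitespace-insensitive
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} in file order; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = normalise_key(key), value.strip()
        if key == "writable":
            # Store "writable = yes" as "read only = no" so one rule covers both spellings.
            flag = to_bool(value)
            if flag is not None:
                sections[current]["read only"] = "no" if flag else "yes"
        else:
            sections[current][key] = value
    return sections


def effective(sections, share):
    """Global settings apply to every share unless the share overrides them."""
    merged = dict(DEFAULTS)
    merged.update(sections.get("global", {}))
    merged.update(sections.get(share, {}))
    return merged


def audit(text):
    """Return a list of (section, severity, message) findings."""
    sections = parse_smb_conf(text)
    findings = []
    for name, params in sections.items():
        # Script hooks are risky wherever they appear, including [global].
        for param in ("logon script", "magic script"):
            if param in params:
                findings.append((name, "MEDIUM", f"{param} = {params[param]} (script execution on access)"))
        if name == "global":
            continue
        cfg = effective(sections, name)
        guest = to_bool(cfg["guest ok"]) is True
        writable = to_bool(cfg["read only"]) is False
        browseable = to_bool(cfg["browseable"]) is True
        if guest and writable:
            findings.append((name, "HIGH", "anonymous write access (guest ok = yes, read only = no)"))
        elif guest:
            findings.append((name, "MEDIUM", "anonymous read access (guest ok = yes)"))
        if guest and browseable:
            findings.append((name, "LOW", "browseable, so listed to anonymous clients"))
        for mask in ("create mask", "directory mask"):
            try:
                bits = int(cfg[mask], 8)
            except ValueError:
                continue
            if bits & 0o002:  # world-writable bit set
                findings.append((name, "HIGH", f"{mask} = {cfg[mask]} grants world-writable permissions"))
    return findings


# Constructed sample configuration, not a real deployment.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/log.%m
   create mask = 0744

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
   create mask = 0777

[finance]
   path = /srv/samba/finance
   browsable = no
   public = no
   read only = yes

[scratch]
   path = /srv/samba/scratch
   guest ok = yes
   magic script = cleanup.sh
"""

if __name__ == "__main__":
    for section, severity, message in audit(SAMPLE_SMB_CONF):
        print(f"[{severity:6}] [{section}] {message}")
```

Run against the sample, [public] is reported for anonymous write access and a world-writable create mask, [scratch] for anonymous read access plus a magic script, and [finance] produces nothing because it inherits the safe global mask and disables guest access and browsing. Replace SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf to audit a real host; `testparm` remains the authoritative check for how Samba itself interprets the file.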
Enumeration Workflow (Safe)
Start by confirming SMB services and versions:
```
nmap -sV -sC -p 139,445 <target>
```
Share Listing via SMB Client
Check whether anonymous access is allowed and list available shares:
```
smbclient -N -L //<target>
```
Connect to a share and explore:
```
smbclient //<target>/<share>
```
RPC Enumeration
SMB exposes RPC endpoints that can reveal domains, users, and shares:
```
rpcclient -U "" <target>
```
Useful RPC queries:
| Query | Purpose |
|---|---|
| srvinfo | Server info |
| enumdomains | Enumerate domains |
| netshareenumall | List shares |
| enumdomusers | Enumerate users |
Additional Tools
- SMBMap for quick share permissions
- CrackMapExec for broad SMB inventory
- enum4linux‑ng for automated enumeration
Example:
```
smbmap -H <target>
crackmapexec smb <target> --shares -u '' -p ''
./enum4linux-ng.py <target> -A
```
Command Reference
| Command | Description |
|---|---|
| smbclient -N -L //<FQDN/IP> | Null session authentication on SMB. |
| smbclient //<FQDN/IP>/<share> | Connect to a specific SMB share. |
| rpcclient -U "" <FQDN/IP> | Interaction with the target using RPC. |
| samrdump.py <FQDN/IP> | Username enumeration using Impacket scripts. |
| smbmap -H <FQDN/IP> | Enumerating SMB shares. |
| crackmapexec smb <FQDN/IP> --shares -u '' -p '' | Enumerating SMB shares using null session authentication. |
| enum4linux-ng.py <FQDN/IP> -A | SMB enumeration using enum4linux. |
Practical Takeaways
- Anonymous SMB access is a high‑risk finding, especially with write permissions.
- Browsable shares can leak internal structure and sensitive files.
- RPC enumeration can disclose users and domains, enabling password attacks.
- Always document version info, share permissions, and anonymous access.
A concise reference for SMB/Samba behavior, configuration risks, and safe enumeration techniques.