akde/infosec

Information security is ultimately about managing risk


Note: port 139 is the NetBIOS session service (a session-layer protocol), which is distinct from SMB over port 445.

Enumeration

Mandatory

If you have no credentials yet:

  1. Enumerate with enum4linux:
    enum4linux -a $target
  2. Enumerate shares:
    smbmap -r -H $target -u Guest
    smbmap -r -H $target
    nmap --script smb-enum-shares.nse -p445 $target
    smbclient --no-pass -L //$target
  3. Perform nbtscan to query valid NetBIOS names:
    nbtscan -r 10.0.0.0/24
  4. Perform nmap script scan(s): (! Don't use all of them, see the nmap script post and choose promising nmap scripts!)
    nmap --script=smb-* -p445 $target
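The steps above all show up on the target as share access by Guest or ANONYMOUS LOGON, usually against several shares within a second or two. The following is an added example, not part of the original checklist, of how a defender would spot that pattern: it assumes Windows Security Event ID 5140 ("A network share object was accessed") records have already been exported as dicts with the field names AccountName, AccountDomain, IpAddress, ShareName and TimeCreated; the sample records are constructed for illustration.

```python
"""Flag SMB share enumeration in exported Windows Security event records.

Added example, not part of the original checklist. Assumes Event ID 5140
records exported as dicts with AccountName, AccountDomain, IpAddress,
ShareName and an ISO-8601 TimeCreated. Sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts whose share access is almost never legitimate on a member server.
UNAUTHENTICATED_ACCOUNTS = {"ANONYMOUS LOGON", "GUEST"}

# Constructed sample: one Guest-driven share walk from 10.0.0.5 and
# ordinary file access by a domain user from 10.0.0.20.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T10:00:00", "AccountName": "Guest", "AccountDomain": "WORKGROUP",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\IPC$"},
    {"TimeCreated": "2024-03-01T10:00:01", "AccountName": "Guest", "AccountDomain": "WORKGROUP",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$"},
    {"TimeCreated": "2024-03-01T10:00:01", "AccountName": "Guest", "AccountDomain": "WORKGROUP",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\C$"},
    {"TimeCreated": "2024-03-01T10:00:02", "AccountName": "Guest", "AccountDomain": "WORKGROUP",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\Data"},
    {"TimeCreated": "2024-03-01T10:05:00", "AccountName": "alice", "AccountDomain": "CORP",
     "IpAddress": "10.0.0.20", "ShareName": "\\\\*\\Data"},
    {"TimeCreated": "2024-03-01T10:07:00", "AccountName": "alice", "AccountDomain": "CORP",
     "IpAddress": "10.0.0.20", "ShareName": "\\\\*\\IPC$"},
]


def find_unauthenticated_access(events):
    """Return every event where the share was opened by Guest or ANONYMOUS LOGON."""
    return [e for e in events if e["AccountName"].upper() in UNAUTHENTICATED_ACCOUNTS]


def find_share_walks(events, window=timedelta(seconds=60), min_shares=3):
    """Return (source_ip, account, shares) for each source that touched at
    least `min_shares` distinct shares inside `window`.

    A user opening one share and working in it looks nothing like this; a
    share listing (smbmap, smbclient -L, smb-enum-shares) touches IPC$ and
    then several shares back to back.
    """
    by_source = defaultdict(list)
    for e in events:
        key = (e["IpAddress"], e["AccountName"])
        by_source[key].append((datetime.fromisoformat(e["TimeCreated"]), e["ShareName"]))

    alerts = []
    for (ip, account), hits in by_source.items():
        hits.sort()
        # Slide a window starting at each event; report the first burst only.
        for i, (t0, _) in enumerate(hits):
            shares = {share for t, share in hits[i:] if t - t0 <= window}
            if len(shares) >= min_shares:
                alerts.append((ip, account, sorted(shares)))
                break
    return alerts


if __name__ == "__main__":
    for e in find_unauthenticated_access(SAMPLE_EVENTS):
        print("unauthenticated access:", e["IpAddress"], e["AccountName"], e["ShareName"])
    for ip, account, shares in find_share_walks(SAMPLE_EVENTS):
        print(f"share walk from {ip} as {account}: {', '.join(shares)}")
```

Event 5140 is not logged by default; it needs the "Audit File Share" subcategory enabled under Object Access. The window and share threshold are tuning knobs: on a file server where users legitimately map several shares at logon, raise `min_shares` or exclude the logon window, but keep the Guest/ANONYMOUS LOGON check unconditional.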

If you have already user credentials:

  1. Enumerate shares:
    smbmap -u L4mpje -p 'bureaulampje' -d WORKGROUP -H $target -R
  2. Execute a command (alternatively with pth-winexe or the Impacket tools, see also Windows Command execution):
    smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target

On Windows

  1. Enumerate open shares on the target dc01:
    >net view \\dc01 /all

Optional

  • Try other programs for enumeration from the SMB blog post.
  • Try to spray passwords.
  • If you have access with smbclient, try alternate data streams:
    smb: \C.Smith\HQK Reporting> allinfo "Debug Mode Password.txt"
