# 445 tcp - SMB *references:* * * ### SMBCLient ```bash smbclient -L \\192.168.1.5 Enter WORKGROUP\root's password: # Sharename Type Comment # --------- ---- ------- # IPC$ IPC Remote IPC # share Disk # wwwroot Disk # ADMIN$ Disk Remote Admin # C$ Disk Default share # Reconnecting with SMB1 for workgroup listing. #Server Comment # --------- ------- #Workgroup Master # --------- ------- ``` ### NMBLookup ```bash nmblookup -A 192.168.0.5 # Looking up status of [ip] # [hostname] <00> - M # [hostname] <20> - M # WORKGROUP <00> - M # WORKGROUP <1e> - M # <03> - M # INet~Services <1c> - M # IS~[hostname] <00> - M # MAC Address = 00-50-56-XX-XX-XX ``` ### SMBClient ```bash # use smb1 smbclient -L //10.10.10.10 --option='client min protocol=NT1' -U"administrator" # no pass smbclient -L //10.10.10.10 -N ``` ### Nmap Scan ```bash nmap -v -p 139,445 -oG smb.txt 10.11.24.1-100 # smb enum script nmap -p 139,445 --script smb-enum-users # Checks for OS of SMB nmap -v -p 139,445 --script smb-os-discovery 10.11.24.85 #Checks for smb vulnerability nmap -v -p 139,445 --script vuln ``` ### NBTScan `nbtscan -r 10.11.24.0/24` ### RPCClient *Null sessions, In windows NT2000/XP default config for SMB allows for nullsessions to be created. In windows 2003/XP SP2 onwards, this is disabled. Use RPCClient to explore nullsessions.* ```bash Rpcclient -U "" 129.168.1.200 #Server info such as OS version, server type srvinfo #Users information enumdomusers #Show password policy getdompwinfo #Domain info querydomaininfo #find net share netshareenum ``` ### Enum4Linux `enum4linux -v 192.168.1.200` ### SMBMap ```bash smbmap -H 192.168.1.5 [+] Finding open SMB ports.... [+] User SMB session establishd on [ip]... [+] IP: [ip]:445 Name: [ip] Disk Permissions ---- ----------- ADMIN$ NO ACCESS C$ NO ACCESS IPC$ NO ACCESS NETLOGON NO ACCESS Replication READ ONLY SYSVOL NO ACCESS ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://refabr1k.gitbook.io/oscp/info-gathering/smb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.