1. NetBIOS / SMB
    1. enumerate wuth nmap
    2. enumerate with nbtscan
    3. enumerate with smbclient
    4. enumerate with smbmap
    5. enumerate with enum4linux
    6. enumerate with nmblookup
    7. enumerate with rpcclient
  2. Resources and More


NetBIOS Services:

  • NetBIOS Name Service (TCP/UDP Port 137)
  • NetBIOS Datagram Service (TCP/UDP Port 138)
  • NetBIOS Session Service (TCP/UDP Port 139)


  • Newer SMB uses TCP Port 445 (without the need for the NetBIOS layer)

enumerate wuth nmap

# against TCP ports 139,445
nmap -vv --reason -Pn -sV -p139,445 --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" <target>

# same but against UDP 
nmap -vv --reason -Pn -sU -sV -p137 --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" <target>

enumerate with nbtscan

nbtscan -rvh <target>
  • Example:
    root@kali220:~# nbtscan -rvh 
    Doing NBT name scan for addresses from 
    NetBIOS Name Table for Host 
    Incomplete packet, 227 bytes long. 
    Name             Service          Type 
    DOMAIN       Workstation Service 
    DOMAIN       Messenger Service 
    DOMAIN       File Server Service 
    __MSBROWSE__  Master Browser 
    WORKGROUP        Domain Name 
    WORKGROUP        Master Browser 
    WORKGROUP        Browser Service Elections 
    Adapter address: 00:00:00:00:00:00 

enumerate with smbclient

# attempt null session, show shares
smbclient -L\\ -N -I <target> 

# same thing
echo exit | smbclient -L <target>

# to access a share
smbclient \\\\<target>\\share ""
  • Example:
    root@kali220:~# smbclient -L\\ -N -I 
          Sharename       Type      Comment 
          ---------       ----      ------- 
          print$          Disk      Printer Drivers 
          Files           Disk      Domain Samba Server Files /etc/Files 
          general         Disk      Domain Samba Server Files 
          Development     Disk      Domain Samba Server Files 
          PC$            IPC       IPC Service (Domain server (Samba, Ubuntu)) 
    Reconnecting with SMB1 for workgroup listing. 
          Server               Comment 
          ---------            ------- 
          Workgroup            Master 
          ---------            ------- 
          WORKGROUP            DOMAIN 

enumerate with smbmap

# show share permissions, attempt null session
# keep in mind <port> can be 139 or 445
smbmap -H <target> -P <port>
smbmap -u null -p "" <target> -P <port>

# list share contents
smbmap -H <target> -p <port> -R
smbmap -u null -p "" <target> -P <port> -R

# attempt command execution
smbmap -u null -p "" <target> -P <port> -R -x "whoami"
  • Example:
    # list share permissions
    root@kali220:~# smbmap -u null -p "" -H -P 445 
    [+] Finding open SMB ports.... 
    [+] Guest SMB session established on 
    [+] IP:        Name: 
          Disk                                                    Permissions 
          ----                                                    ----------- 
          print$                                                  NO ACCESS 
          Files                                                   NO ACCESS 
          general                                                 READ ONLY 
          Development                                             READ, WRITE 
          IPC$                                                    NO ACCESS 

enumerate with enum4linux

enum4linux -a -M -l -d <target> 

enumerate with nmblookup

# query with nmblookup (part of the samba suite of tools)
nmblookup -A $target

enumerate with rpcclient

# attempt a null session with rpcclient
rpcclient -U "" -P $target

# rpcclient password spraying:  
for u in 'cat users.txt'; do echo -n "[*] user: $u" && rpcclient -U "$u%Password" -c "getusername;quit" $target ; done

Resources and More