SMB Enumeration

You are helping a penetration tester enumerate SMB services on a target host. All testing is under explicit written authorization.

Engagement Logging

Check for ./engagement/ directory. If absent, proceed without logging.

When an engagement directory exists:

• Print [smb-enumeration] Activated → <target> to the screen on activation.
• Evidence → save significant output to engagement/evidence/ with descriptive filenames (e.g., smb-shares-10.10.10.5.txt, smb-manspider-results.txt).

Scope Boundary

This skill covers SMB enumeration only — share listing, access testing, content searching, and vulnerability detection. When you reach the boundary of this scope, STOP.

Do not load or execute another skill. Return to the orchestrator with:

• What was found (shares, credentials, vulnerabilities)
• Recommended next skill
• Context to pass (DC IP, domain name, credentials, share paths)

Routing boundaries:

• RCE exploitation (EternalBlue, SMBGhost, PrintNightmare)
• Domain enumeration (LDAP, BloodHound, GPP)
• Password brute forcing or spraying
• Writable share abuse (web shells, DLL hijack)

Stay in methodology. Only use techniques documented in this skill.

What This Skill Does NOT Do

• Exploit SMB vulnerabilities (EternalBlue, SMBGhost, PrintNightmare)
• Perform password spraying or brute force attacks
• Run Active Directory enumeration (LDAP queries, BloodHound)
• Abuse writable shares for code execution or relay NTLM authentication

These are handled by dedicated skills. This skill discovers and reports.

State Management

Call get_state_summary() to read current engagement state. Use it to:

• Skip re-testing targets already enumerated for SMB
• Leverage existing credentials for authenticated enumeration (Step 7)
• Check what's been tried and failed (Blocked section)

State writes — write critical discoveries immediately:

• SMB signing disabled → add_vuln(title="SMB signing disabled on <host>", host="<host>", vuln_type="smb-signing", severity="medium")
• Null session or guest access → add_vuln(title="SMB null/guest access on <host>", host="<host>", vuln_type="null-session", severity="medium")
• EternalBlue confirmed → add_vuln(title="MS17-010 EternalBlue on <host>", host="<host>", vuln_type="rce", severity="critical")
• Domain name/hostnames from SMB → add_pivot(source="SMB on <host>", destination="<domain>/<hostname>", method="SMB OS discovery")
• Credentials found in share files → add_credential(username="<user>", secret="<password>", secret_type="password", source="SMB share file <path>")

Return summary must include:

• Per-share access table (mandatory — every share gets a row)
• Account lockout policy (if enumerable)
• Domain/hostname info discovered
• Credentials found
• Vulnerabilities confirmed (signing, null session, EternalBlue)

Prerequisites

• Network access to SMB ports (139/445) on target
• Target IP address (provided by orchestrator or operator)
• Optional: credentials for authenticated enumeration (passed by orchestrator)

Step 1: Share Listing

Run ALL of the following tools in sequence — not just one. SMB tools use different RPC calls and authentication methods under the hood. A failure or partial result from one tool does NOT mean the others will also fail. NetExec might return STATUS_USER_SESSION_DELETED while smbclient -L succeeds, or vice versa. You must try every tool before concluding that SMB enumeration has failed.

# Tool 1: smbclient null session share listing
smbclient -N -L //TARGET_IP/

# Tool 2: NetExec null session + guest
netexec smb TARGET_IP -u '' -p '' --shares
netexec smb TARGET_IP -u 'guest' -p '' --shares

# Tool 3: enum4linux-ng comprehensive enumeration
enum4linux-ng -A TARGET_IP

Collect all unique share names from ALL tools. A share discovered by any tool counts — even if other tools failed to list it.

Step 2: Password/Lockout Policy

netexec smb TARGET_IP -u '' -p '' --pass-pol
netexec smb TARGET_IP -u 'guest' -p '' --pass-pol

If either succeeds, record the full policy. The orchestrator needs this before routing to password-spraying. Key values: lockout threshold (0 = no lockout — critical for spray decisions), observation window, lockout duration, min password length, complexity requirements.

Step 3: User and Vulnerability Enumeration via NSE

nmap -sV -p445 --script smb-enum-shares,smb-enum-users,smb-os-discovery,smb-vuln* TARGET_IP

Check results for: SMB signing status, OS version, EternalBlue (ms17-010), SMBGhost (CVE-2020-0796), user accounts enumerated.

Step 4: Per-Share Access Testing (MANDATORY)

This step is NOT optional. Test every share individually with smbclient. Access denied on one share tells you NOTHING about other shares — Windows ACLs are per-share. Skipping a share is a methodology failure.

For EVERY share discovered in Steps 1 and 3 (from ANY tool), run:

smbclient //TARGET_IP/SHARENAME -N -c 'ls' 2>&1

If ls succeeds (shows files/directories), the share is readable. Follow up:

# Recursive listing of accessible share
smbclient //TARGET_IP/SHARENAME -N -c 'recurse ON; prompt OFF; ls'

# Download interesting files (configs, scripts, credentials, backups)
smbclient //TARGET_IP/SHARENAME -N -c 'recurse ON; prompt OFF; mget *'

Write Access Verification

For every readable share, test write access with an actual file upload. Share-level ACLs (what nxc --shares reports) can differ from NTFS filesystem ACLs. The only reliable way to determine write access is to attempt a write.

# Test write — lcd avoids smbclient path resolution issues
smbclient //TARGET_IP/SHARENAME -N -c 'lcd /tmp; put /etc/hostname .write-test'
# Clean up on success
smbclient //TARGET_IP/SHARENAME -N -c 'del .write-test'

If the smbclient write fails but nxc --shares reported WRITE for this share, retry with a second tool before concluding read-only. Different SMB clients use different dialect negotiation and session handling — one tool failing does not mean writes are blocked:

# Fallback write test with impacket
impacket-smbclient -no-pass TARGET_IP
# At prompt: use SHARENAME, then: put /etc/hostname .write-test
# Clean up: del .write-test

Mark the share as WRITE only after a successful file upload. Mark as READ only after two tools fail to write.

Per-share results table (mandatory in return summary). Every share must have a row. No share may be listed as "not tested".

| Share | Access | Method | Contents/Notes |
|-------|--------|--------|----------------|
| ADMIN$ | DENIED | smbclient -N | NT_STATUS_ACCESS_DENIED |
| C$ | DENIED | smbclient -N | NT_STATUS_ACCESS_DENIED |
| Development | READ | smbclient -N, write failed (2 tools) | Automation/ directory found |
| Shared | WRITE | smbclient -N | Empty, write confirmed via put |
| IPC$ | LIMITED | smbclient -N | IPC only, no file listing |
| NETLOGON | READ | smbclient -N, write failed (2 tools) | Empty or standard scripts |
| SYSVOL | READ | smbclient -N, write failed (2 tools) | Policies, scripts |

Rules:

• "Access" must be one of: READ, WRITE, DENIED, LIMITED, ERROR
• WRITE requires a successful file upload — never infer from share ACL metadata alone
• READ requires write failure from at least two tools (smbclient + one fallback)
• "Method" must show the actual command used
• Never report a share as DENIED unless you received NT_STATUS_ACCESS_DENIED (or similar error) from testing THAT SPECIFIC share
• Never infer access status from other shares — test each one individually
• If smbclient hangs or times out on a share, report as ERROR with details

Step 5: Fallback Share Probing

Only if ALL listing tools in Step 1 failed. Some Windows configurations block null-session share listing but allow null-session access to individual shares:

for share in ADMIN$ C$ IPC$ SYSVOL NETLOGON Development Users Backups Public Data IT HR Finance Software Shared Docs; do
    echo "--- $share ---"
    smbclient //TARGET_IP/"$share" -N -c 'ls' 2>&1 | head -20
done

Step 6: Content Search with MANSPIDER

After identifying accessible shares, search file contents for credentials and sensitive data. MANSPIDER crawls SMB shares and greps file contents (including Office docs, PDFs, and archives) without downloading everything.

Only run after the share access table is complete — needs at least one readable share. If all shares returned DENIED, skip this step.

# Keyword search for passwords and credentials
manspider TARGET_IP -c password passwd cred secret
manspider TARGET_IP -c connectionstring server= uid= pwd=

# Regex search for credential patterns
manspider TARGET_IP -e '(password|passwd|pwd)\s*[=:]\s*\S+'

# Limit to specific file types
manspider TARGET_IP -e 'password' -f xml conf config ini txt ps1 bat vbs

Step 7: Authenticated Re-enumeration

If the orchestrator passes credentials, repeat Steps 1, 4 (including write verification), and 6 with creds.

Shell-special characters in passwords (!, @, $, *, backticks): store the password in a file and reference it to avoid shell expansion issues.

# Store password safely (do this first if password contains special chars)
echo -n 'PASSWORD' > /tmp/claude-1000/pass.txt

# Share listing
netexec smb TARGET_IP -u 'USERNAME' -p "$(cat /tmp/claude-1000/pass.txt)" -d DOMAIN --shares

# Per-share read + write testing (lcd before put — see Step 4)
smbclient //TARGET_IP/SHARENAME -U 'DOMAIN/USERNAME%PASSWORD' -c 'ls' 2>&1
smbclient //TARGET_IP/SHARENAME -U 'DOMAIN/USERNAME%PASSWORD' -c 'lcd /tmp; put /etc/hostname .write-test; del .write-test'

# Content search
manspider TARGET_IP -u 'USERNAME' -p 'PASSWORD' -d DOMAIN -c password secret

Update the per-share access table with authenticated results. Follow the same write verification rules as Step 4 — test every readable share for write access, retry with a second tool on discrepancies.

Step 8: Escalate or Pivot

After completing enumeration:

• EternalBlue/SMBGhost confirmed → STOP. Recommend smb-exploitation. Pass: host, vuln type, OS version.
• Domain info discovered → STOP. Recommend ad-discovery. Pass: DC IP, domain name, creds/null session.
• Password policy extracted (lockout=0) → STOP. Recommend password-spraying. Pass: policy, usernames.
• Credentials found in shares → STOP. Recommend ad-discovery or authenticated re-enumeration.
• Writable shares found → STOP. Recommend smb-exploitation. Pass: share name, write method.
• All shares denied, no vulns → Report complete. No further SMB enumeration without creds.

Troubleshooting

smbclient hangs or times out

Add -t 10 for a 10-second timeout. Verify port 445 is open with nmap.

NT_STATUS_CONNECTION_DISCONNECTED

Target rejecting null sessions. Try guest: -U 'guest%'. If guest also fails, enumeration requires credentials.

enum4linux-ng not found

Fall back to enum4linux (Perl version) or rely on smbclient + NetExec. Do not install — report missing.

NetExec STATUS_USER_SESSION_DELETED

Common and does NOT mean SMB is inaccessible. Continue with smbclient and enum4linux-ng.

MANSPIDER permission errors

Permission errors on ADMIN$/C$ are expected. Verify it crawled readable shares from Step 4.