
SMB

The process of identifying and gathering information about SMB (Server Message Block) services running on a network is known as enumeration. This data can be used to identify security flaws, misconfig

Nmap

$ nmap -p139,445 --script smb-enum-shares <target IP>

This command will scan the target IP for open SMB ports (139 and 445) and run the smb-enum-shares script to gather information about shared directories.

smbclient

$ smbclient -L <target IP>

This command will list the shared directories on the target IP.

rpcclient

$ rpcclient -U "" <target IP>

This command connects to the target IP with a null session (an empty username). From the resulting rpcclient prompt, users, shares, and other information about the SMB service can be listed.

enum4linux

$ enum4linux -a <target IP>

This command will run a comprehensive enumeration of the SMB service on the target IP and gather information about shares, users, and groups.

smbmap

$ smbmap -H <target IP>

This command will scan the target IP for open SMB shares and provide information about the share names, permissions, and any writable shares.
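
What the null-session and share listings above expose can also be checked from the server side. The following is an added example, not part of the original page: it audits a Samba smb.conf for anonymous IPC$ access, guest mapping, and guest-accessible shares. It assumes the server is Samba; the sample configuration and the helper names are constructed for illustration.

```python
import configparser

# Constructed sample smb.conf for illustration, not taken from a real host.
SAMPLE_CONF = """
[global]
   workgroup = LAB
   map to guest = Bad User
   restrict anonymous = 0
[public]
   path = /srv/public
   guest ok = yes
   read only = no
[finance]
   path = /srv/finance
   valid users = @finance
"""
TRUE = {"yes", "true", "1"}

def norm(section):
    # Samba ignores case and whitespace in parameter names.
    return {k.replace(" ", "").lower(): v.strip().lower() for k, v in section.items()}

def audit(conf_text):
    """Return (section, finding) pairs for anonymous/guest exposure."""
    # Strip indentation so configparser does not read it as a continuation line;
    # interpolation=None keeps Samba's %U-style variables literal.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    g = norm(cp["global"]) if cp.has_section("global") else {}
    if g.get("restrictanonymous", "0") != "2":
        findings.append(("global", "restrict anonymous is not 2: anonymous IPC$ connections allowed"))
    if g.get("maptoguest", "never") != "never":
        findings.append(("global", "map to guest is enabled: some failed logons become guest"))
    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = norm(cp[name])
        guest = s.get("guestok", s.get("public", "no")) in TRUE
        # 'writable'/'writeable' are inverted synonyms of 'read only' (default yes).
        writable = (s.get("readonly", "yes") not in TRUE
                    or s.get("writable", s.get("writeable", "no")) in TRUE)
        if guest:
            findings.append((name, "guest access, writable" if writable else "guest access, read-only"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```

The check treats a share as writable if either `read only` or `writable` says so, which is a simplification of Samba's last-setting-wins behaviour.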

Metasploit

Metasploit modules for SMB enumeration

smb_enumusers:

use auxiliary/scanner/smb/smb_enumusers
set RHOSTS [IP address of target]
run

smb_enumshares:

use auxiliary/scanner/smb/smb_enumshares
set RHOSTS [IP address of target]
run

smb_lookupsid:

use auxiliary/scanner/smb/smb_lookupsid
set RHOSTS [IP address of target]
set SMBUser [username to authenticate as]
run

smb_version:

use auxiliary/scanner/smb/smb_version
set RHOSTS [IP address of target]
run

Last updated 2 years ago