Introduction
In this lab, you will learn how to perform Server Message Block (SMB) enumeration using the Metasploit Framework. SMB is a network protocol used for providing shared access to files, printers, and serial ports between nodes on a network. Enumerating the SMB version is a crucial first step in penetration testing, as it helps identify the specific software and version running on a target, which can then be cross-referenced with known vulnerabilities.
We will use one of Metasploit's auxiliary scanner modules, specifically auxiliary/scanner/smb/smb_version, to scan a target and determine its SMB version. Metasploit is a powerful penetration testing framework that makes it easy to find, exploit, and validate vulnerabilities.
By the end of this lab, you will be familiar with launching Metasploit, searching for modules, configuring module options, and running a scanner to gather information about a target system.
Search for the smb_version auxiliary module
In this step, we will launch the Metasploit Framework console and search for the appropriate module to perform SMB version scanning. The msfconsole is the primary interface for interacting with Metasploit.
First, open a terminal and start the Metasploit console by running the following command. It may take a moment to initialize.
msfconsole -q
The -q flag suppresses the startup banner. Once loaded, you will see the Metasploit prompt, which looks like msf6 >.
Now, let's find the SMB version scanning module. We can use the search command to look for modules related to smb_version.
search smb_version
You will see a list of matching modules. The one we are interested in is an auxiliary scanner. The output should look similar to this:
Matching Modules
================
#  Name                                              Disclosure Date  Rank           Check  Description
-  ----                                              ---------------  ----           -----  -----------
0  auxiliary/scanner/smb/smb_version                                  normal         No     SMB Version Detection
1  exploit/windows/smb/smb_doublepulsar_eternalblue  2017-04-14       extraordinary  Yes    SMBv1/SMBv2 DoublePulsar/EternalBlue Unauthenticated RCE
From the output, we can see that auxiliary/scanner/smb/smb_version is the module we need.
Select the smb_version module
In this step, you will select the module we found in the previous step. After identifying the correct module, you need to load it into the framework's context using the use command.
In your msfconsole prompt, type the following command to select the smb_version scanner:
use auxiliary/scanner/smb/smb_version
You will notice that your prompt changes to reflect the currently loaded module:
msf6 auxiliary(scanner/smb/smb_version) >
This indicates that the module is now active. To see what options we can configure for this module, use the show options command:
show options
This will display a table of parameters you can set for the module.
Module options (auxiliary/scanner/smb/smb_version):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS  1                yes       The number of concurrent threads (max one per host)
Pay close attention to the RHOSTS and THREADS options, as we will configure them in the next steps. The Required column shows that RHOSTS must be set before we can run the scanner.
Set the RHOSTS option to the target IP range
In this step, we will configure the target for our scan. The RHOSTS option (Remote Hosts) tells Metasploit which machine(s) to scan. For this lab, we have installed a Samba server on the local machine to serve as our target. Therefore, we will set RHOSTS to the loopback IP address, 127.0.0.1.
Use the set command to assign a value to RHOSTS:
set RHOSTS 127.0.0.1
Metasploit will confirm the change:
RHOSTS => 127.0.0.1
You can verify that the option has been set correctly by running show options again. You will see that 127.0.0.1 is now listed as the Current Setting for RHOSTS. This is a mandatory step, as the scanner needs to know its target.
Set the THREADS option for faster scanning
In this step, we will adjust the THREADS option. This option controls how many concurrent scanning threads Metasploit will use. Increasing the number of threads can significantly speed up scanning when you are targeting a large number of hosts.
Scanning a single host (127.0.0.1) gains nothing from multiple threads, since the module uses at most one thread per host, but it is good practice to learn how to configure this option. Let's set the number of threads to 50.
Use the set command again to change the THREADS value:
set THREADS 50
Metasploit will confirm the setting:
THREADS => 50
Now the scanner is configured to use up to 50 threads, which would be very effective for scanning a network range like 192.168.1.0/24.
Run the scanner and analyze the output
In this step, with all options configured, we are ready to execute the scanner. The run command (or its alias, exploit) will launch the module against the specified target.
In your msfconsole prompt, execute the scanner:
run
The module will now attempt to connect to port 445 on 127.0.0.1 and determine the SMB version. The output will look similar to the following:
[*] 127.0.0.1:445 - Sending SMBv1 request
[+] 127.0.0.1:445 - Host is running Samba 4.15.13-Ubuntu (Samba 4.15.13-Ubuntu)
[*] 127.0.0.1:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Let's analyze the output:
- The [+] symbol indicates a successful result.
- The line Host is running Samba 4.15.13-Ubuntu tells us the exact version of the SMB server software. This information is extremely valuable for a penetration tester, who can now search for vulnerabilities specific to this version.
- The final lines confirm that the scan is complete.
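As an added example (not part of the original lab or of Metasploit), the following Python script parses scanner output in the format shown above into inventory records and lists hosts that fall below a patch baseline. The second host, the baseline value, and the names SmbHost, parse_results and below_baseline are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format shown in this lab; the 192.0.2.10 line is invented.
SAMPLE_OUTPUT = """\
[*] 127.0.0.1:445 - Sending SMBv1 request
[+] 127.0.0.1:445 - Host is running Samba 4.15.13-Ubuntu (Samba 4.15.13-Ubuntu)
[+] 192.0.2.10:445 - Host is running Samba 4.9.5-Debian (Samba 4.9.5-Debian)
[*] 127.0.0.1:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Matches only "[+]" result lines; "[*]" status lines are ignored.
RESULT_RE = re.compile(
    r"^\[\+\]\s+(?P<host>[0-9.]+):(?P<port>\d+)\s+-\s+Host is running\s+"
    r"(?P<product>\S+)\s+(?P<version>\d+(?:\.\d+)*)(?P<suffix>\S*)"
)

@dataclass(frozen=True)
class SmbHost:
    host: str
    port: int
    product: str
    version: tuple    # numeric parts only, e.g. (4, 15, 13)
    raw_version: str  # as reported, e.g. "4.15.13-Ubuntu"

def parse_results(text):
    """Return one SmbHost per '[+] ... Host is running ...' line."""
    hosts = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        numeric = tuple(int(p) for p in m["version"].split("."))
        hosts.append(SmbHost(m["host"], int(m["port"]), m["product"],
                             numeric, m["version"] + m["suffix"]))
    return hosts

def below_baseline(hosts, baseline):
    """Hosts whose numeric version is lower than the baseline tuple."""
    return [h for h in hosts if h.version < baseline]

if __name__ == "__main__":
    # Hypothetical patch baseline chosen for the demo, not a vendor advisory.
    for h in below_baseline(parse_results(SAMPLE_OUTPUT), (4, 15, 0)):
        print(f"{h.host}:{h.port} {h.product} {h.raw_version} is below baseline")
```

Distribution packages such as the -Ubuntu build often carry backported fixes, so treat a below-baseline result as a prompt to check the package changelog rather than as proof of exposure.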
You have successfully enumerated the SMB version on the target. To exit the Metasploit console, simply type exit.
exit
Summary
In this lab, you have successfully used a Metasploit auxiliary scanner to perform SMB enumeration. You have learned the fundamental workflow for using modules within the Metasploit Framework.
You practiced the following key skills:
- Launching the Metasploit console (msfconsole).
- Searching for modules with the search command.
- Selecting and loading a module with the use command.
- Viewing and configuring module options like RHOSTS and THREADS with show options and set.
- Executing a module with the run command.
- Analyzing the output to gather critical information about a target.
This process of information gathering is a foundational element of any security assessment or penetration test. Congratulations on completing the lab!


