Enumerate SMB Services in Nmap


Introduction

In this lab, we will explore how to enumerate SMB (Server Message Block) services using Nmap. SMB is a network file sharing protocol, and identifying available shares can reveal valuable information about a target system. We will use the smb-enum-shares Nmap Scripting Engine (NSE) script to achieve this.

The lab involves running Nmap commands to enumerate SMB shares on a target machine, specifying the target IP address (e.g., 192.168.1.1 or 127.0.0.1 for localhost), and interpreting the output to identify available shares, their types, and associated comments. We will also explore adding verbosity, saving results to a file, and comparing the output with a banner scan.



Run SMB enum with nmap --script smb-enum-shares 192.168.1.1

In this step, we will use Nmap with the smb-enum-shares script to enumerate SMB shares on a target machine. SMB (Server Message Block) is a network file sharing protocol, and enumerating shares can reveal valuable information about the target system, such as available resources and potential vulnerabilities.

First, let's understand the command we'll be using:

  • nmap: This is the network mapper tool we'll be using.
  • --script smb-enum-shares: This tells Nmap to use the smb-enum-shares NSE (Nmap Scripting Engine) script. This script is specifically designed to enumerate SMB shares.
  • 192.168.1.1: This is the target IP address. Important: You will need to replace this with the actual IP address of the target machine you want to scan. If you don't have a specific target, you can use 127.0.0.1 (localhost) for testing purposes, but keep in mind that this will only scan your own machine.

Now, let's execute the command. Open your Xfce terminal and type the following command, then press Enter:

nmap --script smb-enum-shares 192.168.1.1

Important: Replace 192.168.1.1 with the actual IP address of your target. If you are testing locally, you can use 127.0.0.1.

The output will show you the results of the SMB share enumeration. It might look something like this (the exact output will depend on the target system):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.1.1\IPC$:
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     flags: 0x80000000
|   \\192.168.1.1\ADMIN$:
|     type: STYPE_DISKTREE
|     comment: Remote Admin
|     flags: 0x0
|_  \\192.168.1.1\C$:
|     type: STYPE_DISKTREE
|     comment: Default share
|     flags: 0x0

Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds

This output shows the SMB shares that Nmap was able to discover on the target system. You can see the share names (e.g., IPC$, ADMIN$, C$), their types, comments, and flags. This information can be useful for identifying potential attack vectors or misconfigurations.

Scan port 445 with nmap --script smb-enum-shares -p 445 127.0.0.1

In this step, we will focus on scanning a specific port, 445, which is commonly associated with SMB. By specifying the port, we can narrow down the scan and potentially get results faster. We'll use the same smb-enum-shares script as before, but this time we'll tell Nmap to only scan port 445.

Let's break down the command:

  • nmap: The network mapper tool.
  • --script smb-enum-shares: Specifies the NSE script to use for SMB share enumeration.
  • -p 445: This option tells Nmap to only scan port 445. Without this, Nmap would scan a range of commonly used ports.
  • 127.0.0.1: This is the target IP address, in this case, localhost. This means we are scanning the SMB service running on our own machine.

Now, open your Xfce terminal and execute the following command:

nmap --script smb-enum-shares -p 445 127.0.0.1

The output will show the results of the SMB share enumeration specifically on port 445. It might look similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\127.0.0.1\IPC$:
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     flags: 0x80000000
|   \\127.0.0.1\ADMIN$:
|     type: STYPE_DISKTREE
|     comment: Remote Admin
|     flags: 0x0
|_  \\127.0.0.1\C$:
|     type: STYPE_DISKTREE
|     comment: Default share
|     flags: 0x0

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

Notice that the output is similar to the previous step, but this time we specifically targeted port 445. This can be useful when you know that SMB is running on a specific port and you want to avoid scanning other ports unnecessarily.

Add verbosity with nmap -v --script smb-enum-shares 192.168.1.1

In this step, we will add verbosity to our Nmap scan. Verbosity provides more detailed output, which can be helpful for understanding what Nmap is doing and for troubleshooting any issues. The -v option increases the verbosity level.

Let's look at the command:

  • nmap: The network mapper tool.
  • -v: This option increases the verbosity level. Adding more -v options (e.g., -vv) increases the verbosity even further.
  • --script smb-enum-shares: Specifies the NSE script to use for SMB share enumeration.
  • 192.168.1.1: The target IP address. Remember to replace this with the actual IP address of your target.

Now, open your Xfce terminal and execute the following command:

nmap -v --script smb-enum-shares 192.168.1.1

Important: Replace 192.168.1.1 with the actual IP address of your target. If you are testing locally and don't have SMB enabled, you might not see much difference in the output.

The output will be more verbose than the previous scans. You'll see more information about the scan progress, the scripts being run, and any errors that occur. For example, you might see output like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 1 script for scanning.
Initiating Ping Scan at 10:10
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:10
Completed Parallel DNS resolution of 1 host. at 10:10, 0.00s elapsed
Initiating Connect Scan at 10:10
Scanning 192.168.1.1 [1000 ports]
Discovered open port 445/tcp on 192.168.1.1
Completed Connect Scan at 10:10, 0.12s elapsed (1000 total ports)
Initiating Service scan at 10:10
Scanning 1 service on 192.168.1.1
Completed Service scan at 10:10, 6.41s elapsed (1 service total)
NSE: Starting runlevel 1 (of 1) scan.
NSE: Running script smb-enum-shares on 192.168.1.1.
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.1.1\IPC$:
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     flags: 0x80000000
|   \\192.168.1.1\ADMIN$:
|     type: STYPE_DISKTREE
|     comment: Remote Admin
|     flags: 0x0
|_  \\192.168.1.1\C$:
|     type: STYPE_DISKTREE
|     comment: Default share
|     flags: 0x0

NSE: Script Post-scanning.
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds

The verbose output shows the different stages of the Nmap scan, including the ping scan, DNS resolution, connect scan, service scan, and the execution of the smb-enum-shares script. This level of detail can be invaluable for debugging and understanding the scan process.

Save SMB results with nmap --script smb-enum-shares -oN smb.txt 127.0.0.1

In this step, we will learn how to save the results of our Nmap scan to a file. This is useful for later analysis or for sharing the results with others. We'll use the -oN option to save the output in a "normal" format, which is human-readable.

Let's break down the command:

  • nmap: The network mapper tool.
  • --script smb-enum-shares: Specifies the NSE script to use for SMB share enumeration.
  • -oN smb.txt: This option tells Nmap to save the output in normal format to a file named smb.txt. The file will be saved in your current directory, which is ~/project.
  • 127.0.0.1: This is the target IP address, in this case, localhost.

Now, open your Xfce terminal and execute the following command:

nmap --script smb-enum-shares -oN smb.txt 127.0.0.1

After the scan completes, you won't see the output in the terminal. Instead, the results will be saved in a file named smb.txt in your ~/project directory.

To verify that the file was created and contains the scan results, you can use the cat command to display the contents of the file:

cat smb.txt

You should see the Nmap scan results printed to the terminal. The output should be similar to what you saw in the previous steps, but now it's also saved in a file.

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023 as: nmap --script smb-enum-shares -oN smb.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\127.0.0.1\IPC$:
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     flags: 0x80000000
|   \\127.0.0.1\ADMIN$:
|     type: STYPE_DISKTREE
|     comment: Remote Admin
|     flags: 0x0
|_  \\127.0.0.1\C$:
|     type: STYPE_DISKTREE
|     comment: Default share
|     flags: 0x0
## Nmap done at Fri Oct 27 10:15:01 2023 -- 1 IP address (1 host up) scanned in 1.23 seconds

You can also use the ls -l command to check the file size and modification date:

ls -l smb.txt

This will show you information about the smb.txt file, including its size, modification date, and permissions.

Review SMB shares in Xfce terminal

In this step, we will review the SMB shares that were identified in the previous steps. We'll use the cat command to view the contents of the smb.txt file, which contains the Nmap scan results. Then, we'll discuss how to interpret the output and identify potential security vulnerabilities.

First, open your Xfce terminal and use the cat command to display the contents of the smb.txt file:

cat smb.txt

The output will show the Nmap scan results, including the identified SMB shares. For example, you might see output like this:

## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023 as: nmap --script smb-enum-shares -oN smb.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\127.0.0.1\IPC$:
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     flags: 0x80000000
|   \\127.0.0.1\ADMIN$:
|     type: STYPE_DISKTREE
|     comment: Remote Admin
|     flags: 0x0
|_  \\127.0.0.1\C$:
|     type: STYPE_DISKTREE
|     comment: Default share
|     flags: 0x0
## Nmap done at Fri Oct 27 10:20:01 2023 -- 1 IP address (1 host up) scanned in 1.23 seconds

Let's analyze the output:

  • \\127.0.0.1\IPC$: This is the Inter-Process Communication share, which is used for communication between processes on the same machine or across a network. It's typically hidden (STYPE_IPC_HIDDEN) and used for system functions.
  • \\127.0.0.1\ADMIN$: This is the administrative share, which provides access to the Windows system directory. It's typically used by administrators for remote management.
  • \\127.0.0.1\C$: This is the default share for the C drive. It allows administrators to access the entire C drive remotely.

These shares are often present on Windows systems. However, it's important to review their permissions and ensure that they are properly secured. For example, the ADMIN$ and C$ shares should typically only be accessible to administrators. If these shares are accessible to unauthorized users, it could lead to security vulnerabilities.

In the next step, we will compare these results with a banner scan to gather more information about the target system.

Compare with a banner scan using nmap -p 445 -sV 127.0.0.1

In this step, we will perform a banner scan using Nmap and compare the results with the SMB share enumeration results from the previous steps. Banner grabbing allows us to identify the operating system and services running on the target, which can provide valuable information for identifying potential vulnerabilities.

First, let's perform a banner scan on port 445 using Nmap. Open your Xfce terminal and execute the following command:

nmap -p 445 -sV 127.0.0.1

Here's a breakdown of the command:

  • nmap: The network mapper tool.
  • -p 445: Specifies port 445, which is the port used for SMB.
  • -sV: Enables version detection, which attempts to determine the service and version information running on the target port.
  • 127.0.0.1: This is the target IP address, in this case, localhost.

The output of the command will show the service running on port 445 and its version information. For example, you might see output like this:

Starting Nmap 7.80 ( https://nmap.org ) at Fri Oct 27 10:25:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 10 Pro 19042 microsoft-ds

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

In this example, the banner scan reveals that the target is running Windows 10 Pro 19042. This information can be used to identify potential vulnerabilities specific to this operating system version.

Now, let's compare this information with the SMB share enumeration results from the previous step. In the previous step, we identified the following SMB shares: IPC$, ADMIN$, and C$. We also know that the target is running Windows 10 Pro 19042.

By combining this information, we can start to build a more complete picture of the target system and its potential vulnerabilities. For example, we can research known vulnerabilities in Windows 10 Pro 19042 related to SMB shares and determine if the target system is vulnerable.

This comparison helps us to prioritize our efforts and focus on the most likely attack vectors. For example, if we find a known vulnerability in Windows 10 Pro 19042 that allows unauthorized access to the ADMIN$ share, we can focus our efforts on exploiting this vulnerability.
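As an added example (not part of this lab and not Nmap's own code), the following Python script ties together the save step, the share review step and the banner comparison above: it reads the normal-format text that the -oN option writes to smb.txt, extracts account_used and each share's type, comment and flags, reads the service/version line from the -sV scan, and turns the two into review items of the kind discussed above, with default administrative shares listed over a guest session flagged for a permissions check and the detected platform string attached so the findings can be matched against vendor advisories. The two embedded outputs are constructed from the samples shown in this lab; the UNAUTH_ACCOUNTS set, the severity labels and the function names are this example's own choices, not anything Nmap defines.

```python
"""Parse Nmap normal (-oN) output from smb-enum-shares and -sV runs and
build a defender-oriented review of the SMB shares that were listed."""
import re

# Constructed sample of smb.txt from `nmap --script smb-enum-shares -oN smb.txt 127.0.0.1`
SMB_SCAN = r"""## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023 as: nmap --script smb-enum-shares -oN smb.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\127.0.0.1\IPC$:
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     flags: 0x80000000
|   \\127.0.0.1\ADMIN$:
|     type: STYPE_DISKTREE
|     comment: Remote Admin
|     flags: 0x0
|_  \\127.0.0.1\C$:
|     type: STYPE_DISKTREE
|     comment: Default share
|     flags: 0x0
## Nmap done at Fri Oct 27 10:20:01 2023 -- 1 IP address (1 host up) scanned in 1.23 seconds
"""

# Constructed sample of the `nmap -p 445 -sV 127.0.0.1` banner scan (abridged)
SV_SCAN = r"""Nmap scan report for localhost (127.0.0.1)
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 10 Pro 19042 microsoft-ds
"""

ACCOUNT_RE = re.compile(r"^\|_?\s+account_used:\s*(?P<acct>\S+)")
SHARE_RE = re.compile(r"^\|_?\s+\\\\(?P<host>[^\\]+)\\(?P<share>[^:]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>type|comment|flags):\s*(?P<value>.*)$")
SERVICE_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")

STYPE_HIDDEN = 0x80000000        # flag bit Nmap reports for hidden shares (see the IPC$ entry)
ADMIN_SHARES = {"ADMIN$", "C$"}  # default Windows administrative shares discussed in the lab
UNAUTH_ACCOUNTS = {"guest", "<blank>"}  # assumption: guest (as in the lab) or a blank/null session

def parse_smb_enum_shares(text):
    """Return (account_used, {share_name: {host, type, comment, flags}}) from -oN text."""
    account, shares, current = None, {}, None
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line)
        if m:
            account = m.group("acct")
            continue
        m = SHARE_RE.match(line)
        if m:  # a new share entry; the following type/comment/flags lines belong to it
            current = m.group("share")
            shares[current] = {"host": m.group("host")}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group("key"), m.group("value").strip()
            shares[current][key] = int(value, 16) if key == "flags" else value
    return account, shares

def parse_services(text):
    """Return {"445/tcp": {state, service, version}} from the PORT/STATE/SERVICE table."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[f"{m['port']}/{m['proto']}"] = {"state": m["state"], "service": m["service"],
                                                     "version": (m["version"] or "").strip()}
    return services

def assess(account, shares, services):
    """Turn parsed results into review items. A listed share name only proves the
    listing was obtainable; each item is a prompt to verify that share's permissions."""
    unauth = account in UNAUTH_ACCOUNTS
    findings = []
    for name, info in sorted(shares.items()):
        hidden = bool(info.get("flags", 0) & STYPE_HIDDEN)
        if name == "IPC$":  # the pipe share itself; note only that the listing needed no credentials
            if unauth:
                findings.append(("info", name, f"share list obtained with account '{account}'"))
            continue
        if name in ADMIN_SHARES:
            severity, what = ("high" if unauth else "medium"), "administrative share"
        else:
            severity, what = ("medium" if unauth else "low"), ("hidden disk share" if hidden else "disk share")
        findings.append((severity, name, f"{what} ({info.get('comment', '')}) listed with account "
                                         f"'{account}'; confirm it is restricted to administrators"))
    platform = services.get("445/tcp", {}).get("version", "")
    return {"account": account, "platform": platform, "findings": findings}

if __name__ == "__main__":
    acct, found = parse_smb_enum_shares(SMB_SCAN)
    result = assess(acct, found, parse_services(SV_SCAN))
    print(f"platform: {result['platform'] or 'unknown'}  account_used: {result['account']}")
    for severity, name, message in result["findings"]:
        print(f"[{severity:>6}] {name}: {message}")
```

To run it against your own scans, replace the two embedded strings with the contents of the -oN files (for example `open("smb.txt").read()`); the -oN file uses the same normal layout the earlier steps displayed on screen, plus the two `##` header and footer lines, so the same parser handles both. The severity labels are a triage aid, not proof of access: the next action for a "high" item is to check the share's ACLs and the guest/anonymous policy on the host, not to assume the share is readable.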

Summary

In this lab, we explored how to use Nmap with the smb-enum-shares script to enumerate SMB shares on a target machine. We learned that SMB is a network file sharing protocol and that enumerating shares can reveal valuable information about the target system, including available resources and potential vulnerabilities. The basic command nmap --script smb-enum-shares <target_ip> was used to perform the enumeration.

Furthermore, we practiced specifying the target port (445), increasing verbosity with the -v flag, and saving the output to a file using the -oN option. Finally, we reviewed the SMB shares in the Xfce terminal and compared the results with a banner scan, demonstrating different methods for gathering information about SMB services.