Enumerate Samba Users and Shares
- author:: Nathan Acks
- date:: 2022-07-11
NMAP
CIFS users and shares can be enumerated by nmap during scanning:
nmap -vv -sT \
--script smb-enum-shares.nse,smb-enum-users.nse \
-p445 $TARGET_IP
NOTE: While smb-enum-shares.nse returns results for UNIX-like systems, I’ve found smb-enum-users.nse to be kind of hit-or-miss.
Metasploit
Metasploit can also enumerate CIFS users using the auxiliary/smb/smb_lookupsid
module.
Like NMAP, I’ve found this to be a bit unreliable on UNIX-like systems.
nbtscan
You can scan a target machine or network using nbtscan to see what hosts are running Samba.
nbtscan -r $NETWORK_IP/$CIDR_NETMASK
This won’t give you detailed user and share information, but it will at least let you know what machines to target.
enum4linux
For UNIX-like systems running Samba, enum4linux works well.
enum4linux -a $TARGET_IP
As of the time of this writing (November 5, 2021) however, it looks like enum4linux’s normal user enumeration has been broken for quite some time. However, the “RID cycling” method of discovering users still works - so just call enum4linux with either the -r flag (to specifically use RID cycling to enumerate users) or the -a flag (which does a complete enumeration, including RID cycling) rather than the -U flag.
smbclient
Samba services can be enumerated by smbclient using:
smbclient -L $SERVER_NAME -I $IP_ADDRESS
Here $SERVER_NAME
is the machine’s NetBIOS domain name, which can be found with enum4linux (see above).
smbmap
Get Windows version information:
smbmap -H $IP_ADDRESS -v