Enumerate Samba Users and Shares
- author:: Nathan Acks
- date:: 2022-07-11
CIFS users and shares can be enumerated by nmap during scanning:
nmap -vv -sT \ --script smb-enum-shares.nse,smb-enum-users.nse \ -p445 $TARGET_IP
NOTE: While smb-enum-shares.nse returns results for UNIX-like systems, I’ve found smb-enum-users.nse to be kind of hit-or-miss.
Metasploit can also enumerate CIFS users using the
Like NMAP, I’ve found this to be a bit unreliable on UNIX-like systems.
You can scan a target machine or network using nbtscan to see what hosts are running Samba.
nbtscan -r $NETWORK_IP/$CIDR_NETMASK
This won’t give you detailed user and share information, but it will at least let you know what machines to target.
For UNIX-like systems running Samba, enum4linux works well.
enum4linux -a $TARGET_IP
As of the time of this writing (November 5, 2021) however, it looks like enum4linux’s normal user enumeration has been broken for quite some time. However, the “RID cycling” method of discovering users still works - so just call enum4linux with either the -r flag (to specifically use RID cycling to enumerate users) or the -a flag (which does a complete enumeration, including RID cycling) rather than the -U flag.
Samba services can be enumerated by smbclient using:
smbclient -L $SERVER_NAME -I $IP_ADDRESS
$SERVER_NAME is the machine’s NetBIOS domain name, which can be found with enum4linux (see above).
Get Windows version information:
smbmap -H $IP_ADDRESS -v