Enumerate Samba Users and Shares

author: Nathan Acks
date: 2022-07-11

NMAP

CIFS users and shares can be enumerated by nmap during scanning:

nmap -vv -sT \
     --script smb-enum-shares.nse,smb-enum-users.nse \
     -p445 $TARGET_IP

NOTE: While smb-enum-shares.nse returns results for UNIX-like systems, I’ve found smb-enum-users.nse to be kind of hit-or-miss.

• Nmap SMB Scripts and SMB Enumeration Step-By-Step Pentesting Guide
• Using “nmap”

Metasploit

Metasploit can also enumerate CIFS users using the auxiliary/smb/smb_lookupsid module.

Like NMAP, I’ve found this to be a bit unreliable on UNIX-like systems.

• Using Metasploit

nbtscan

You can scan a target machine or network using nbtscan to see what hosts are running Samba.

nbtscan -r $NETWORK_IP/$CIDR_NETMASK

This won’t give you detailed user and share information, but it will at least let you know what machines to target.

enum4linux

For UNIX-like systems running Samba, enum4linux works well.

enum4linux -a $TARGET_IP

As of the time of this writing (November 5, 2021) however, it looks like enum4linux’s normal user enumeration has been broken for quite some time. However, the “RID cycling” method of discovering users still works - so just call enum4linux with either the -r flag (to specifically use RID cycling to enumerate users) or the -a flag (which does a complete enumeration, including RID cycling) rather than the -U flag.

• Enumerate SMB with Enum4linux & Smbclient
• Use of uninitialized value $user, what does this mean?

smbclient

Samba services can be enumerated by smbclient using:

smbclient -L $SERVER_NAME -I $IP_ADDRESS

Here $SERVER_NAME is the machine’s NetBIOS domain name, which can be found with enum4linux (see above).

• Working With Samba

smbmap

Get Windows version information:

smbmap -H $IP_ADDRESS -v