Windows Recon: SMB Nmap Scripts

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Objective: Your task is to fingerprint the service using the tools available on the Kali machine and run Nmap scripts to enumerate the Windows target machine's SMB service.

  1. Identify SMB Protocol Dialects

  2. Find SMB security level information

  3. Enumerate active sessions, shares, Windows users, domains, services, etc.

The following username and password may be used to access the service:

Username: administrator

Password: smbserver_771

Tools

  • Nmap

Writeup

ping -c 1 demo.ine.local
nmap -p- -sSVC --min-rate 7000 -n -Pn demo.ine.local -vvv

Identify SMB Protocol Dialects & Security Level

nmap -p 445 --script smb-protocols demo.ine.local

Enumerate SMB Security Level (Encryption, Signing, etc.)

nmap -p 445 --script smb-security-mode demo.ine.local
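
Added example (not part of the original writeup): a shell function that reads saved Nmap output from the smb-protocols and smb-security-mode scripts above and flags the settings a defender would remediate on the host. The sample output is constructed for illustration, and the finding labels and the function name smb_findings are assumptions of this example.

```shell
#!/usr/bin/env bash
# Triage Nmap normal output (-oN) from smb-protocols and smb-security-mode.
# SAMPLE is constructed for illustration, not captured from the lab target.
SAMPLE='Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     3.00
|_    3.11
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)'

# smb_findings: read Nmap output on stdin, print one finding label per line.
#   SMBV1_ENABLED        server still offers the NT LM 0.12 (SMBv1) dialect
#   SIGNING_DISABLED     message signing is off
#   SIGNING_NOT_REQUIRED signing is offered but clients may skip it
#   GUEST_FALLBACK       the unauthenticated probe was mapped to guest
#   SHARE_LEVEL_AUTH     share-level instead of user-level authentication
smb_findings() {
  awk '
    /SMBv1/                        { print "SMBV1_ENABLED" }
    /message_signing:/ {
      if ($0 ~ /disabled/)         { print "SIGNING_DISABLED" }
      else if ($0 !~ /required/)   { print "SIGNING_NOT_REQUIRED" }
    }
    /account_used: *guest/         { print "GUEST_FALLBACK" }
    /authentication_level: *share/ { print "SHARE_LEVEL_AUTH" }
  '
}

# Stand-alone run on the constructed sample; for a real scan use:
#   smb_findings < scan.nmap
printf '%s\n' "$SAMPLE" | smb_findings
```

An empty result means none of the flagged settings appeared in the output, which is the state to aim for after disabling SMBv1 and requiring signing.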

Enumerate SMB Shares (Including Hidden Shares)

nmap -p 445 --script smb-enum-shares demo.ine.local
nmap -p 445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

Enumerate SMB Users & Domain Information

nmap -p 445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

Enumerate Active SMB Sessions

nmap -p 445 --script smb-enum-sessions demo.ine.local
nmap -p 445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

Enumerate SMB Services & OS Version

nmap -p 445 --script smb-os-discovery demo.ine.local
