
Basic SMB Hacking Notes

SMB Ports

SMB Port: 139/445

  • Port 139 is the older port which ran over NetBIOS. NetBIOS is a transport layer protocol that allows Windows computers to speak to each other on the same network.
  • Port 445 is the newer port that runs over the TCP/IP Stack. This allows SMB to work over the Internet.

Looking for open SMB ports

  • Access the network and perform an Nmap scan. I used the following:
nmap -A <host>
Where '<host>' is the IP address or range that you want to scan
Where '-A' enables OS detection, version detection, script scanning, and traceroute
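
To turn scan results into an inventory of which hosts actually expose SMB, the sketch below parses Nmap's grepable output. It is an added example, not part of the original notes; it assumes the scan was written with Nmap's -oG option, and the function names and sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list hosts with TCP 139/445 open from Nmap grepable output.
# Typical use: nmap -p 139,445 -oG - <host> | smb_exposure

# Read grepable Nmap output on stdin; print "<host> <open SMB ports>" per host.
smb_exposure() {
    awk -F'\t' '
    /Ports: / {
        split($1, h, " ")                  # first field: "Host: <ip> (<name>)"
        found = ""
        for (f = 2; f <= NF; f++) {
            if ($f !~ /^Ports: /) continue
            ports = $f
            sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                # entry layout: port/state/protocol/owner/service/rpc/version/
                split(entry[i], p, "/")
                if (p[2] == "open" && p[3] == "tcp" && (p[1] == "139" || p[1] == "445"))
                    found = found (found == "" ? "" : ",") p[1]
            }
        }
        if (found != "") print h[2], found
    }'
}

# Constructed sample scan (documentation addresses, not real hosts).
sample_scan() {
    printf 'Host: 192.0.2.10 (fs01.example)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (fs01.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\n'
    printf 'Host: 192.0.2.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n'
}

sample_scan | smb_exposure
```

Hosts that still answer on 139 are running SMB over NetBIOS as well as direct TCP, which is worth noting when deciding what to disable or firewall.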

Find the content of a share

Additional commands may be required. Included below are the commands that can be used with smbclient.

smbclient -L <host>
Where '-L' lists the shares available on the host
Where '<host>' is the IP address of the host
$ smbclient --help
Usage: smbclient service <password>
  -R, --name-resolve=NAME-RESOLVE-ORDER     Use these name resolution services
  -M, --message=HOST                        Send message
  -I, --ip-address=IP                       Use this IP to connect to
  -E, --stderr                              Write messages to stderr instead
                                            of stdout
  -L, --list=HOST                           Get a list of shares available on
                                            a host
  -m, --max-protocol=LEVEL                  Set the max protocol level
  -T, --tar=<c|x>IXFvgbNan                  Command line tar
  -D, --directory=DIR                       Start from directory
  -c, --command=STRING                      Execute semicolon separated
  -b, --send-buffer=BYTES                   Changes the transmit/send buffer
  -t, --timeout=SECONDS                     Changes the per-operation timeout
  -p, --port=PORT                           Port to connect to
  -g, --grepable                            Produce grepable output
  -q, --quiet                               Suppress help message
  -B, --browse                              Browse SMB servers using DNS
Help options:
  -?, --help                                Show this help message
      --usage                               Display brief usage message
Common samba options:
  -d, --debuglevel=DEBUGLEVEL               Set debug level
  -s, --configfile=CONFIGFILE               Use alternate configuration file
  -l, --log-basename=LOGFILEBASE            Base name for log files
  -V, --version                             Print version
      --option=name=value                   Set smb.conf option from command
Connection options:
  -O, --socket-options=SOCKETOPTIONS        socket options to use
  -n, --netbiosname=NETBIOSNAME             Primary netbios name
  -W, --workgroup=WORKGROUP                 Set the workgroup name
  -i, --scope=SCOPE                         Use this Netbios scope
Authentication options:
  -U, --user=USERNAME                       Set the network username
  -N, --no-pass                             Don't ask for a password
  -k, --kerberos                            Use kerberos (active directory)
  -A, --authentication-file=FILE            Get the credentials from a file
  -S, --signing=on|off|required             Set the client signing state
  -P, --machine-pass                        Use stored machine account password
  -e, --encrypt                             Encrypt SMB transport
  -C, --use-ccache                          Use the winbind ccache for
      --pw-nt-hash                          The supplied password is the NT
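
The -g (grepable) option in the help above makes the share listing easy to check against an approved baseline. The following is an added example, not part of the original notes; it assumes the "Type|Name|Comment" row layout that smbclient prints with -g -L, share names without spaces, and a constructed sample listing; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a grepable share listing against an approved baseline.
# Typical use: smbclient -g -L <host> | share_drift Finance Public

# stdin: "Type|Name|Comment" rows; arguments: approved disk share names.
# Prints "hidden <name>" for shares ending in $ and "unapproved <name>" for
# disk shares missing from the baseline. SMB share names are case-insensitive.
share_drift() {
    approved=" $(printf '%s ' "$@" | tr 'A-Z' 'a-z')"
    awk -F'|' -v approved="$approved" '
    $1 != "Disk" { next }                  # skip IPC, Printer, Server, Workgroup rows
    {
        name = $2
        if (name ~ /\$$/) { print "hidden " name; next }
        if (index(approved, " " tolower(name) " ")) next
        print "unapproved " name
    }'
}

# Constructed sample listing in the grepable layout.
sample_listing() {
    printf '%s\n' \
        'Disk|ADMIN$|Remote Admin' \
        'Disk|C$|Default share' \
        'IPC|IPC$|Remote IPC' \
        'Disk|Finance|' \
        'Disk|Public|Scratch space' \
        'Disk|Backups|Nightly dumps'
}

sample_listing | share_drift Finance Public
```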

Connect to an SMB shell

smbclient //<host>/<share>
Example: smbclient //

Saving a file to your system

When connected to the SMB shell, navigate to the location of interest and extract the file/s of interest.

smb:> cd
smb: \User1\> ls
  .                                   D        0  Thu Jun  3 09:38:03 2021
  ..                                  D        0  Thu Jun  3 09:38:03 2021
  file.txt                            A       32  Mon Mar 29 10:26:57 2021
		5114111 blocks of size 4096. 1751933 blocks available
smb: \User1\> get file.txt
getting file \User1\file.txt of size 32 as file.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

Additional commands can be used. See other commands below.

smb: \User1\> ?
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             


Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelor's and a Master's degree in both Computer Networks and Cyber Security.
