Scanning for SMB vulnerabilities using Nmap

1

In this tutorial we will be using a Nmap script to scan a target host for SMB vulnerabilities. SMB stands for Server Message Block and does not have a great reputation when it comes the security and vulnerabilities. SMB1 was used in Windows 2000 and Windows XP which allowed null sessions which could be used to retrieve a great deal of information about the target machine. Later versions of SMB were also subject to many vulnerabilities which allowed anything from remote code execution to stealing user credentials. For this reason every penetration test should be checking for SMB vulnerabilities.

We will be using NMap scripts to scan a target host for SMB vulnerabilities. The Nmap Scripting Engine (NSE) is on of Nmap’s most powerful and flexible features. With the latest version, nmap 7.0 the scripting engine has been greatly expanded, Nmap 7 contains more than 170 new scripts. Let’s continue this tutorial with scanning for SMB vulnerabilities with Nmap: The frontpage on Samba.org describes Samba as:

Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

Scanning from SMB vulnerabilities

The following command executes Nmap with a script:

nmap –script [scriptname]-p [port][host]

If nmap returns an error try to add –script-args=unsafe=1 so we get the status for SMB vulnerabilities:

nmap –script [scriptname]–script-args=unsafe=1 -p [port][host]

To have Nmap scan a target host for SMB vulnerabilities, use the following command:

nmap –script smb-check-vulns.nse –script-args=unsafe=1 -p445 [host]

The following command enumerates the SMB shares on a target host:

nmap –script smb-enum-shares.nse –script-args=unsafe=1 -p445 [host]

There is also a script for OS discovery which uses SMB:

nmap –script smb-os-discovery.nse –script-args=unsafe=1 -p445  [host]

Use the following command to enumerate the users on a target host:

nmap –script smb-enum-users.nse –script-args=unsafe=1 -p445 [host]

SMB Vulnerabilities Video Tutorial

Thanks for watching and please subscribe to my YouTube channel :)

Related Nmap Hacking Tutorials

Open Port Scanning and OS Detection with Nmap in Kali Linux

Scanning a network for live hosts with Nmap

How to enumerate webserver directories with Nmap

Scanning for SMB vulnerabilities using Nmap

Heartbleed SSL bug Scanning using Nmap on Kali Linux

Share.

1 Comment

  1. While the script, smb-enum-shares.nse works to enumerate open shares in a NON-NTLMv2 environment, it does not enumerate a list of open shares where NTLMv2 is the policy in a Windows domain. Is there a work around for this?

Leave A Reply