Scanning for SMB vulnerabilities using Nmap


In this tutorial we will be using a Nmap script to scan a target host for SMB vulnerabilities. SMB stands for Server Message Block and does not have a great reputation when it comes the security and vulnerabilities. SMB1 was used in Windows 2000 and Windows XP which allowed null sessions which could be used to retrieve a great deal of information about the target machine. Later versions of SMB were also subject to many vulnerabilities which allowed anything from remote code execution to stealing user credentials. For this reason every penetration test should be checking for SMB vulnerabilities.

We will be using NMap scripts to scan a target host for SMB vulnerabilities. The Nmap Scripting Engine (NSE) is on of Nmap’s most powerful and flexible features. With the latest version, nmap 7.0 the scripting engine has been greatly expanded, Nmap 7 contains more than 170 new scripts. Let’s continue this tutorial with scanning for SMB vulnerabilities with Nmap: The frontpage on describes Samba as:

Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

Scanning from SMB vulnerabilities

The following command executes Nmap with a script:

nmap –script [scriptname]-p [port][host]

If nmap returns an error try to add –script-args=unsafe=1 so we get the status for SMB vulnerabilities:

nmap –script [scriptname]–script-args=unsafe=1 -p [port][host]

To have Nmap scan a target host for SMB vulnerabilities, use the following command:

nmap –script smb-check-vulns.nse –script-args=unsafe=1 -p445 [host]

The following command enumerates the SMB shares on a target host:

nmap –script smb-enum-shares.nse –script-args=unsafe=1 -p445 [host]

There is also a script for OS discovery which uses SMB:

nmap –script smb-os-discovery.nse –script-args=unsafe=1 -p445  [host]

Use the following command to enumerate the users on a target host:

nmap –script smb-enum-users.nse –script-args=unsafe=1 -p445 [host]

Scanning a host for MS17-010 Eternalblue with Nmap

You can also use Nmap to scan a target, or a range of targets, for MS17-010. Before we can run this scan we need to download the “smb-vuln-ms12-010.nse” script first from the link below:

Store the file in the Nmap scripts directory and then launch the scan as shown below:

nmap -p 445 -script=smb-vuln-ms17-010.nse [host]

The following command targets a range of hosts in your network:

nmap -p 445 -script=smb-vuln-ms17-010.nse [host-range]

SMB Vulnerabilities Video Tutorial

Thanks for watching and please subscribe to my YouTube channel :)

Related Nmap Hacking Tutorials

Open Port Scanning and OS Detection with Nmap in Kali Linux

Scanning a network for live hosts with Nmap

How to enumerate webserver directories with Nmap

Scanning for SMB vulnerabilities using Nmap

Heartbleed SSL bug Scanning using Nmap on Kali Linux

Virtual Hacking Labs - Penetration testing lab


Check out these SMB related hacking tutorials too:

Exploiting Eternalblue for shell with Empire

Eternalromance Getting shell on Windows 2003 Server



  1. While the script, smb-enum-shares.nse works to enumerate open shares in a NON-NTLMv2 environment, it does not enumerate a list of open shares where NTLMv2 is the policy in a Windows domain. Is there a work around for this?

  2. Barry Dragoon on

    It’s been almost 4 months since I posted, and no replies. Is there no way to work around NTLMv2 policy in Windows?

    • Have you tried setting the smbtype script argument to v2?

      From the documentation:

      The type of SMB authentication to use. These are the possible options:
      •v1: Sends LMv1 and NTLMv1.
      •LMv1: Sends LMv1 only.
      •NTLMv1: Sends NTLMv1 only (default).
      •v2: Sends LMv2 and NTLMv2.
      •LMv2: Sends LMv2 only.
      •NTLMv2: Doesn’t exist; the protocol doesn’t support NTLMv2 alone. The default, NTLMv1, is a pretty decent compromise between security and compatibility. If you are paranoid, you might want to use v2 or lmv2 for this. (Actually, if you’re paranoid, you should be avoiding this protocol altogether!). If you’re using an extremely old system, you might need to set this to v1 or lm, which are less secure but more compatible.

Leave A Reply