
SMB (Server Message Block)

Default Port: 139, 445

SMB (Server Message Block), also known as CIFS (Common Internet File System), is a network protocol that allows for file sharing, network browsing, printing services, and inter-process communication over a network.

The SMB protocol lets a client access resources (file shares, printers, named pipes) hosted on a server.

Connect

The first step is to establish a connection to the Server Message Block (SMB) server.

To list all available shares on the target server, utilize the following command:

smbclient -L //target-ip
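The listing that `smbclient -L` prints is a small fixed-width table, and in a larger assessment it is worth turning it into structured data so that built-in shares (IPC$, ADMIN$, print$, drive shares such as C$) can be separated from custom shares that deserve a closer look. The parser below is an added example, not code from the original page; the sample output embedded in it is constructed, and the list of built-in share names it treats as uninteresting is an assumption, not an exhaustive rule.

```python
"""Parse the share table printed by `smbclient -L //target-ip`.

Added example, not part of the original page. SAMPLE_SMBCLIENT_OUTPUT is
constructed, and BUILTIN_SHARES is an illustrative assumption.
"""
import re
from typing import Dict, List

# Constructed sample of `smbclient -L` output (not captured from a real host).
SAMPLE_SMBCLIENT_OUTPUT = """\
Password for [WORKGROUP\\guest]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        backups         Disk      Nightly backups
        data            Disk
        IPC$            IPC       IPC Service (Samba)
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
SMB1 disabled -- no workgroup available
"""

# Share names that exist by default and rarely indicate a misconfiguration
# on their own (assumption: illustrative, not exhaustive).
BUILTIN_SHARES = {"IPC$", "ADMIN$", "print$", "SYSVOL", "NETLOGON"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")   # administrative drive shares: C$, D$, ...


def parse_smbclient_shares(output: str) -> List[Dict[str, str]]:
    """Return [{'name', 'type', 'comment'}, ...] from smbclient -L output."""
    shares: List[Dict[str, str]] = []
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_table:
            # The table starts at the "Sharename  Type  Comment" header line.
            if stripped.startswith("Sharename"):
                in_table = True
            continue
        if stripped.startswith("---"):
            continue                        # underline row below the header
        if not stripped or not line.startswith((" ", "\t")):
            break                           # blank or non-indented line ends the table
        parts = stripped.split(None, 2)     # name, type, optional comment
        if len(parts) < 2:
            continue
        shares.append({
            "name": parts[0],
            "type": parts[1],
            "comment": parts[2] if len(parts) == 3 else "",
        })
    return shares


def custom_disk_shares(shares: List[Dict[str, str]]) -> List[str]:
    """Names of Disk shares that are neither built-in nor drive shares."""
    return [s["name"] for s in shares
            if s["type"] == "Disk"
            and s["name"] not in BUILTIN_SHARES
            and not DRIVE_SHARE.match(s["name"])]


if __name__ == "__main__":
    found = parse_smbclient_shares(SAMPLE_SMBCLIENT_OUTPUT)
    for s in found:
        print(f"{s['name']:<10} {s['type']:<5} {s['comment']}")
    print("Non-default disk shares:", custom_disk_shares(found))
```

Feed it the captured stdout of `smbclient -L` (for an anonymous listing, `smbclient -N -L //target-ip` skips the password prompt). The parser stops at the first non-indented line after the table, so trailing status text such as the "SMB1 disabled" notice does not end up as a share.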

Enumeration

For further enumeration, various tools such as enum4linux, smbmap, or the nmap scripting engine can be employed.

enum4linux

enum4linux -a target-ip

smbmap

smbmap -H target-ip

nmap

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse target-ip

This command executes two scripts to enumerate shares and users from the target server.

Attack Vectors

In this section, we will discuss some prevalent attack vectors commonly encountered when dealing with Server Message Block (SMB).

SMB Null Session

A Null Session refers to an unauthenticated connection to an SMB server, providing the capability to gather significant information. Exploitation typically involves SMB connections over TCP ports 445 and 139.

Command to establish a Null Session connection:

rpcclient -U "" <target-ip>

SMB Signing

If SMB signing is not required, the integrity of the session is not protected, which allows an attacker positioned between client and server to tamper with SMB traffic (a man-in-the-middle attack).

To check for SMB Signing status:

nmap --script smb-security-mode.nse -p445 <target-ip>
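Two caveats matter when reading the output of that check. First, nmap's `smb-security-mode` script reports the SMB1 security mode; on hosts with SMB1 disabled, `smb2-security-mode.nse` is the script that answers the same question. Second, the script distinguishes signing that is "required" from signing that is merely "supported", and only "required" defeats the man-in-the-middle scenario above. The script below is an added example, not code from the original page: it walks multi-host nmap output, normalises both scripts' wording onto one vocabulary and lists the hosts that should be fixed. The embedded scan output is constructed, and the exact phrasing of the `smb2-security-mode` lines is assumed to match nmap's, so it is matched loosely on purpose.

```python
"""Triage nmap smb-security-mode / smb2-security-mode output for hosts that
do not require SMB signing.

Added example, not part of the original page. SAMPLE_NMAP_OUTPUT is
constructed; the smb2-security-mode wording is an assumption and is
matched on keywords only.
"""
import re
from typing import Dict, List

# Constructed nmap normal-output excerpt for four hosts (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 192.0.2.11
Host is up (0.0009s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.0.2.13
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SMB1_SIGNING_RE = re.compile(r"message_signing:\s*(\w+)")
SMB2_SIGNING_RE = re.compile(r"Message signing (.+)$")


def _normalise_smb2(phrase: str) -> str:
    """Map smb2-security-mode wording onto the smb-security-mode vocabulary."""
    phrase = phrase.lower()
    if "not required" in phrase:
        return "supported"      # signing offered, but a peer may decline it
    if "disabled" in phrase:
        return "disabled"
    if "required" in phrase:
        return "required"
    return "unknown"


def parse_signing_status(output: str) -> Dict[str, str]:
    """Return {host: 'required' | 'supported' | 'disabled' | 'unknown'}."""
    status: Dict[str, str] = {}
    host = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            status.setdefault(host, "unknown")   # no script output seen yet
            continue
        if host is None:
            continue
        m = SMB1_SIGNING_RE.search(line)
        if m:
            status[host] = m.group(1).lower()
            continue
        m = SMB2_SIGNING_RE.search(line)
        if m:
            status[host] = _normalise_smb2(m.group(1))
    return status


def hosts_not_requiring_signing(status: Dict[str, str]) -> List[str]:
    """Hosts where signing is disabled or optional, i.e. open to tampering."""
    return sorted(h for h, s in status.items() if s in ("disabled", "supported"))


if __name__ == "__main__":
    result = parse_signing_status(SAMPLE_NMAP_OUTPUT)
    for h, s in result.items():
        print(f"{h:<16} signing={s}")
    print("Fix these first:", hosts_not_requiring_signing(result))
```

Hosts with no script output at all are reported as "unknown" rather than silently dropped, so a closed port or a script that failed to run still shows up in the report and can be re-checked with the SMB2 script.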

MS08-067 (Netapi)

This vulnerability permits remote attackers to execute arbitrary code through a crafted RPC request.

Metasploit module for exploitation:

use exploit/windows/smb/ms08_067_netapi

MS17-010 (EternalBlue)

This vulnerability enables remote attackers to execute arbitrary code via a crafted SMBv1 request.

Metasploit module for exploitation:

use exploit/windows/smb/ms17_010_eternalblue

Post-Exploitation

Once a host has been exploited, the post-exploitation phase begins: elevating privileges and collecting information from the compromised system.

Gaining System Access

From a Meterpreter session on the exploited host, the getsystem command attempts to elevate the session to SYSTEM privileges.

getsystem

Dumping Hashes

A Metasploit post-module can be employed to dump hashes.

use post/windows/gather/smart_hashdump
exploit

Common SMB Commands

Command        Description                                   Usage
smbclient      Connect to an SMB/CIFS server                 smbclient //server/share
smbget         Download files from an SMB/CIFS server        smbget smb://server/share/file
smbpasswd      Change a user's SMB password                  smbpasswd -r server -U username
smbstatus      Display information about SMB connections     smbstatus
smbtree        List SMB/CIFS shares on a network             smbtree
mount -t cifs  Mount an SMB/CIFS share                       mount -t cifs //server/share /mnt/point
umount         Unmount an SMB/CIFS share                     umount /mnt/point