139,445 - SMB Pentesting

Hacktricks

Configuration File

cat /etc/samba/smb.conf | grep -v "#\|\;"
smbclient -N -L //10.129.14.128 # List server shares over a null session (-N), i.e. anonymous access without an existing user or valid password
smbclient //10.129.14.195/someshare
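As an added example (not part of these notes), a small Python audit of the settings in smb.conf that make the null-session listing above possible: it parses the file the same way the grep does (dropping `#` and `;` lines) and flags guest mapping, missing `restrict anonymous`, and guest-accessible shares. The two sample configs are constructed, not taken from any host.

```python
import re

def parse_smb_conf(text):
    # Map {section: {param: value}}, skipping '#' and ';' comment lines like the grep above.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def audit_smb_conf(text):
    # Return (section, finding) pairs for settings that expose anonymous or guest access.
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("map to guest", "never") != "never":  # failed logins become guest sessions
        findings.append(("global", "map to guest allows guest fallback"))
    if glob.get("restrict anonymous", "0") == "0":  # Samba default: null session may enumerate
        findings.append(("global", "restrict anonymous not set; null sessions can enumerate"))
    for name, params in conf.items():
        if name == "global":
            continue
        if params.get("guest ok", "no") == "yes" or params.get("public", "no") == "yes":
            writable = (params.get("writable", params.get("writeable", "no")) == "yes"
                        or params.get("read only", "yes") == "no")
            findings.append((name, "guest-writable share" if writable else "guest-readable share"))
    return findings

# Constructed sample configs (not from any real host): weak vs. hardened.
WEAK_CONF = """[global]
   map to guest = Bad User
[notes]
   guest ok = yes
   read only = no
"""
HARDENED_CONF = """[global]
   map to guest = Never
   restrict anonymous = 2
[notes]
   guest ok = no
   valid users = @staff
"""
```

`audit_smb_conf(WEAK_CONF)` returns three findings, `audit_smb_conf(HARDENED_CONF)` returns none.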

Footprinting

sudo nmap 10.129.14.128 -sV -sC -p139,445
smbclient //<target>/<share$> -U username%password

A complete list of all these functions can be found on the man page of the rpcclient.

rpcclient -U "" 10.129.14.128
srvinfo 	#Server information.
enumdomains	#Enumerate all domains that are deployed in the network.
querydominfo	#Provides domain, server, and user information of deployed domains.
netshareenumall	#Enumerates all available shares.
netsharegetinfo <share>	#Provides information about a specific share.
enumdomusers	#Enumerates all domain users.
queryuser <RID>	#Provides information about a specific user.
querygroup <RID>	#Provides information about a specific group.

Brute forcing user RIDs

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

An alternative to this would be a Python script from Impacket called samrdump.py.

Impacket - Samrdump.py

samrdump.py <IP>

Other Tools

SMBMap and CrackMapExec tools are also widely used and helpful for the enumeration of SMB services.

smbmap -H <IP>
smbmap -H <IP> -u user -r --depth 5 # list all shares and files recursively
crackmapexec smb <IP> --shares -u '' -p ''

Another tool worth mentioning is enum4linux-ng. It automates many of the queries above, but not all, and can return a large amount of information.

git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
./enum4linux-ng.py <IP> -A

We should always use more than one tool and compare the results!

Cheatsheet https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf
