Penetration Testing Cheat Sheet
Enumerating SMB Shares
Server Message Block (SMB) is a network file sharing protocol that allows applications and users to access files, printers, and other resources on a network. During security assessments and penetration tests, enumerating SMB shares is a key step in discovering sensitive data, misconfigurations, and potential privilege escalation paths.
This article walks through common techniques and tools for SMB share enumeration with practical code examples.
Why Enumerate SMB Shares?
SMB share enumeration can reveal:
- Publicly accessible directories
- Misconfigured permissions
- Sensitive files (backups, credentials, configs)
- Opportunities for lateral movement
Poorly secured SMB shares are a common finding in internal penetration tests.
Tools for SMB Share Enumeration
1. smbclient (Linux)
smbclient is part of the Samba suite and allows you to connect to SMB shares.
# List shares on a host
smbclient -L //10.10.10.5 -N
# Connect to a specific share
smbclient //10.10.10.5/public -U guest -N
-L lists the shares a host offers; -N suppresses the password prompt. The first command therefore attempts an anonymous (null session) listing, and the second connects to the public share as the guest account with an empty password.
2. rpcclient
rpcclient provides low-level access to RPC functions over SMB.
# Null session authentication
rpcclient -U "" -N 10.10.10.5
# Once inside, enumerate shares (hidden $ shares included)
rpcclient $> netshareenumall
Other useful commands in the same session are srvinfo (OS and server role) and enumdomusers (local or domain users, if the null session is allowed to query them).
3. enum4linux-ng
A Python re-implementation of the classic enum4linux, with JSON/YAML output for further processing.
# Enumerate SMB shares
enum4linux-ng -S 10.10.10.5
This lists the shares and, for each one, reports whether an anonymous mapping and a directory listing succeeded. Add -A to run all enumeration modules (users, groups, password policy) in one pass.
4. PowerShell (Windows)
On Windows, you can enumerate shares with PowerShell:
# List shares on a remote machine
Get-SmbShare -CimSession 10.10.10.5
Get-SmbShare over a CIM session needs WinRM access to the target and normally local administrator rights there. Without them, use net view, which runs as the current user and omits hidden ($) shares:
net view \\10.10.10.5
5. Nmap NSE Scripts
Nmap has built-in scripts for SMB enumeration.
# Scan SMB shares
nmap --script smb-enum-shares -p445 10.10.10.5
# Enumerate users
nmap --script smb-enum-users -p445 10.10.10.5
Both scripts try an anonymous session by default. To see what an authenticated user can reach, pass credentials with --script-args smbusername=<user>,smbpassword=<pass>.
Automating SMB Enumeration with Python
For automation, Python’s impacket library is very useful:
from impacket.smbconnection import SMBConnection, SessionError

target = "10.10.10.5"

# SMBConnection(remoteName, remoteHost); the name is only used for NetBIOS-style dialects
conn = SMBConnection(target, target)
try:
    # Null session: empty username and empty password
    conn.login("", "")
    for share in conn.listShares():
        # shi1_netname is a null-terminated string; strip the trailing \x00
        print(f"Share: {share['shi1_netname'][:-1]}")
except SessionError as e:
    print(f"Null session rejected by {target}: {e}")
finally:
    conn.close()
This script attempts a null session and lists the available shares. A SessionError (typically STATUS_ACCESS_DENIED or STATUS_LOGON_FAILURE) means anonymous access is restricted and the target should be revisited with valid credentials.
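Enumeration output is only useful once it is triaged. The following script is an added example, not code from the original article: it parses the text that nmap's smb-enum-shares script prints and ranks the shares that permit anonymous access. The sample output embedded in it is constructed to follow the script's layout and is not from a real scan; the severity labels and the ADMIN_SHARES set are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap --script smb-enum-shares -p445 10.10.10.5` output.
# It follows the script's layout but is NOT the result of a real scan.
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares:
|   account_used: <blank>
|   \\10.10.10.5\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.5\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ
|   \\10.10.10.5\backups:
|     Type: STYPE_DISKTREE
|     Comment: Nightly backups
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.5\public:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ
"""

# A share header looks like "\\host\name:" once nmap's gutter is stripped.
SHARE_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<name>[^:]+):\s*$")
# Indented "Key: value" lines under a share header (value may be empty).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z _]*?):\s*(?P<value>.*)$")
# Default administrative shares (assumption for this example; adjust per environment).
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}


@dataclass
class Share:
    host: str
    name: str
    fields: dict = field(default_factory=dict)

    @property
    def anonymous_access(self) -> str:
        return self.fields.get("Anonymous access", "<none>")


def parse_smb_enum_shares(text: str) -> list[Share]:
    """Turn smb-enum-shares text output into Share records."""
    shares: list[Share] = []
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" gutter and indentation
        if not line:
            continue
        m = SHARE_RE.match(line)
        if m:
            current = Share(m["host"], m["name"])
            shares.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m["key"]] = m["value"]
    return shares


SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def triage(shares: list[Share]) -> list[tuple[str, str, str]]:
    """Rank shares by what an unauthenticated attacker can do with them."""
    findings = []
    for s in shares:
        access = s.anonymous_access.upper()
        if "WRITE" in access:
            sev = "HIGH"      # anonymous write: file drop or tampering with what others execute
        elif "READ" in access and s.name.upper() not in ADMIN_SHARES:
            sev = "MEDIUM"    # anonymous read of a data share: look for backups, creds, configs
        elif "READ" in access:
            sev = "LOW"       # e.g. IPC$: null session accepted, enables further enumeration
        else:
            continue          # no anonymous access: nothing to report at this stage
        findings.append((sev, s.name, access))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, name, access in triage(parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)):
        print(f"[{sev}] {name}: anonymous {access}")
```

Feed it real output with `nmap ... -oN scan.txt` and `parse_smb_enum_shares(open("scan.txt").read())`; the same two functions work on the output of several hosts at once because each share header carries its own host name.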
Defense Perspective
To mitigate these risks:
- Disable SMBv1 and require SMB signing.
- Enforce strong authentication; do not leave the Guest account enabled or guest access mapped.
- Restrict anonymous logins and null sessions (on Windows via the RestrictAnonymous, RestrictAnonymousSAM and RestrictNullSessAccess settings; on Samba via restrict anonymous = 2 and map to guest = never).
- Audit share permissions: remove Everyone or Authenticated Users write access where it is not needed, and review the NTFS ACLs behind each share, not only the share ACL.
- Monitor SMB traffic and share-access events for anomalies such as null-session connections and a single host touching many shares in a short time.
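Of the controls above, monitoring is the one that turns the enumeration shown earlier into an alert. The script below is an added example and not part of the original article. It runs two rules over constructed records modelled on Windows Security event 5140 (a network share object was accessed): rule one flags ANONYMOUS LOGON access to any share other than IPC$, and rule two flags a source address that touches three or more distinct shares within sixty seconds, the footprint of a share sweep. The simplified record layout, the sample events and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Security event 5140. Field names are simplified;
# the real event carries SubjectUserName, IpAddress and ShareName in its XML.
EVENTS = [
    {"time": "2024-05-01T10:00:01", "id": 5140, "user": "ANONYMOUS LOGON", "src": "10.10.14.3", "share": r"\\*\IPC$"},
    {"time": "2024-05-01T10:00:02", "id": 5140, "user": "ANONYMOUS LOGON", "src": "10.10.14.3", "share": r"\\*\public"},
    {"time": "2024-05-01T10:00:02", "id": 5140, "user": "ANONYMOUS LOGON", "src": "10.10.14.3", "share": r"\\*\backups"},
    {"time": "2024-05-01T10:00:03", "id": 5140, "user": "ANONYMOUS LOGON", "src": "10.10.14.3", "share": r"\\*\ADMIN$"},
    {"time": "2024-05-01T10:03:00", "id": 5140, "user": r"CORP\alice", "src": "10.10.20.7", "share": r"\\*\public"},
    {"time": "2024-05-01T11:00:00", "id": 5140, "user": "ANONYMOUS LOGON", "src": "10.10.20.9", "share": r"\\*\IPC$"},
]


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_anonymous_non_ipc(events):
    """Rule 1: ANONYMOUS LOGON touching any share other than IPC$.

    Null-session tools always connect to IPC$ first; anonymous access beyond it means
    a data or admin share is reachable without credentials. Treating IPC$ alone as
    baseline noise is an assumption for this example.
    """
    findings = []
    for e in events:
        if e["id"] != 5140 or e["user"].upper() != "ANONYMOUS LOGON":
            continue
        if e["share"].upper().endswith(r"\IPC$"):
            continue
        findings.append({"rule": "anonymous_share_access", "src": e["src"],
                         "share": e["share"], "time": e["time"]})
    return findings


def detect_share_sweeps(events, window_seconds=60, min_shares=3):
    """Rule 2: one source touching >= min_shares distinct shares within window_seconds.

    A user opening a mapped drive does not do this; smbclient -L, enum4linux-ng and
    smb-enum-shares do. The thresholds are assumptions for this example.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 5140:
            by_src[e["src"]].append((_parse_time(e["time"]), e["share"]))
    window = timedelta(seconds=window_seconds)
    findings = []
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until hits[start..end] fits in window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {share for _, share in hits[start:end + 1]}
            if len(distinct) >= min_shares:
                findings.append({"rule": "share_sweep", "src": src, "shares": sorted(distinct),
                                 "first_seen": hits[start][0].isoformat(),
                                 "last_seen": hits[end][0].isoformat()})
                break  # one alert per source is enough; the rest is duplicate noise
    return findings


if __name__ == "__main__":
    for f in detect_anonymous_non_ipc(EVENTS) + detect_share_sweeps(EVENTS):
        print(f)
```

Event 5140 is only written when the Object Access "Audit File Share" subcategory is enabled on the file server, so the first step in deploying either rule is confirming those events exist. Rule two fires as soon as the threshold is crossed, which is why the sample alert lists three shares rather than all four that 10.10.14.3 touched.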
Conclusion
SMB share enumeration is an essential step in penetration testing and red teaming. Using a mix of tools (smbclient, rpcclient, enum4linux-ng, PowerShell, Nmap, Impacket), you can uncover misconfigurations and sensitive data exposure. On the defense side, enforcing least privilege and proper monitoring are crucial.