SMB & RPC Enumeration
Goal
Enumerate AD info via SMB/RPC (users, groups, shares, policies) using null/guest/credentialed sessions.
Dialect / Transport
- Prefer 445/TCP (SMB2/3); use 139/TCP (SMB1/NT1) only for legacy cases.
- Test SMB2/3 on 445:
smbclient -L <ip> -p 445 -m SMB3
- Test SMB1 on 139:
smbclient -L <ip> -p 139 -m NT1
- Enumerate supported dialects:
nmap -p 139,445 --script smb-protocols <target>
Quick Checks
enum4linux-ng -A -u '' -p '' <target>
enum4linux-ng
| Action | Command |
|---|---|
| Full enumeration (anonymous) | `enum4linux-ng -A -u '' -p '' <target>` |
| Full enumeration (authenticated) | `enum4linux-ng -A -u <user> -p '<password>' <target>` |
| RID cycling (anonymous) | `enum4linux-ng -R <target>` |
| RID cycling (authenticated) | `enum4linux-ng -R -u <user> -p '<password>' <target>` |
| Enumerate users | `enum4linux-ng -U -u <user> -p '<password>' <target>` |
| Enumerate groups | `enum4linux-ng -G -u <user> -p '<password>' <target>` |
| Enumerate shares | `enum4linux-ng -S -u <user> -p '<password>' <target>` |
| Show password policy | `enum4linux-ng -P -u <user> -p '<password>' <target>` |
nxc
| Action | Command |
|---|---|
| Authenticated session | `nxc smb <target> -u <user> -p '<password>'` |
| Null/guest attempt | `nxc smb <target> -u '' -p ''` |
| List shares (all) | `nxc smb <target> -u <user> -p '<password>' --shares` |
| Domain password policy | `nxc smb <target> -u <user> -p '<password>' --pass-pol` |
| Enumerate domain users | `nxc smb <target> -u <user> -p '<password>' --users` |
| RID brute-force users | `nxc smb <target> -u <user> -p '<password>' --rid-brute` |
| Enumerate local groups | `nxc smb <target> -u <user> -p '<password>' --local-groups` |
smbclient
| Action | Command |
|---|---|
| List shares (anonymous) | `smbclient -L <ip> -N` |
| List shares (with creds) | `smbclient -L <ip> -U '<user>%<password>'` |
| Use Kerberos ticket | `smbclient -k //<ip>/<share>` |
rpcclient
| Action | Command |
|---|---|
| Connect (authenticated) | `rpcclient -U <user> <ip>` |
| Connect (null session) | `rpcclient -U '' -N <ip>` |
| Enumerate domain users | `enumdomusers` |
| Display user info (paged) | `querydispinfo` |
| Lookup SID by account name | `lookupnames <username>` |
| Lookup account name by SID | `lookupsids <sid>` |
| Enumerate groups (Domain/Builtin) | `enumalsgroups [Domain\|Builtin]` |
| List members of alias/group (by RID) | `queryaliasmem [Domain\|Builtin] <rid>` |
| List groups for a user (by RID) | `queryusergroups <rid>` |
| Query group details (by RID) | `querygroup <rid>` |
| Enumerate printers | `enumprinters` |
| Enumerate domains | `enumdomains` |
| Get domain SID | `lsaquery` |
| Get domain info | `querydominfo` |
| Enumerate trusted domains | `dsenumdomtrusts` |
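The `lsaquery`, `enumdomusers` and `lookupsids` rows above fit together: `enumdomusers` prints RIDs in hex, and a full SID is the domain SID from `lsaquery` plus the decimal RID. The helper below (an added example, not part of the original cheat sheet) parses both outputs, builds the SIDs, flags well-known privileged RIDs so a reviewer can see at a glance what a null session exposes, and assembles the matching `lookupsids` line. The rpcclient output samples are constructed.

```python
import re

# Constructed sample output in the format rpcclient prints.
LSAQUERY_OUT = """Domain Name: CORP
Domain Sid: S-1-5-21-1111111111-2222222222-3333333333
"""

ENUMDOMUSERS_OUT = """user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]
user:[j.doe] rid:[0x452]
"""

# Well-known domain RIDs that deserve attention when they show up anonymously.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "Guest",
    502: "krbtgt (KDC service account)",
    512: "Domain Admins",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^Domain Sid:\s*(S-1-5-21-\d+-\d+-\d+)\s*$", re.M)
USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")


def parse_domain_sid(lsaquery_output):
    """Extract the domain SID from 'lsaquery' output."""
    m = SID_RE.search(lsaquery_output)
    if not m:
        raise ValueError("no domain SID found in lsaquery output")
    return m.group(1)


def parse_enumdomusers(output):
    """Return [(name, rid_decimal), ...]; rpcclient prints RIDs as hex."""
    return [(m["name"], int(m["rid"], 16)) for m in USER_RE.finditer(output)]


def build_sids(domain_sid, users):
    """Map account name -> full SID (domain SID + decimal RID)."""
    return {name: f"{domain_sid}-{rid}" for name, rid in users}


def flag_well_known(users):
    """Accounts whose RID is a well-known privileged/service RID."""
    return {name: WELL_KNOWN_RIDS[rid] for name, rid in users if rid in WELL_KNOWN_RIDS}


def lookupsids_command(domain_sid, users):
    """Build the rpcclient 'lookupsids' line to resolve every SID back to a name."""
    return "lookupsids " + " ".join(f"{domain_sid}-{rid}" for _, rid in users)
```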
impacket-lookupsid
| Action | Command |
|---|---|
| Enumerate users/groups via LSARPC (auth) | `impacket-lookupsid <domain>/<user>:<pass>@<host>` |
| Null/guest attempt | `impacket-lookupsid <host> -no-pass` |
| Force NetBIOS/139 (if 445 closed) | `impacket-lookupsid <NBName> -target-ip <ip> -port 139 -no-pass` |