How to Scan for SMB vulnerabilities using Nmap

  • 1.3K
  • 4
  •  
  •  
  •  
  •  
  •  
  •  
    1.3K
    Shares

Hi there my fellow hackers, we are back with another tutorial. Today we will see how we can use a Nmap script to scan a target host for SMB vulnerabilities. Let’s have a quick glance on what SMB means.

SMB basically stands for Server Message Block. When it comes to reputation among security vulnerabilities, SMB is an average level vulnerability. It’s versions like SMB1 are used in Windows 2000 and Windows XP. They allowed null sessions, which are used to retrieve a great deal of sensitive information from the target machine. Later versions of the SMB are also responsible for many vulnerabilities which allowed anything from stealing user credentials to remote code execution. For all these above reasons, every penetration tester must check for SMB vulnerabilities.

scan-everything

Here in this tutorial we are using NMap scripts to scan a target host for the SMB vulnerabilities. The NSE(Nmap Scripting Engine) is one of the Nmap’s most flexible and powerful features. The Nmap 7 contains more than 170 new scripts. Let’s go into this tutorial for SMB vulnerabilities with Nmap: The According to the frontpage of the Samba.org, Samba is described as follows:

Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

Scanning from SMB vulnerabilities

The following command executes Nmap with a script:

nmap –script [scriptname]-p [port][host]

If nmap returns an error try to add –script-args=unsafe=1 so we get the status for SMB vulnerabilities:

nmap –script [scriptname]–script-args=unsafe=1 -p [port][host]

To have Nmap scan a target host for SMB vulnerabilities, use the following command:

nmap –script smb-check-vulns.nse –script-args=unsafe=1 -p445 [host]

The following command enumerates the SMB shares on a target host:

nmap –script smb-enum-shares.nse –script-args=unsafe=1 -p445 [host]

There is also a script for OS discovery which uses SMB:

nmap –script smb-os-discovery.nse –script-args=unsafe=1 -p445  [host]

Use the following command to enumerate the users on a target host:

nmap –script smb-enum-users.nse –script-args=unsafe=1 -p445 [host]

The following two tabs change content below.

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

Leave a Reply