# Quick SMB cheatsheet

## Port 139

**NetBIOS** stands for *Network Basic Input Output System*. It is a software protocol that allows applications, PCs, and desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and is usually separate from the computer name. Two applications start a NetBIOS session when one (the client) sends a command to "call" another client (the server) over **TCP Port 139**. (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for))

## Port 445

While Port 139 is known technically as 'NBT over IP', Port 445 is 'SMB over IP'. **SMB** stands for '**Server Message Blocks**'. Server Message Block is also known in modern usage as the **Common Internet File System** (CIFS). It operates as an application-layer network protocol primarily used to offer shared access to files, printers, serial ports, and other sorts of communication between nodes on a network.

On Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP; this uses port 445. On other systems you will find services and applications using port 139, which means that SMB is running with NetBIOS over TCP/IP. (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for))

## Basic Enumeration

*This would be updated as I keep learning new things*

`nbtscan 192.168.1.17`

`nmap -p139,445 --script=smb-enum-shares <host>`

`nmap -p139,445 -sC -Pn <host>`

`smbmap -H <host>`

`smbmap -H <host> -u <username> -p <password>` (authenticated; also shows the private shares that are not visible to an anonymous caller)

`smbclient -L <host>`

`smbclient -L <host> -U <username>%<password>` (authenticated; also shows the private shares that are not visible to an anonymous caller)\
Eg: `smbclient -L <host> -U harsh%1234`

`smbclient -N -L \\\\<IP address>` (`-N` = `--no-pass`; `-L` takes the host as its argument)

`smbclient \\\\<IP>\\<share name>`

`smbclient \\\\<IP>\\<share name> -U bob` (connect to the share as user bob)

`net view \\<host> /All` (Windows only)

`use auxiliary/scanner/smb/smb_enumshares` (Metasploit)

`use auxiliary/scanner/smb/smb_lookupsid` (Metasploit; finds other users present on the host by SID lookup, using an existing login:pass)
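The enumeration commands above produce a share list with permissions that is easy to eyeball on one host but tedious across many. The following is an added helper, not part of the original cheatsheet: it parses `smbmap`-style output (the sample below is constructed to resemble an unauthenticated `smbmap -H <host>` run, not captured from a real host) and reports the non-administrative shares that an anonymous caller can read or write, which is exactly what an audit of null-session exposure needs to flag.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling `smbmap -H <host>` output for an anonymous
# (null-session) run. Not captured from a real host.
SAMPLE = """[+] IP: 192.168.1.17:445\tName: 192.168.1.17
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tADMIN$                                            \tNO ACCESS\tRemote Admin
\tC$                                                \tNO ACCESS\tDefault share
\tIPC$                                              \tREAD ONLY\tRemote IPC
\tpublic                                            \tREAD, WRITE\tDrop folder
\tbackups                                           \tREAD ONLY\tNightly dumps
"""

# One share line: name, one of smbmap's permission strings, optional comment.
PERM_RE = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)\s*(.*)$")


@dataclass
class Share:
    name: str
    perms: str
    comment: str

    def readable(self) -> bool:
        return "READ" in self.perms

    def writable(self) -> bool:
        return "WRITE" in self.perms


def parse_smbmap(text: str) -> list[Share]:
    """Extract Share records from smbmap output; header and separator lines are skipped."""
    shares = []
    for line in text.splitlines():
        m = PERM_RE.match(line)
        if m:
            shares.append(Share(m.group(1), m.group(2), m.group(3).strip()))
    return shares


def audit(shares: list[Share]) -> list[str]:
    """Findings for a defender: non-admin shares an anonymous caller can touch.
    Hidden/administrative shares (names ending in $) are skipped; IPC$ being
    readable is normal, and ADMIN$/C$ should already show NO ACCESS."""
    findings = []
    for s in shares:
        if s.name.endswith("$"):
            continue
        if s.writable():
            findings.append(f"{s.name}: anonymous WRITE ({s.comment or 'no comment'})")
        elif s.readable():
            findings.append(f"{s.name}: anonymous READ ({s.comment or 'no comment'})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smbmap(SAMPLE)):
        print(finding)
```

Feed it the real output of `smbmap -H <host>` (for example via `sys.stdin.read()`) to audit a host; an empty findings list means nothing outside the administrative shares is exposed anonymously.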

## Vulnerability Scanning Script

`nmap --script smb-vuln* <ip>`


## Listing files in a directory

`smbmap -H <host> -r`

## Login

To log in to an SMB share:

1) Anonymous share login:

`smbclient --no-pass //<host>/<Shared Folder>`

2) Share login:

`smbclient //<IP>/<Shared Folder> -U <username>%<password>`

`smbclient -U <username>%<nt-hash> --pw-nt-hash //<host>/<Shared Folder>` (the value supplied as the password is the NT hash rather than the plaintext password, i.e. pass-the-hash)

3) Null session:

`smbclient -U '%' -N //<host>/<Shared Folder>`

4) Mount shares:

`mount -t cifs //<host>/<share> /mnt/share`

`mount -t cifs -o "username=user,password=password" //<host>/<share> /mnt/share`

