# SMB recon

## Manual testing

```bash
# scan networks for NetBIOS name information
sudo nbtscan -r 10.11.1.0/24
nmblookup -A 10.11.1.5

# quick SMB enumeration (empty smbusername/smbpass = anonymous)
nmap --script=smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-ls,smb-mbenum,smb-os-discovery,smb-protocols,smb-security-mode,smb-server-stats,smb-system-info,smb2-capabilities,smb2-security-mode,smb2-time --script-args smbusername=,smbpass= -T4 -Pn -n -p445,139,135 10.11.1.5

# get SMB version
msfconsole -q -x 'use auxiliary/scanner/smb/smb_version;set rhost 10.11.1.5;run;exit'

# manually getting SMB version: sniff the Samba banner on tun0 while a client connects
sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'
sudo smbclient -L \\\\10.11.1.231

# view the shared folders
echo exit | smbclient -L \\\\10.11.1.5 -U''
smbclient -L \\\\10.11.1.5 -U%
smbmap -H 10.11.1.5

# check for null session
smbclient \\\\10.11.1.5\\IPC$ -U%
rpcclient -U % 10.11.1.136

# connect to a share
smbclient \\\\$ip\\$share -U $user

# enumerate vulnerabilities
nmap -Pn -n --script=smb-vuln-* 10.11.1.5 -p139,445
```
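The smb-security-mode, smb2-security-mode and smb-protocols scripts in the quick-enumeration nmap line above report whether signing is required, whether an SMBv1 dialect is offered and whether a guest session was accepted. As an added example that is not part of this cheat sheet, the Python below parses constructed nmap output written in the style of those scripts (the two hosts and their values are made up, not scan results) and turns it into a per-host list of hardening gaps, which is the view a defender wants after running the same scan against their own network.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the style of nmap's smb-security-mode, smb2-security-mode
# and smb-protocols NSE output (made-up hosts and values, not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.11.1.5
Host is up (0.0011s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.00

Nmap scan report for 10.11.1.136
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.11:
|_    Message signing enabled and required
| smb-protocols:
|   dialects:
|     2.02
|     3.00
|_    3.11
"""


@dataclass
class SmbFindings:
    host: str
    smb1_enabled: bool = False
    guest_access: bool = False
    signing_required: Optional[bool] = None  # None: no signing verdict seen
    dialects: List[str] = field(default_factory=list)


# Matches the NSE section headers we care about, e.g. "smb2-security-mode:"
SECTION_RE = re.compile(r"^(smb2?-[a-z-]+):$")


def parse_nmap_smb(text: str) -> Dict[str, SmbFindings]:
    """Extract per-host SMB posture from normal (-oN style) nmap output."""
    findings: Dict[str, SmbFindings] = {}
    current: Optional[SmbFindings] = None
    section = None
    for raw in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", raw)
        if m:
            current = SmbFindings(host=m.group(1))
            findings[current.host] = current
            section = None
            continue
        if current is None or not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").strip()  # drop the NSE table prefix
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section == "smb-security-mode":
            if line.startswith("account_used:"):
                current.guest_access = line.split(":", 1)[1].strip() == "guest"
            elif line.startswith("message_signing:"):
                value = line.split(":", 1)[1].strip()
                current.signing_required = value.startswith("required")
        elif section == "smb2-security-mode":
            if line.startswith("Message signing"):
                # the SMB2 verdict overrides the SMB1 one: it covers the dialects in use
                current.signing_required = "and required" in line
        elif section == "smb-protocols":
            if line != "dialects:":
                current.dialects.append(line)
                if "SMBv1" in line:
                    current.smb1_enabled = True
    return findings


def risk_report(findings: Dict[str, SmbFindings]) -> Dict[str, List[str]]:
    """Map each host to the hardening gaps a defender should follow up on."""
    report: Dict[str, List[str]] = {}
    for host, f in findings.items():
        issues = []
        if f.smb1_enabled:
            issues.append("SMBv1 dialect offered; disable it")
        if f.signing_required is False:
            issues.append("SMB signing not required; enforce it by policy")
        if f.guest_access:
            issues.append("guest/null session accepted; restrict anonymous access")
        report[host] = issues
    return report


if __name__ == "__main__":
    for host, issues in risk_report(parse_nmap_smb(SAMPLE_NMAP_OUTPUT)).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Feed it a real `nmap -oN` file from the scan above and every host with a non-empty list is one to raise a ticket for; a host whose `signing_required` stays `None` simply had no security-mode section, so it should be rescanned rather than marked clean.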

## Automated testing

```bash
# automation script
enum4linux -a 10.11.1.136
```

## References

- https://book.hacktricks.xyz/pentesting/pentesting-smb
- https://docs.google.com/spreadsheets/d/1F9wUdEJv22HdqhSn6hy-QVtS7eumgZWYYrD-OSi6JOc/edit#gid=2080645025