139/445 - NetBIOS/SMB

NetBIOS/Server Message Block

NetBIOS listens on TCP 139 and several UDP ports. SMB (TCP 445) and NetBIOS are separate protocols; however, modern implementations of SMB often utilize NetBIOS over TCP for backwards compatibility. SMB has a history of vulnerabilities but we are primarily interested in SMB for enumeration of shares to search for credentials, backups and other information that may help us gain a foothold.

We can search for NetBios/SMB hosts using nmap or nbtscan:

nmap -v -p 139,445 
sudo nbtscan -r 

NSE scripts

  • Viewable with ls -l /usr/share/nmap/scripts/smb*

nmap -p 139,445 --script=smb*
nmap --script=smb-enum*
nmap -p 139,445 --script=smb-enum-users
nmap -v -p 139,445 -oG smb.txt –open
nmap --script smb-vuln-*
nmap -p 139,445 --script=smb-os-discovery


crackmapexec smb $ip_range -u '' -p '' (enumerate null shares)
crackmapexec smb $ip_range --pass-pol
crackmapexec smb $ip_range --users
crackmapexec smb $ip_range --groups
crackmapexec smb $ip_range -u user -p 'password' -d domain --shares
crackmapexec smb $ip_address -u user -p 'password' -d domain --shares --spider "C$" --pattern "pass"


smbclient -L \\$ip\\ -U [[domain\\]username]
smbclient -L \\\\$ip\\
smbclient -L \\\\$ip\\$share

*connect to share*
smbclient \\\\$ip\\$share 
smbclient \\\\$ip\\$share -U domain\\username


enum4linux -a -v


showmount -a $targetip (all)
showmount -e $targetip (exports)


mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

Download shares

get log.txt --allows you to download single files
smbget -R smb://ipaddress/sharename


python3 /opt/impacket/examples/smbclient.py username@target-ip
python3 /opt/impacket/examples/smbclient.py 'username'@target-ip
python3 /opt/impacket/examples/smbclient.py ''@target-ip

Eternal Blue

Last updated