
What Is SMB Enumeration?


SMB enumeration is a network reconnaissance technique used to find shared resources, user accounts, and security settings on systems running the Server Message Block protocol.

Quick Fix Summary: Run nmap --script smb-enum-* -p 139,445 <target> to scan for SMB shares. If you have access, map shares with net use \\server\share /user:domain\user on Windows or smbclient //server/share -U user on Linux/macOS. Disable SMBv1 through Windows Features, and require SMB signing on the client by running Set-SmbClientConfiguration -RequireSecuritySignature $true in PowerShell.

What’s happening with SMB right now?

SMB runs over TCP ports 139 and 445, with port 445 being the default since Windows 2000.

SMB uses two ports: 139 (NetBIOS over TCP/IP) and 445 (direct SMB over TCP). Modern Windows systems default to port 445, though older gear still clings to 139. By 2026, SMB 3.1.1 is the current standard, encrypting everything with AES-128-GCM on Windows 11 and Server 2022. The problem? Too many networks still limp along on SMBv1 because someone forgot to update the firmware or Group Policy. That leaves them wide open to attacks like EternalBlue. Enumeration tools poke these ports to reveal share names, user rights, and OS details without ever logging in.

How do I perform SMB enumeration step by step?

Start by making sure you have permission to scan; unauthorized scans can land you in hot water with US-CERT.

Before you touch anything, confirm you’ve got the right to scan. Unauthorized scans can violate US-CERT rules, so double-check your paperwork first.

  1. Find SMB services: Fire up Nmap with SMB scripts to spot open ports and service versions.

    nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery -p 139,445 <target_IP>

    You’ll typically see share names like ADMIN$ or C$ plus OS details such as Windows 10.0.

  2. Connect to shares: On Windows, map a share with net use:

    net use Z: \\192.168.1.100\Public /user:DOMAIN\admin

    Linux and macOS users can grab smbclient from the samba-client package:

    smbclient //192.168.1.100/Public -U admin

  3. Check who can touch what: Use PowerShell to audit share permissions:

    Get-SmbShareAccess -Name "Public" -CimSession <server>

    Then compare those results with Active Directory groups—you’ll often find accounts with way more access than they need.

  4. Kill off old protocols: Turn off SMBv1 through:

    • Windows GUI: Hit Control Panel > Programs > Turn Windows features on or off and uncheck SMB 1.0/CIFS File Sharing Support.
    • PowerShell: Run this as Administrator:
      Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

What if the standard steps don’t work?

Fallback tools like Enum4linux, SMBMap, or a simple telnet check can usually break the deadlock.

  • Enum4linux (Linux/macOS): Run it with:

    enum4linux -a <target_IP>

    It automates share discovery, user listing, and OS fingerprinting using Samba’s own utilities—smbclient and rpcclient.

  • SMBMap (Python): Install it once:

    pip install smbmap

    Then scan with:

    smbmap -H <target_IP> -u user -p password

    Handy when you’re dealing with a sprawling network full of domains.

  • Manual port check: Make sure ports 139 and 445 are actually open:

    telnet <target_IP> 445

    If the connection drops, check the firewall rules—netsh advfirewall firewall show rule name=all should tell you what’s blocking traffic.

How can I stop SMB enumeration attacks before they start?

Disable SMBv1, encrypt SMB traffic, restrict share access, and keep an eye on port 445.

Action | Tool/Command | Frequency
Disable SMBv1 | Group Policy: Computer Configuration > Administrative Templates > MS Network Server > SMB 1.0 | Quarterly audit
Enable SMB Encryption | Set-SmbServerConfiguration -EncryptData $true (PowerShell) | Annually
Restrict Share Access | AD: Share Permissions > Authenticated Users (instead of Everyone) | Ongoing
Monitor Port Usage | Windows: Get-NetTCPConnection -LocalPort 445 | Monthly

According to a 2025 CISA advisory, networks that disabled SMBv1 saw an 87% drop in exploit attempts. Keep firmware updated and audit share permissions regularly to keep unauthorized visitors out. Home users? Consider swapping SMB for SFTP when you need to move files around—it’s a lot less chatty with the bad guys.

Which SMB ports should I scan first?

Start with TCP 445; if that’s blocked, fall back to 139.

Modern systems speak SMB on TCP 445 by default. If you hit a firewall on 445, try 139—some legacy gear still listens there. (Honestly, this is the first place I look when a scan stalls.)

What information can I expect to find during enumeration?

You’ll usually uncover share names, user permissions, OS versions, and sometimes even domain details.

Expect to see share names like ADMIN$, C$, or IPC$. Enumeration often reveals which users or groups have access—and on what level. You’ll also get OS fingerprints (Windows 10, Server 2019, etc.) and, in some cases, domain names if the target is part of an Active Directory forest.

Is SMB enumeration legal?

Only if you have explicit permission; unauthorized scans can violate laws and policies.

No shortcuts here. You need documented authorization before you start poking SMB services. Cross the line and you risk violating everything from US-CERT guidelines to local cybercrime statutes. (I’ve seen consultants get cease-and-desist letters for less.)

What’s the easiest way to automate SMB enumeration?

Use Nmap with the built-in SMB scripts for a quick, repeatable scan.

Nmap’s SMB scripts (smb-enum-shares, smb-enum-users, etc.) give you a one-line command that spits out share names, user lists, and OS details. Run it once, save the output, and you’ve got a baseline for the next audit. (Honestly, this is the fastest route to a clean report.)
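The baseline idea above, worked through as an added example (not part of the original article): it parses two saved smb-enum-shares outputs and reports shares that appeared, disappeared, or changed their anonymous access. The sample outputs are constructed and trimmed to one field per share; the function names are illustrative.

```python
import re

# Constructed sample: two saved runs of `nmap --script smb-enum-shares` against the
# same host, trimmed to the one field compared here (addresses and shares are made up).
BASELINE = r"""| smb-enum-shares:
|   \\192.0.2.10\IPC$:
|     Anonymous access: READ
|   \\192.0.2.10\Public:
|_    Anonymous access: <none>"""
CURRENT = r"""| smb-enum-shares:
|   \\192.0.2.10\IPC$:
|     Anonymous access: READ
|   \\192.0.2.10\Public:
|     Anonymous access: READ/WRITE
|   \\192.0.2.10\Backups:
|_    Anonymous access: <none>"""

SHARE = re.compile(r"^\|[_ ]\s+(\\\\[^\\]+\\.+):\s*$")    # "|   \\host\share:"
FIELD = re.compile(r"^\|[_ ]\s+([A-Za-z ]+):\s*(.*)$")    # "|     Key: value"

def parse_shares(text):
    """Map each \\\\host\\share (lower-cased) in the script output to its fields."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE.match(line)
        if m:
            current = shares.setdefault(m.group(1).lower(), {})
        elif current is not None and (f := FIELD.match(line)):
            current[f.group(1).strip()] = f.group(2).strip()
        elif not line.startswith("|"):
            current = None                      # left the script's output block
    return shares

def diff_shares(baseline, current):
    """Return (finding, share, anonymous_access) tuples to review before re-baselining."""
    old, new = parse_shares(baseline), parse_shares(current)
    findings = []
    for name in sorted(new):
        anon = new[name].get("Anonymous access", "<none>")
        if name not in old:
            findings.append(("new-share", name, anon))
        elif anon != old[name].get("Anonymous access", "<none>"):
            findings.append(("anon-access-changed", name, anon))
    findings += [("removed-share", n, "") for n in sorted(set(old) - set(new))]
    return findings

if __name__ == "__main__":
    for finding in diff_shares(BASELINE, CURRENT):
        print(finding)
```

Any share whose anonymous access moved away from <none> is the first thing to chase with the share's owner.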

How do I know if SMBv1 is still lurking on my network?

Check with PowerShell’s Get-WindowsOptionalFeature or a simple Nmap scan.

On Windows, run Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. If the state shows “Enabled,” SMBv1 is still turned on for that machine. Alternatively, an Nmap scan with --script smb-protocols will flag any hosts on the network still speaking SMBv1.
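To turn a network-wide smb-protocols scan into a to-do list, the following added example (not from the original article) sorts hosts into those that can simply have SMBv1 switched off and those that speak nothing else. The scan text is constructed, and the dialect line format is an assumption based on the script's usual output; the function names are illustrative.

```python
import re

# Constructed sample of saved `nmap --script smb-protocols -p 445` output for three
# hosts (addresses are made up; the line layout is an assumed, typical format).
SCAN = """\
Nmap scan report for 192.0.2.10
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.11
Nmap scan report for 192.0.2.11
| smb-protocols:
|   dialects:
|_    3.11
Nmap scan report for 192.0.2.12
| smb-protocols:
|   dialects:
|_    NT LM 0.12 (SMBv1) [dangerous, but default]
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
ITEM = re.compile(r"^\|[_ ]\s{4}(\S.*)$")            # an entry under "dialects:"

def dialects_by_host(text):
    """Collect the dialect lines listed under each host's smb-protocols block."""
    hosts, host, in_block = {}, None, False
    for line in text.splitlines():
        if m := HOST.match(line):
            host, in_block = m.group(1), False
            hosts.setdefault(host, [])
        elif line.startswith(("| smb-protocols:", "|_smb-protocols:")):
            in_block = True
        elif re.match(r"^\|[_ ]\S", line) or not line.startswith("|"):
            in_block = False                         # another script, or end of output
        elif in_block and host and (m := ITEM.match(line)):
            hosts[host].append(m.group(1))
    return hosts

def smbv1_report(text):
    """Label each host: 'smbv1-only', 'smbv1-enabled', 'ok' or 'no-smb-data'."""
    report = {}
    for host, dialects in dialects_by_host(text).items():
        v1 = any("SMBv1" in d for d in dialects)
        newer = any(re.match(r"[23][.:]\d", d) for d in dialects)   # 3.11 or 3:1:1
        report[host] = ("no-smb-data" if not dialects else "smbv1-only" if v1 and not newer
                        else "smbv1-enabled" if v1 else "ok")
    return report
```

Hosts labelled smbv1-enabled also offer a newer dialect, so SMBv1 can be disabled there without cutting off access; smbv1-only hosts are the legacy gear that needs a firmware update or replacement first.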

Can I use SMB enumeration for legitimate security testing?

Absolutely—it’s a standard step in penetration tests and security audits.

Red teams and auditors use SMB enumeration to map attack surfaces before recommending fixes. Just make sure you’ve got a signed Rules of Engagement document and a clear scope. (I’ve run into more than one test where the client forgot to tell IT we were coming.)

What’s the difference between SMBv1, v2, and v3?

SMBv1 is ancient and unsafe; v2 improved performance; v3 added encryption and security features.

SMBv1 dates back to the late ’90s—fast, but riddled with holes like EternalBlue. SMBv2 (2006) cut latency and added better caching, while SMBv3 (2012) brought AES-128-GCM encryption and multi-channel support. If you’re still running v1, upgrade yesterday.

How often should I audit SMB shares?

At least quarterly, with monthly spot checks on port 445.

Quarterly audits keep stale shares and overprivileged users from piling up. Meanwhile, a quick monthly check on port 445 flags any new SMBv1 hosts sneaking onto the network. (I like to schedule these right after patch Tuesday—fresh vulnerabilities, fresh excuses to clean house.)

What’s the safest way to share files instead of SMB?

For most home users, SFTP or SCP beats SMB for security.

SFTP encrypts the entire session, doesn’t rely on open ports like 445, and works across every OS. If you need Windows-native sharing, enable SMBv3 with encryption instead of falling back to v1. (Honestly, this is the only sane choice for anything outside a tightly controlled LAN.)

Where can I find reliable SMB enumeration tools?

Start with Nmap, Enum4linux, and SMBMap—all are free and widely trusted.

Nmap’s SMB scripts cover 80% of what you need. Enum4linux automates the rest on Linux/macOS, while SMBMap shines when you’re dealing with multiple domains and need quick credential-based scans. (I keep all three in my jump bag—each one catches something the others miss.)

Edited and fact-checked by the TechFactsHub editorial team.
Written by Ryan Foster

Ryan Foster is a networking and cybersecurity writer with 12 years of experience as a network engineer. He's configured more routers than he can count and firmly believes that 90% of internet problems are DNS-related. He lives in Austin, TX.
