3. Null Session SMB Enumeration

Now we are trying to enumerate SMB shares using a null session β€” which means trying to access the SMB service without any username or password. This is useful when the server is misconfigured and allows anonymous access.

βœ… Method 1: Using smbclient

smbclient -NL //192.168.10.4

Explanation:

  • -N β†’ No password prompt (null session)

  • -L β†’ List available SMB shares on the target

  • //IP β†’ Target IP in UNC format

πŸ” Look for:

  • IPC$ β†’ Named pipes (usually always there)

  • NETLOGON, SYSVOL, Users β†’ Might contain useful data in domain environments

I tried method 1 but it didn't work :

So let's head to method 2.

βœ… Method 2: Using netexec (formerly crackmapexec)

netexec smb 192.168.10.4 -u '' -p '' --shares

Explanation:

  • -u '' β†’ Empty username

  • -p '' β†’ Empty password

  • --shares β†’ Tells the tool to enumerate shared folders

βœ… Now you successfully connected to the SMB service using a null session (no username/password).

[*] Windows 10 / Server 2019 Build 17763 x64 This confirms the target is likely a Windows Server 2019, in the megachange.nyx domain.

❌ But... Access Denied

[-] Error enumerating shares: STATUS_ACCESS_DENIED

This means anonymous access is not allowed to list SMB shares. The server requires authentication to view them.

πŸ” If Access Denied?

We have to try valid credentials later:

netexec smb 192.168.10.4 -u USERNAME -p PASSWORD --shares

It doesn't matter to login now, all we need is the FQDN : megachange.nyx

Previous2. Service and Version DetectionNext4. LDAP Anonymous Bind Check

Last updated