3. Null Session SMB Enumeration


Last updated 25 days ago

Next we try to enumerate SMB shares over a null session, that is, an SMB session set up with an empty username and an empty password. This only works when the server is misconfigured to allow anonymous access, but when it does, share names (and sometimes file contents) come back without any credentials, which makes it a cheap check to run early.

✅ Method 1: Using smbclient

smbclient -NL //192.168.10.4

Explanation:

  • -N → No password prompt (null session)

  • -L → List available SMB shares on the target

  • //IP → Target IP in UNC format

🔍 Look for:

  • IPC$ → The inter-process communication share used for named pipes; it is present on practically every Windows host, so seeing it on its own tells you little

  • NETLOGON, SYSVOL → Present on domain controllers; logon scripts and Group Policy files stored there can leak passwords or configuration details

  • Users → User profile directories; worth checking for files readable by an anonymous or low-privileged session

I tried method 1 but it didn't work:

So let's head to method 2.

✅ Method 2: Using netexec (formerly crackmapexec)

netexec smb 192.168.10.4 -u '' -p '' --shares

Explanation:

  • -u '' → Empty username

  • -p '' → Empty password

  • --shares → Enumerate the shares visible to this session, together with the permissions the session has on each

✅ The tool reaches the SMB service and prints the banner it collects while setting up the session:

[*] Windows 10 / Server 2019 Build 17763 x64

Build 17763 is Windows Server 2019 (Windows 10 version 1809 carries the same build number), and the same output line names the domain: megachange.nyx. This banner is gathered from the protocol negotiation and the NTLM challenge, which the server sends before it decides whether to accept the credentials, so getting it does not by itself prove that anonymous access is allowed. That is decided by the next line.

❌ But... Access Denied

[-] Error enumerating shares: STATUS_ACCESS_DENIED

The server refuses to enumerate shares over the anonymous session. Listing shares is an RPC call over the srvsvc named pipe on IPC$, and current Windows versions, including a Server 2019 domain controller, block anonymous callers there by default (the "Network access: Restrict anonymous access to Named Pipes and Shares" policy). The target requires an authenticated session before it will list anything.

🔐 If Access Denied?

Share enumeration will have to wait until we hold valid credentials; at that point the same command works with them:

netexec smb 192.168.10.4 -u USERNAME -p PASSWORD --shares

Nothing is lost by not logging in here. The piece of information this step had to deliver is the domain's DNS name, megachange.nyx, which the LDAP bind and Kerberos user enumeration steps that follow need in order to address the directory and the Kerberos realm.
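To tie the two methods and their possible outcomes together, here is a small triage script added for this write-up; it is not part of the original lab. It pulls the domain, OS and signing fields out of the netexec banner line and classifies the outcome of the null-session attempt (shares listed, session accepted but listing denied, session refused, or no response). The classification also recognises smbclient's NT_STATUS_ codes, so the same function covers method 1. The sample output embedded in the script is constructed by hand in the shape netexec prints; the hostname DC01 in it is an assumption, since the page only shows the OS banner and the domain. Given an IP as its first argument (and netexec on the PATH) it runs the live check; without arguments it only demonstrates the parsing on the samples.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own code: triage a null-session SMB attempt.
# The SAMPLE_* strings below are constructed; "DC01" is an assumed hostname.
set -u

# Pull one "(key:value)" field out of a netexec SMB banner line.
# nxc_field "<banner line>" domain  -> megachange.nyx
nxc_field() {
    printf '%s\n' "$1" | sed -n "s/.*(${2}:\([^)]*\)).*/\1/p"
}

# Pull the OS text that sits between "[*] " and " (name:" on the banner line.
nxc_os() {
    printf '%s\n' "$1" | sed -n 's/.*\[\*\] \(.*\) (name:.*/\1/p'
}

# Decide what the null session actually got us. Reads tool output on stdin;
# works on netexec or smbclient output, since both surface NT status codes.
enum_classify() {
    local out
    out="$(cat)"
    if [ -z "$out" ]; then
        echo NO_RESPONSE            # nothing came back: closed, filtered, wrong host
    elif printf '%s\n' "$out" | grep -q 'STATUS_ACCESS_DENIED'; then
        echo ACCESS_DENIED          # session set up, but share listing refused
    elif printf '%s\n' "$out" | grep -q 'STATUS_LOGON_FAILURE'; then
        echo NO_SESSION             # the anonymous session itself was refused
    elif printf '%s\n' "$out" | grep -qE 'Enumerated shares|Sharename'; then
        echo SHARES_LISTED          # null session can list shares: misconfigured
    else
        echo UNKNOWN
    fi
}

# One-line summary of a netexec run: domain, OS, signing and classification.
enum_summary() {
    local out banner
    out="$(cat)"
    banner="$(printf '%s\n' "$out" | grep '(domain:' | head -n 1)"
    printf 'domain=%s os=%s signing=%s result=%s\n' \
        "$(nxc_field "$banner" domain)" \
        "$(nxc_os "$banner")" \
        "$(nxc_field "$banner" signing)" \
        "$(printf '%s\n' "$out" | enum_classify)"
}

# Constructed sample: what the lab saw (banner, then STATUS_ACCESS_DENIED).
SAMPLE_DENIED='SMB  192.168.10.4  445  DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB  192.168.10.4  445  DC01  [+] megachange.nyx\:
SMB  192.168.10.4  445  DC01  [-] Error enumerating shares: STATUS_ACCESS_DENIED'

# Constructed sample: the misconfigured case the null session is meant to find.
SAMPLE_LISTED='SMB  192.168.10.4  445  DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB  192.168.10.4  445  DC01  [+] megachange.nyx\:
SMB  192.168.10.4  445  DC01  [*] Enumerated shares
SMB  192.168.10.4  445  DC01  Share      Permissions  Remark
SMB  192.168.10.4  445  DC01  IPC$       READ         Remote IPC
SMB  192.168.10.4  445  DC01  NETLOGON   READ         Logon server share
SMB  192.168.10.4  445  DC01  SYSVOL     READ         Logon server share'

if [ -n "${1:-}" ]; then
    # Live run against a host you are authorised to test.
    netexec smb "$1" -u '' -p '' --shares | tee /dev/stderr | enum_summary
else
    printf '%s\n' "$SAMPLE_DENIED" | enum_summary
    printf '%s\n' "$SAMPLE_LISTED" | enum_summary
fi
```

The signing field is worth keeping in the summary even though this step does not use it: a domain controller reporting signing:True cannot be the target of an SMB relay later in the engagement, so it is cheap to record now while the banner is in front of you.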