
SMB & RPC Enumeration

This cheatsheet covers the enumeration of Server Message Block (SMB) and Remote Procedure Call (RPC) services. In both standalone Linux (Samba) and Windows Active Directory environments, these protocols frequently leak domain information, user lists, password policies, and accessible file shares via Null Sessions (anonymous logins).

High-Level Automated Enumeration

Before manually digging into specific shares, run automated tools to extract as much metadata as possible (OS version, password policies, SIDs, and user groups).

The "-a" flag runs the complete set of simple enumeration tests (equivalent to -U -S -G -P -r -o -n -i): user list, share list, groups and members, password policy, RID cycling, OS information, nmblookup and getting a printer list.

enum4linux -a 10.10.10.10 

retrieves a list of usernames.

enum4linux -U 10.10.10.10

retrieves the groups and their members.

enum4linux -G 10.10.10.10

pulls usernames by RID cycling over the default RID ranges (500-550 and 1000-1050). This works through lookupsids on the domain SID, so it often succeeds on hosts that refuse to list users directly.

enum4linux -r 10.10.10.10

pull usernames using a custom RID range (-R implies -r)

enum4linux -R 600-660 10.10.10.10
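What enum4linux does under the hood for -r and -R, as an added example that is not part of the original cheatsheet: ask the LSA for the domain SID with rpcclient's lsaquery, then resolve SID-RID for every RID in the range with lookupsids. The lsaquery and lookupsids output embedded below is constructed sample data so the parsers run offline; the target is only contacted when you pass a host as the first argument.

```shell
#!/usr/bin/env bash
# Manual RID cycling with rpcclient (added example, not from the original
# cheatsheet). enum4linux -r/-R does the same: lsaquery for the domain SID,
# then lookupsids on SID-RID for each RID in the range. This works over a
# Null Session on many hosts where enumdomusers itself is refused.
# All SIDs, names and RIDs below are constructed sample data.

# Shape of "rpcclient -U '' -N HOST -c lsaquery" output (constructed)
SAMPLE_LSAQUERY='Domain Name: CORP
Domain Sid: S-1-5-21-1004336348-1177238915-682003330'

# Shape of "lookupsids <sid> [sid...]" output (constructed). Resolved SIDs
# print as DOMAIN\name (type); RIDs that map to nothing come back as type 8.
SAMPLE_LOOKUPSIDS='S-1-5-21-1004336348-1177238915-682003330-500 CORP\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 CORP\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-502 CORP\krbtgt (1)
S-1-5-21-1004336348-1177238915-682003330-503 *unknown*\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\Domain Admins (2)
S-1-5-21-1004336348-1177238915-682003330-1106 CORP\svc_backup (1)'

# extract_domain_sid: pull the S-1-5-21-... value out of lsaquery output
extract_domain_sid() {
    sed -n 's/^Domain Sid: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# build_lookup_cmd SID START END: one lookupsids command covering the range
build_lookup_cmd() {
    local sid="$1" rid="$2" end="$3" cmd="lookupsids"
    while [ "$rid" -le "$end" ]; do
        cmd="${cmd} ${sid}-${rid}"
        rid=$((rid + 1))
    done
    printf '%s\n' "$cmd"
}

# parse_lookupsids: print "RID name type" for every resolved SID, skipping
# type 8 (unknown). Type 1 = user, 2 = domain group, 4 = local alias.
parse_lookupsids() {
    awk '
        {
            n = split($1, parts, "-"); rid = parts[n]
            type = $NF; gsub(/[()]/, "", type)
            if (type == "8") next
            name = $0
            sub(/^[^ ]+ /, "", name)                    # drop the SID
            name = substr(name, index(name, "\\") + 1)  # drop "DOMAIN\"
            sub(/ \([0-9]+\)$/, "", name)               # drop " (type)"
            print rid, name, type
        }
    '
}

# rid_cycle HOST START END: the live version; needs network access to HOST
rid_cycle() {
    local host="$1" start="$2" end="$3" sid cmd
    sid=$(rpcclient -U "" -N "$host" -c lsaquery | extract_domain_sid)
    [ -n "$sid" ] || { echo "could not read domain SID from $host" >&2; return 1; }
    cmd=$(build_lookup_cmd "$sid" "$start" "$end")
    rpcclient -U "" -N "$host" -c "$cmd" | parse_lookupsids
}

# demo_rid_cycle: run the parsers over the constructed samples (offline)
demo_rid_cycle() {
    local sid
    sid=$(printf '%s\n' "$SAMPLE_LSAQUERY" | extract_domain_sid)
    echo "domain SID: $sid"
    echo "would run: $(build_lookup_cmd "$sid" 500 503)"
    printf '%s\n' "$SAMPLE_LOOKUPSIDS" | parse_lookupsids
}

if [ -n "${1:-}" ]; then
    rid_cycle "$1" "${2:-500}" "${3:-550}"
else
    demo_rid_cycle
fi
```

Run it with no arguments to see the parsers work on the sample, or `./ridcycle.sh 10.10.10.10 500 550` against a host that allows a Null Session. Sending the whole range in one lookupsids call keeps it to a single named-pipe session instead of one rpcclient process per RID.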

run the SMB OS discovery, share listing and vulnerability-check scripts. Quote the wildcard so the shell does not expand it, and note that not every smb-vuln-* script is in the "safe" category: some are flagged intrusive or dos and can crash an unpatched host, so check the script categories before running them against production systems.

nmap -p 139,445 --script "smb-os-discovery,smb-enum-shares,smb-vuln*" 10.10.10.10

quickly check for Null Session access and list shares; nxc also takes a CIDR range (e.g. 10.10.10.0/24) or a file of targets, so the same command sweeps a subnet

nxc smb 10.10.10.10 -u '' -p '' --shares

Important

Always test for a Null Session first. This means attempting to authenticate with a blank username and a blank password: -U "" with -N for smbclient and rpcclient, or -u '' -p '' for nxc. If the server allows it, you may be able to dump the entire domain user list and password policy without valid credentials. Current Windows versions refuse anonymous SAM and share enumeration by default, so Null Sessions mostly succeed against Samba hosts, legacy systems, or domain controllers where the restrictions were relaxed deliberately.


Share Enumeration & Access

Once you know the server exists, map out which file shares are readable or writable.

list (-L) all available shares using a Null Session (-N)

smbclient -L //10.10.10.10 -N

connect to a specific share (e.g., "Development") anonymously

smbclient //10.10.10.10/Development -N

connect with a known username and prompt for password

smbclient //10.10.10.10/Development -U "username"

map shares and display permissions (Read Only, Read/Write) for a Null Session

smbmap -H 10.10.10.10

map shares with specific credentials and recursively list files (-R)

smbmap -H 10.10.10.10 -u "username" -p "password" -R

Rabbit Hole

You will almost always see the IPC$ (Inter-Process Communication) share. You can usually connect to it, but you will not find any files there: it exists only to carry the named pipes (samr, lsarpc, srvsvc and so on) that the RPC queries below travel over. Do not waste time trying to get or put files in IPC$.
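The share mapping above, scripted as an added example that is not part of the original cheatsheet: parse the output of smbclient -L into a list of disk shares, drop IPC$ and the administrative shares a Null Session cannot read, then try an anonymous directory listing on each one. The share listing embedded below is constructed sample output in the layout smbclient prints, so the parser runs offline; smbclient is only invoked when you pass a host as the first argument.

```shell
#!/usr/bin/env bash
# Null-session share sweep (added example, not from the original cheatsheet).
# Parses "smbclient -L //HOST -N" output and probes each disk share with
# "smbclient //HOST/SHARE -N -c ls". Share names and the Samba version string
# below are constructed sample data, not from a real target.

# Shape of "smbclient -L //10.10.10.10 -N" output (constructed). Rows are
# "<name> <type> <comment>"; the comment may be empty.
SAMPLE_SHARE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Development     Disk      Dev team files
        Backups         Disk
        IPC$            IPC       IPC Service (Samba 4.15.13-Ubuntu)
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
SMB1 disabled -- no workgroup available
'

# parse_shares: one disk share name per line. Skips IPC$ (RPC only, no
# files) and the administrative shares ADMIN$ and <drive>$, which a Null
# Session will not be able to read.
parse_shares() {
    awk '
        $2 == "Disk" {
            name = $1
            if (name == "IPC$" || name == "ADMIN$" || name ~ /^[A-Z]\$$/) next
            print name
        }
    '
}

# probe_share HOST SHARE: anonymous directory listing; exit 0 if readable.
# Hypothetical wrapper around the real smbclient binary; not run offline.
probe_share() {
    local host="$1" share="$2"
    smbclient "//${host}/${share}" -N -c 'ls' >/dev/null 2>&1
}

# sweep_shares HOST: list shares live and probe each one. Needs network
# access to HOST; not exercised in the offline demo.
sweep_shares() {
    local host="$1"
    smbclient -L "//${host}" -N 2>/dev/null | parse_shares | while read -r share; do
        if probe_share "$host" "$share"; then
            echo "READ  //${host}/${share}"
        else
            echo "DENY  //${host}/${share}"
        fi
    done
}

# demo_shares: parse the constructed listing (offline)
demo_shares() {
    printf '%s\n' "$SAMPLE_SHARE_LISTING" | parse_shares
}

if [ -n "${1:-}" ]; then
    sweep_shares "$1"
else
    demo_shares
fi
```

A successful ls only proves the share can be listed; a share can be listable while individual files are still denied, so follow up with smbmap -R or a get on the files you care about. Write access is not tested here either, since dropping files on a target is a deliberate step rather than enumeration.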


RPC Enumeration (rpcclient)

The MSRPC endpoint mapper listens on TCP 135, but rpcclient does not use it: it reaches the SAMR, LSARPC, SRVSVC and NETLOGON interfaces over SMB named pipes on port 445 (or 139) through the IPC$ share. If a Null Session is allowed, rpcclient acts as a direct console for querying the server's SAM database and LSA.

Connecting to the RPC Service:

connect using a Null Session (No username, No password)

rpcclient -U "" -N 10.10.10.10

Once connected to the rpcclient $> prompt, use the following internal queries (each can also be run non-interactively with -c "cmd1;cmd2"):

Command               Description
srvinfo               Displays server OS, version, and domain information.
netshareenum          Lists the shares a normal user would see.
netshareenumall       Lists all shares, including hidden/administrative ones (IPC$, ADMIN$, C$).
enumdomains           Enumerates the domains the server knows about.
enumdomusers          Critical: dumps every user on the system/domain as user:[name] rid:[0x...].
enumdomgroups         Lists domain groups (e.g., Domain Admins, Remote Desktop Users).
querygroupmem <RID>   Lists the member RIDs of a domain group.
getdompwinfo          Shows the password policy (minimum length, complexity flags).
lsaquery              Prints the domain name and domain SID (the starting point for RID cycling).
lookupnames <name>    Resolves a user or group name to its SID.
dsr_getdcname         Retrieves the name and details of the Domain Controller.
queryuser <RID>       Pulls detailed info for a specific user via their Relative ID (e.g., queryuser 500 for Administrator).

Efficiency

If enumdomusers works, immediately copy the output, strip it down to bare usernames (each line looks like user:[name] rid:[0x1f4]), and save them to a users.txt file. You will need this wordlist later for AS-REP Roasting, password spraying, or Kerberos user enumeration.