SMB nmap scripts:

    ls -la /usr/share/nmap/scripts | grep smb

Check for vulns:

    nmap --script "smb-vuln*" -p 139,445 ip

SMB Enumeration:

    nmblookup -A ip
    nbtstat -A ip
    echo exit | smbclient -L \\\\ip
    smbmap -u username -p password -H ip
    nmap --script "smb-enum-*" -p 139,445 ip
    enum4linux -r ip

Is anonymous access enabled?

    smbclient -L ip

What about Null Sessions on the SMB shares?

    smbmap -H ip -R
    rpcclient -U "" -N ip
    smbclient -L \\\\ip\\share
    enum4linux -r ip

Enumerate Possible users?

    nmap --script smb-enum-users.nse -p445 ip
    smbclient -L ip -U%

Can I connect to an SMB share with an account:

    smbclient \\\\server\\share -U 'username%password'

From Windows:

    net use \\ip\ipc$ "" /u:""

Connect to the RPC:

    rpcclient -U "" -N ip
    rpcclient -U "username" [ip]   # prompts for password

Samba's rpcclient can be used to interact with RPC endpoints to enumerate users:

    querydispinfo
    enumdomusers
    queryuser [0xrid]
    queryusergroups [0xrid]
    lookupnames [username]

Brute Force SMB:

    msf5 > use auxiliary/scanner/smb/smb_login
    msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
    pass_file => wordlist
    msf5 auxiliary(scanner/smb/smb_login) > set USER_file userlist
    USER_file => userlist
    msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS [host]
    msf5 auxiliary(scanner/smb/smb_login) > run

    nmap --script smb-brute -p 445 [ip]
    hydra -l [username] -P /password/path [ip] smb -t 1
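The defender's side of the anonymous-access and null-session checks above, as an added example that is not part of the original page: a small audit of an smb.conf for the settings that permit them. Both sample configurations are constructed, the helper names are hypothetical, and the parameter names and defaults are assumed to be those documented in smb.conf(5).

```python
import re

# Constructed sample configurations (not from the original page).
WEAK_CONF = """\
[global]
   map to guest = Bad User
[public]
   path = /srv/public
   Guest OK = yes
[finance]
   valid users = @finance
"""
HARDENED_CONF = """\
[global]
   restrict anonymous = 2
   map to guest = Never
[finance]
   valid users = @finance
"""
TRUE_VALUES = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return (section, finding) tuples for anonymous and guest exposure."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    if glob.get("restrictanonymous", "0") == "0":   # unset means the default, 0
        findings.append(("global", "restrict anonymous = 0: anonymous SAMR/LSA listing allowed"))
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map to guest: failed logons can become guest sessions"))
    default_guest = glob.get("guestok", glob.get("public", "no"))
    for name, params in conf.items():
        guest = params.get("guestok", params.get("public", default_guest))
        if name != "global" and guest.lower() in TRUE_VALUES:
            findings.append((name, "guest ok = yes: no password required for this share"))
    return findings
```

Calling `audit(WEAK_CONF)` returns two findings for `[global]` and one for `[public]`; `audit(HARDENED_CONF)` returns an empty list.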