Enumerating SMB sessions
SMB sessions reflect people connected to file shares or making RPC calls and they can provide invaluable information that can be used to profile users and machines. The SMB session information includes usernames, origin IP addresses, and even idle time. Because this information can be used to launch other attacks, listing SMB sessions remotely can be very handy as a penetration tester.
This recipe shows how to enumerate SMB sessions of Windows machines with Nmap.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -p445 --script smb-enum-sessions <target>
Local users on the system will be listed, as well as the SMB connections detected:
Host script results: | smb-enum-sessions: | Users logged in: | | MATRIX\Administrator since 2017-01-12 12:03:20 | Active SMB Sessions: |_ |_ ADMINISTRATOR is connected from xxx.xxx.xxx.xxx for [just logged in, it's probably you], idle for [not idle]
How it works...
Logged...