During an internal engagement, a penetration tester reviews a vulnerability-scan report for the legacy Windows file server 10.10.15.20. The scanner flags SMBv1 and notes that anonymous authentication (NULL session) is enabled. Probe details include:
tcp/445 open Microsoft Windows 7/2008 R2 SMB (v1 enabled)
Using rpcclient -U "" -N 10.10.15.20, the tester successfully runs netshareenumall. The rules of engagement permit read-only validation of data exposure but prohibit privilege escalation. Which NEXT action would BEST confirm whether sensitive information is accessible because of this misconfiguration?
Attempt an internal DNS zone-transfer (AXFR) to gather additional host records.
Run Hydra to brute-force common passwords against each enumerated share.
Use smbclient -N //10.10.15.20/Finance, download a representative file, and inspect its contents.
Replay a captured NTLM hash with CrackMapExec to obtain an interactive shell on 10.10.15.20.
Connecting to one of the non-public shares with smbclient -N and downloading a sample file proves that the SMB service allows anonymous users to read private content. DNS zone transfers may reveal hostnames, but they do not test file access on the SMB share. Replaying an NTLM hash (pass-the-hash) and brute-forcing passwords both rely on credentials, contradicting the goal of confirming unauthenticated exposure and exceeding the scope by attempting privilege escalation.
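As an added example (not part of the original question or its explanation), a small Python helper for the triage the answer describes: it parses rpcclient's netshareenumall listing, keeps only the non-administrative shares, and wraps the anonymous smbclient -N directory listing so the validation stays read-only under the rules of engagement. The same check lets a defender audit file servers for NULL-session share exposure before remediation. The share listing below is constructed sample data, and the live check runs only through an injectable runner, so nothing contacts a host unless you call it with the real subprocess runner.

```python
"""Triage a NULL-session finding: parse netshareenumall, pick data shares, check read access."""
import re
import subprocess

# Constructed sample of `rpcclient -U "" -N 10.10.15.20 -c netshareenumall` output
# (not captured from a real host; the Finance share mirrors the question's scenario).
SAMPLE_ENUM = """\
netname: ADMIN$
\tremark:\tRemote Admin
\tpath:\tC:\\Windows
\tpassword:\t
netname: Finance
\tremark:\tFinance department documents
\tpath:\tC:\\Shares\\Finance
\tpassword:\t
netname: IPC$
\tremark:\tRemote IPC
\tpath:\t
\tpassword:\t
"""

def parse_netshareenumall(text):
    """Convert rpcclient's netshareenumall listing into a list of share dicts."""
    shares = []
    for line in text.splitlines():
        m = re.match(r"^netname:\s*(.*?)\s*$", line)
        if m:
            shares.append({"netname": m.group(1)})
            continue
        m = re.match(r"^\s*(remark|path|password):\s*(.*?)\s*$", line)
        if m and shares:
            shares[-1][m.group(1)] = m.group(2)
    return shares

def data_shares(shares):
    """Shares worth a read-only exposure check: hidden/administrative shares
    (ADMIN$, C$, IPC$, print$) end in '$' and are left alone."""
    return [s["netname"] for s in shares if not s["netname"].endswith("$")]

def readonly_check(host, share):
    """Anonymous directory listing only: no download, no write, no credentials."""
    return ["smbclient", "-N", f"//{host}/{share}", "-c", "ls"]

def anonymous_readable(host, share, runner=subprocess.run):
    """True when smbclient -N can list the share (exit status 0). `runner` is
    injectable so the decision logic can be exercised without a live host."""
    proc = runner(readonly_check(host, share), capture_output=True, text=True, timeout=20)
    return proc.returncode == 0

if __name__ == "__main__":
    print(data_shares(parse_netshareenumall(SAMPLE_ENUM)))
```

Downloading a representative file, as the correct option does, is a separate deliberate step once the listing confirms anonymous read access.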