> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/network-share/smb-null-session/trick-0287.md).

# SMB Null Session Access

***

You can attempt to access exposed SMB shares using a null session, which requires no authentication. This allows browsing and potentially downloading files from shares configured for access by 'Everyone'.

After identifying a share that allows null session access, you can connect to it using `smbclient` with the `-N` flag followed by the target IP and the suspected share name:

```bash
smbclient //<target>/<share> -N
```

Once connected, you can use standard `smbclient` commands like `ls`, `get`, `cd` to explore the share.

Beyond accessing a known share, you can also use `smbclient` to list available shares on the target server using a null session. This is done with the `-L` flag:

```bash
smbclient -L <target> -N
```

This command attempts to list the shares available on the target without providing any credentials (Null session).

Further enumeration can sometimes be performed via a null session using tools like `rpcclient`. This can potentially reveal information about users, groups, and other system details. To connect to the target machine’s RPC service using a null session, you can use:

```bash
rpcclient <target> -N
```

Once connected, you can issue commands to gather information. Commands like `enumdomusers`, `enumalsgroups Builtin`, `querydominfo`, or `srvinfo` might provide valuable information if the server allows such enumeration via a null session.

Another excellent tool for null session enumeration is `enum4linux`. This script can automate various enumeration tasks that might be possible over a null session connection. You can specify the null session using the `-n` flag. Common flags used with `enum4linux` for null session enumeration include `-U` (enumerate users), `-G` (enumerate groups), `-S` (enumerate shares), `-M` (enumerate machines), and `-o` (get OS information).

A typical `enum4linux` command for null session enumeration might look like this:

```bash
enum4linux -U -G -M -S -o -n 10.0.2.15
```

This command attempts to enumerate users, groups, machines, shares, and OS information using a null session connection to the target IP.
