The following are checks for old SMB exploits, which I have come across many times while doing old HTB boxes. I have documented them here for whenever I run into an old SMB version again.
# OS / domain / hostname discovery over SMB (a read-only negotiation).
# The leading "$ " is a shell prompt, not part of the command.
# NOTE(review): unsafe=1 is the NSE switch that permits checks able to crash a
# service; smb-os-discovery does not appear to use it, so it looks like a
# leftover here — confirm before relying on it to do anything.
$ nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery IP
# test for known smb vulns
# cve2009-3103: ms09-050 (SMBv2 negotiate bug)
nmap --script=smb-vuln-cve2009-3103.nse -p 139,445 IP
# Batch of Microsoft-bulletin checks. These are active probes, and the NSE
# script docs mark several of them as able to crash the target service (some
# may also refuse to run without the unsafe=1 script-arg) — read each script's
# description first and keep them to lab / explicitly scoped hosts.
# ms17-010 is the SMBv1 (EternalBlue) check.
nmap --script=smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse -p 139,445 IP
# CVE-2017-7494 (Samba is_known_pipename). With check-version set the script
# decides from the reported Samba version alone (as I read the script docs), so
# a distro build with a backported fix can still show as vulnerable — treat the
# result as a hint, not a confirmation.
# -Pn: skip host discovery (assume the host is up), useful when ICMP is filtered.
nmap -Pn --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p139,445 IP
# using nmap to enumerate shares and users. Without credentials this relies on
# a null session; credentials can be passed with
# --script-args smbusername=...,smbpassword=... (they land in shell history and
# process listings like any other argv).
nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse IP
smbclient / smbmap
# smbmap: list shares and the permissions the given account has on them.
# -H host, -P port, -d domain, -u user, -p password, -s a single share to inspect.
smbmap -H IP [-P PORT] [-d DOMAIN] [-u USER] [-p PASS] [-s TARGET_SHARE]
# smbclient: interactive (FTP-like) access to one share.
# NOTE(review): USER%PASS puts the password on the command line, where it is
# visible in `ps`, /proc/<pid>/cmdline and shell history. `-U USER` alone
# prompts for it; smbclient also honours the PASSWD environment variable and
# -A <authfile>, which keep it out of argv.
smbclient //IP/TARGET_SHARE/PATH -U USER%PASS -p PORT
# -L LIST_SHARES
# -c COMMAND_TO_EXECUTE; (semicolon-separated smbclient commands, run non-interactively)
# -N NO_PASSWORD (anonymous / null session)
# copy entire share to local-disk: prompt OFF skips the per-file confirmation,
# recurse ON descends into subdirectories, mget * fetches everything into the
# current working directory — run it from an empty scratch directory and keep
# disk space in mind for large shares.
# (single quotes keep the backslashes in \\IP\SHARE literal for the shell)
smbclient '\\IP\TARGET_SHARE' -N -c 'prompt OFF;recurse ON;mget *'
# same idea with smbget: -R recursive, --guest = no credentials
smbget -R smb://IP/TARGET_SHARE --guest
# The two lines below are smbclient prompt commands (typed at the `smb: \>`
# prompt inside an interactive session), not shell commands.
# to read a file within the share (paged locally without keeping a copy)
more FILENAME
# to copy a file out of the share: download SHARE_FILE, saving it locally as FILENAME
get SHARE_FILE FILENAME
enum4linux
# enum4linux (classic perl version): wraps the Samba client tools and relies on
# null sessions, so on hosts that deny anonymous access most sections come back
# empty rather than failing loudly.
enum4linux -a IP
# -U: get user-list
# -M: get machine-list
# -N: get name-list dump
# -S: get share-list
# -P: get password-policy info
# -G: get group & member list
# -a: get all of the above (simple enumeration).
# enum4linux-ng: python rewrite; -A = all enumeration.
# NOTE(review): in enum4linux-ng the username is passed with lowercase -u
# (password with -p); uppercase -U takes no value and means "enumerate users
# via RPC", so `-U USER` here looks like a typo — check `enum4linux-ng.py --help`.
enum4linux-ng.py -A IP [-U USER] [-p PASS]
# -C: enum services
# -R: enum users via RID cycling
# -S: enum shares
Shares (nfs, cifs)
Viewing
# NFS: -e prints the server's export list. The list is whatever mountd
# reports, and the query goes through RPC, so rpcbind/portmapper (111) and
# mountd need to be reachable for any of these to answer.
showmount -e IP
# -a: List both the client IP and mounted directory in host:dir format.
# -d: List only the directories mounted by some client.