Smb Scan Local Network

Synopsis

Performs concurrent SMB fingerprinting across all eligible local network interfaces, extracting dialect, server GUID, hostname, domain, and OS version via raw SMB1/SMB2/SMB3 negotiation and NTLM challenge parsing, using the same interface eligibility rules as the local TCP scanner.

Syntax

Invoke-LocalSmbScanner.ps1
    [-Port <int>]
    [-TimeoutMs <int>]
    [-Threads <int>]
    [-Randomize <bool>]

Description

Invoke-LocalSmbScanner.ps1 enumerates the host’s network interfaces, applies the same eligibility filter used by the local TCP scanner, and runs Invoke-SmbScanner against each qualifying subnet in turn. No target list is required; the script derives all scan targets from the local routing table at runtime.

An interface is eligible for scanning only if it meets all three of the following conditions:

  • Its status is Up.
  • It has more than two ARP table entries. This filters out loopback interfaces, point-to-point links, and interfaces with no observed neighbours.
  • Its subnet prefix length is /23 or longer (i.e. the CIDR value is 23 or greater). This prevents accidental scanning of large routed aggregates and keeps the host count within a manageable bound.

Interfaces with multiple assigned IP addresses are handled correctly: each address is parsed independently and each unique derived subnet is scanned once.
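The eligibility rules above, reproduced as an added example (this is not code from Invoke-LocalSmbScanner.ps1 or the TCP scanner): it lists the subnets the script would derive on the current host. It assumes "ARP table entries" means the IPv4 rows Get-NetNeighbor reports for the interface minus the Permanent broadcast/multicast rows Windows installs on every interface; the function and parameter names are hypothetical.

```powershell
# Added example: reproduce the interface eligibility filter and derive unique subnets.
# Assumption: ARP entries are counted excluding State = Permanent rows, since those
# exist on every interface and would otherwise let any adapter pass the "> 2" test.

function Get-NetworkCidr {
    # Mask the host bits off an address, e.g. 10.0.1.44 with /23 -> 10.0.0.0/23
    param([string]$IPAddress, [int]$PrefixLength)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))  # network bits in this octet
        $bytes[$i] -band ((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    '{0}/{1}' -f ($net -join '.'), $PrefixLength
}

function Get-EligibleScanSubnet {
    param(
        [int]$MinArpEntries   = 2,   # interface must have MORE than this many entries
        [int]$MinPrefixLength = 23   # /23 or longer only (CIDR value >= 23)
    )
    $seen = @{}
    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $arp = @(Get-NetNeighbor -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Where-Object State -ne 'Permanent')
        if ($arp.Count -le $MinArpEntries) { continue }
        # An interface may carry several addresses; each one is evaluated on its own.
        $addrs = Get-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        foreach ($addr in $addrs) {
            if ($addr.PrefixLength -lt $MinPrefixLength) { continue }
            $cidr = Get-NetworkCidr -IPAddress $addr.IPAddress -PrefixLength $addr.PrefixLength
            if ($seen.ContainsKey($cidr)) { continue }   # each derived subnet is scanned once
            $seen[$cidr] = $true
            [pscustomobject]@{ Interface = $adapter.Name; ArpEntries = $arp.Count; Network = $cidr }
        }
    }
}

Get-EligibleScanSubnet | Format-Table -AutoSize
```

Run it before a scan to confirm which networks will be swept; an interface that is missing here because its ARP count is low is exactly the case the Notes describe for freshly rebooted hosts.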

For each qualifying subnet, Invoke-SmbScanner is invoked directly with the CIDR string as the target. Results are annotated with a Network property containing the CIDR string of the subnet that produced the result, and an IP property aliasing the Target field for output consistency with the local TCP scanner. The Target property is excluded from the final output so that the column layout matches what consumers of the TCP scanner already expect.

Results are only emitted for hosts where TCP connectivity was established and at least one piece of usable fingerprint data was returned. Hosts that are reachable over TCP but return no dialect, server GUID, hostname, domain, or OS version are suppressed by the underlying cmdlet before reaching the pipeline.

Parameters

-Port <int>
    TCP port to connect to on each target host. Override when SMB is hosted on a non-standard port. Must be between 1 and 65535.
    Required: No    Default: 445

-TimeoutMs <int>
    Per-host connection and read timeout in milliseconds. Lower values increase scan speed at the cost of missing slower or more distant hosts.
    Required: No    Default: 2500

-Threads <int>
    Number of concurrent scanning threads passed to Invoke-SmbScanner per subnet. Higher values increase throughput on larger subnets but consume more system resources.
    Required: No    Default: 50

-Randomize <bool>
    When $true, randomizes the order in which hosts within each subnet are scanned. Reduces sequential sweep signatures in network telemetry.
    Required: No    Default: $true

Output

Each result object carries the properties of recon.Classes.SmbScanResult plus two additional annotated properties added by the script.

IP <string>
    The IP address of the scanned host. Aliased from the underlying Target field for output consistency with the local TCP scanner.

Network <string>
    The CIDR subnet string of the interface network that produced this result (e.g. 10.0.1.0/24).

Port <int>
    The port that was scanned.

Connected <bool>
    Whether TCP connectivity was established. Always true for emitted results.

Dialect <string>
    The negotiated SMB dialect (e.g. SMB 2.1, SMB 3.0.2).

ServerGuid <string>
    The server GUID returned in the SMB2 NEGOTIATE response, formatted as a standard UUID.

Hostname <string>
    The DNS or NetBIOS computer name extracted from the NTLM CHALLENGE AV pairs.

Domain <string>
    The DNS or NetBIOS domain name extracted from the NTLM CHALLENGE AV pairs.

OsVersion <string>
    A human-readable OS version string derived from the NTLM version field (e.g. Windows 10/Server build 19041).

SessionSetupStatus <uint>
    The raw NTSTATUS code returned by the session setup exchange. A value of 0xC0000016 (STATUS_MORE_PROCESSING_REQUIRED) is expected and indicates a successful fingerprint probe.

Error <string>
    Error detail if the scan failed or produced no usable data. $null on successful results.

Note: The Target property from SmbScanResult is excluded from output by the final Select-Object projection. Use IP instead.
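How the Hostname, Domain and OsVersion properties are recovered from the NTLM CHALLENGE_MESSAGE (MS-NLMP), as an added example rather than the scanner's own code. It assumes DNS names are preferred over NetBIOS names and that the friendly OsVersion label (e.g. "Windows 10/Server build 19041") is a mapping applied on top of the raw major.minor/build values this function returns; the sample message is constructed inline, and the function names are hypothetical.

```powershell
# Added example: parse the NTLMSSP CHALLENGE_MESSAGE TargetInfo AV pairs and VERSION field.
function ConvertFrom-NtlmChallenge {
    param([byte[]]$Bytes)
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 8) -ne "NTLMSSP`0" -or
        [BitConverter]::ToUInt32($Bytes, 8) -ne 2) { throw 'Not an NTLM CHALLENGE_MESSAGE' }
    $flags = [BitConverter]::ToUInt32($Bytes, 20)          # NegotiateFlags
    $tiLen = [int][BitConverter]::ToUInt16($Bytes, 40)     # TargetInfoFields: Len(2) MaxLen(2) Offset(4)
    $tiOff = [int][BitConverter]::ToUInt32($Bytes, 44)
    $av = @{}
    $p = $tiOff
    while ($p + 4 -le $tiOff + $tiLen) {                   # AV_PAIR list: AvId(2) AvLen(2) Value(UTF-16LE)
        $id  = [BitConverter]::ToUInt16($Bytes, $p)
        $len = [BitConverter]::ToUInt16($Bytes, $p + 2)
        if ($id -eq 0) { break }                           # MsvAvEOL terminates the list
        $av[[int]$id] = [System.Text.Encoding]::Unicode.GetString($Bytes, $p + 4, $len)
        $p += 4 + $len
    }
    $os = $null
    if ($flags -band 0x02000000) {                         # NTLMSSP_NEGOTIATE_VERSION: VERSION at offset 48
        $os = '{0}.{1} build {2}' -f $Bytes[48], $Bytes[49], [BitConverter]::ToUInt16($Bytes, 50)
    }
    [pscustomobject]@{
        Hostname  = if ($av[3]) { $av[3] } else { $av[1] } # MsvAvDnsComputerName, else MsvAvNbComputerName
        Domain    = if ($av[4]) { $av[4] } else { $av[2] } # MsvAvDnsDomainName, else MsvAvNbDomainName
        OsVersion = $os                                    # advisory only; may be absent or spoofed
    }
}

function New-AvPair([int]$Id, [string]$Value) {            # helper to build one AV_PAIR
    $v = [System.Text.Encoding]::Unicode.GetBytes($Value)
    [BitConverter]::GetBytes([uint16]$Id) + [BitConverter]::GetBytes([uint16]$v.Length) + $v
}

# Constructed sample: what a domain controller might return (flags UNICODE | TARGET_INFO | VERSION).
$ti  = (New-AvPair 1 'DC01') + (New-AvPair 2 'CORP') + (New-AvPair 3 'DC01.corp.local') + (New-AvPair 4 'corp.local') + (New-AvPair 0 '')
$msg = [System.Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + [BitConverter]::GetBytes([uint32]2)     # Signature, MessageType
$msg += [BitConverter]::GetBytes([uint32]0) + [BitConverter]::GetBytes([uint32]56)                  # TargetNameFields: empty, offset 56
$msg += [BitConverter]::GetBytes([uint32]0x02800001) + (New-Object byte[] 16)                        # NegotiateFlags, ServerChallenge(8), Reserved(8)
$msg += [BitConverter]::GetBytes([uint16]$ti.Length) + [BitConverter]::GetBytes([uint16]$ti.Length) + [BitConverter]::GetBytes([uint32]56)  # TargetInfoFields
$msg += [byte[]](10, 0) + [BitConverter]::GetBytes([uint16]19041) + [byte[]](0, 0, 0, 15) + $ti     # VERSION 10.0 build 19041, then payload

ConvertFrom-NtlmChallenge -Bytes $msg   # Hostname DC01.corp.local, Domain corp.local, OsVersion "10.0 build 19041"
```

A server that omits NTLMSSP_NEGOTIATE_VERSION yields a null OsVersion, and a server that sends only NetBIOS AV pairs yields the short names seen in the LEGACY-SRV / WORKGROUP rows above.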

Examples

Example 1 — Run with all defaults

.\Invoke-LocalSmbScanner.ps1
IP           Network        Port Connected Dialect   ServerGuid                           Hostname          Domain      OsVersion
--           -------        ---- --------- -------   ----------                           --------          ------      ---------
10.0.1.4     10.0.1.0/24    445  True      SMB 3.0.2 4a3f1c2d-8b7e-4f90-a123-0d5e6c7f8a9b DC01.corp.local  corp.local  Windows 10/Server build 17763
10.0.1.12    10.0.1.0/24    445  True      SMB 2.1   7c2d9a1e-3f5b-4e82-b047-1a2c3d4e5f60 FILE01.corp.local corp.local  Windows 7/Server 2008 R2 build 7601
10.0.1.31    10.0.1.0/24    445  True      SMB 1.0                                        LEGACY-SRV        WORKGROUP   Windows XP build 2600
192.168.5.2  192.168.5.0/24 445  True      SMB 3.1.1 1b4f8c3a-0e2d-4791-a556-9f0a1b2c3d4e FS02.corp.local  corp.local  Windows 10/Server build 20348

Example 2 — Aggressive timing for a fast internal network

.\Invoke-LocalSmbScanner.ps1 -TimeoutMs 750 -Threads 200
IP           Network        Port Connected Dialect   ServerGuid                           Hostname          Domain      OsVersion
--           -------        ---- --------- -------   ----------                           --------          ------      ---------
10.0.0.5     10.0.0.0/23    445  True      SMB 3.0.2 9e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b EXCH01.corp.local corp.local  Windows 10/Server build 17763
10.0.0.18    10.0.0.0/23    445  True      SMB 3.1.1 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e WEB01.corp.local  corp.local  Windows 10/Server build 20348
10.0.1.44    10.0.0.0/23    445  True      SMB 2.1   3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f PRINT01           WORKGROUP   Windows 7/Server 2008 R2 build 7601

Example 3 — Filter to legacy SMB dialects and export

.\Invoke-LocalSmbScanner.ps1 -Threads 150 |
    Where-Object { $_.Dialect -match 'SMB 1|SMB 2\.0' } |
    Select-Object IP, Network, Dialect, OsVersion |
    Export-Csv -Path .\legacy_smb.csv -NoTypeInformation

Example 4 — Surface hosts missing domain membership

.\Invoke-LocalSmbScanner.ps1 |
    Where-Object { $_.Domain -eq 'WORKGROUP' -or [string]::IsNullOrEmpty($_.Domain) } |
    Select-Object IP, Network, Hostname, Domain, OsVersion |
    Format-Table -AutoSize
IP          Network        Hostname   Domain    OsVersion
--          -------        --------   ------    ---------
10.0.1.31   10.0.1.0/24    LEGACY-SRV WORKGROUP Windows XP build 2600
10.0.1.77   10.0.1.0/24               WORKGROUP Windows 10/Server build 19041
10.0.1.103  10.0.1.0/24    KIOSK-01             Windows 10/Server build 19041

Notes

  • Subnets with a prefix length shorter than /23 are skipped regardless of interface status or ARP table size. This is a hard lower bound inherited from the TCP scanner’s eligibility logic and is not configurable at the script level. If you need to scan a larger range, use Invoke-SmbScanner directly with an explicit -Target argument.
  • Each unique subnet is scanned at most once per script invocation. If two interfaces on the same host share an overlapping or identical subnet, the duplicate is silently dropped before scanning begins.
  • The OsVersion field is derived from the NTLM VERSION structure, which is advisory and not verified. Windows 10 and every Windows Server release from 2016 onward report major version 10.0; the build number is required to distinguish them, and even that may be suppressed or spoofed by some SMB implementations.
  • SessionSetupStatus value 3221225494 (0xC0000016) is STATUS_MORE_PROCESSING_REQUIRED, the expected NTSTATUS mid-handshake for NTLM exchange. It denotes a successful fingerprint probe, not a failure.
  • ARP table population depends on prior network activity. On a freshly imaged host or a host that has been recently rebooted, the ARP count filter may exclude interfaces that are genuinely active but have not yet accumulated entries. In those cases, use Invoke-SmbScanner directly with an explicit target range.

Related Links

  • Invoke-SmbScanner — Underlying cmdlet; use directly when explicit target control is required
  • Invoke-LocalSmbScanner.ps1 — This script
  • Invoke-SmbScanner.ps1 — Target-driven SMB scanner wrapper