Smb Scan Target System

Synopsis

Performs concurrent SMB fingerprinting across one or more IP addresses, CIDR ranges, or hostnames, extracting dialect, server GUID, hostname, domain, and OS version via raw SMB1/SMB2/SMB3 negotiation and NTLM challenge parsing.

Syntax

Invoke-SmbScanner
    -Target <string[]>
    [-Port <int>]
    [-TimeoutMs <int>]
    [-Threads <int>]
    [-Randomize]

Description

Invoke-SmbScanner probes one or more network targets over TCP port 445 (or a specified port) and performs a raw SMB protocol handshake to extract fingerprint data without authenticating. For each reachable host, the cmdlet sends an SMB multi-protocol negotiate request and, if the host responds, continues with an SMB2 or SMB1 session setup exchange to elicit an NTLM CHALLENGE message. The NTLM CHALLENGE is parsed for target info AV pairs (DNS and NetBIOS computer name, DNS and NetBIOS domain name) and the NTLM version field, which exposes the Windows major/minor version and build number.

Results are emitted to the pipeline only when both TCP connectivity and at least one piece of usable fingerprint data (dialect, server GUID, hostname, domain, or OS version) are obtained. Hosts that are reachable over TCP but return no meaningful SMB fingerprint data are suppressed.

Scanning is performed concurrently using a configurable thread pool. Targets may be provided as individual IP addresses, CIDR notation ranges, or hostnames, and may be passed by value or piped from upstream cmdlets.
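The NTLM CHALLENGE parsing described above, written out as an added Python example. It is not the recon module's code; it implements the MS-NLMP CHALLENGE_MESSAGE layout (target info AV pairs at the offset given in the TargetInfoFields, the 8-byte VERSION field when NTLMSSP_NEGOTIATE_VERSION is set) and renders OsVersion in the same format the cmdlet prints. The two sample messages are constructed inline to mirror the example output later on this page; the ServerChallenge bytes are a fixed sample, the FAMILY and KNOWN_BUILDS tables are the author's assumptions (the build table is deliberately partial), and a host that omits the VERSION field yields an empty OsVersion, which is exactly the case the Notes section warns about.

```python
import struct

# Flag bits from MS-NLMP 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids from MS-NLMP 2.2.2.1 that carry the names the cmdlet reports
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName",
            3: "DnsComputerName", 4: "DnsDomainName", 5: "DnsTreeName"}
AV_IDS = {name: av_id for av_id, name in AV_NAMES.items()}

# Family names keyed by (major, minor); (10, 0) is shared by Windows 10 and
# Windows Server 2016+, so only the build number separates them (assumed table)
FAMILY = {
    (5, 0): "Windows 2000", (5, 1): "Windows XP",
    (5, 2): "Windows XP x64/Server 2003",
    (6, 0): "Windows Vista/Server 2008", (6, 1): "Windows 7/Server 2008 R2",
    (6, 2): "Windows 8/Server 2012", (6, 3): "Windows 8.1/Server 2012 R2",
    (10, 0): "Windows 10/Server",
}
# Partial build table (assumption: extend as needed for your estate)
KNOWN_BUILDS = {
    14393: "Windows Server 2016 / Windows 10 1607",
    17763: "Windows Server 2019 / Windows 10 1809",
    20348: "Windows Server 2022",
    22000: "Windows 11 21H2",
}


def parse_av_pairs(blob):
    """Walk an AV_PAIR list (AvId, AvLen, Value) until MsvAvEOL (id 0)."""
    pairs, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:                      # MsvAvEOL terminates the list
            return pairs
        value = blob[off:off + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV_PAIR")
        if av_id in AV_NAMES:               # unknown ids are skipped by length
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
        off += av_len
    raise ValueError("AV_PAIR list without MsvAvEOL")


def parse_challenge(msg):
    """Return flags, AV pairs and (major, minor, build) from a CHALLENGE_MESSAGE."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type 2)")
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    av = parse_av_pairs(msg[ti_off:ti_off + ti_len]) if ti_len else {}
    version = None
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= 56:
        version = struct.unpack_from("<BBH", msg, 48)   # major, minor, build
    return {"flags": flags, "av": av, "version": version}


def os_version(version):
    """Render the VERSION field the way the cmdlet prints it; empty when absent."""
    if version is None:
        return ""
    major, minor, build = version
    family = FAMILY.get((major, minor), f"Windows {major}.{minor}")
    return f"{family} build {build}"


def fingerprint(msg):
    """Hostname/Domain/OsVersion as the cmdlet reports them, preferring DNS names."""
    parsed = parse_challenge(msg)
    av, ver = parsed["av"], parsed["version"]
    return {
        "Hostname": av.get("DnsComputerName") or av.get("NbComputerName", ""),
        "Domain": av.get("DnsDomainName") or av.get("NbDomainName", ""),
        "OsVersion": os_version(ver),
        "BuildHint": KNOWN_BUILDS.get(ver[2], "") if ver else "",
    }


def build_challenge(av, version=None):
    """Constructed CHALLENGE_MESSAGE for offline use (sample data, not captured traffic)."""
    payload = b"".join(
        struct.pack("<HH", AV_IDS[name], len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
        for name, v in av.items()
    ) + b"\x00\x00\x00\x00"                                       # MsvAvEOL
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO
    ver_bytes = b"\x00" * 8
    if version:
        flags |= NTLMSSP_NEGOTIATE_VERSION
        ver_bytes = struct.pack("<BBH3xB", *version, 0x0F)        # reserved + NTLMSSP_REVISION_W2K3
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 56)                       # TargetNameFields: empty
            + struct.pack("<I", flags)
            + bytes(range(8))                                     # ServerChallenge (fixed sample)
            + b"\x00" * 8                                         # Reserved
            + struct.pack("<HHI", len(payload), len(payload), 56) # TargetInfoFields
            + ver_bytes + payload)


# Constructed samples mirroring the page's example output
SAMPLE_DC = build_challenge({"NbComputerName": "DC01", "NbDomainName": "CORP",
                             "DnsComputerName": "DC01.corp.local",
                             "DnsDomainName": "corp.local"}, version=(10, 0, 17763))
SAMPLE_LEGACY = build_challenge({"NbComputerName": "LEGACY-SRV",
                                 "NbDomainName": "WORKGROUP"})     # no VERSION field

if __name__ == "__main__":
    for sample in (SAMPLE_DC, SAMPLE_LEGACY):
        print(fingerprint(sample))
```

The parser trusts the TargetInfoFields offset rather than assuming the payload starts at byte 56, and it stops on a truncated AV pair instead of reading past the buffer; both matter when the same routine is pointed at captured traffic for review rather than at a live host.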

Parameters

-Target <string[]>
    Required: Yes
    One or more IP addresses (e.g. 192.168.1.1), CIDR ranges (e.g. 10.0.0.0/24), or hostnames (e.g. dc01.corp.local) to scan. Accepts pipeline input.

-Port <int>
    Required: No    Default: 445
    TCP port to connect to. Must be between 1 and 65535. Override when SMB is hosted on a non-standard port.

-TimeoutMs <int>
    Required: No    Default: 2500
    Per-host connection and read timeout in milliseconds. Lower values increase scan speed at the cost of missing slower hosts.

-Threads <int>
    Required: No    Default: 50
    Number of concurrent scanning threads. Must be between 1 and 1000. Higher values increase throughput on large ranges but consume more system resources.

-Randomize <switch>
    Required: No    Default: $false
    When set, randomizes the order in which targets are scanned. Useful for reducing detection noise across sequential IP ranges.

Output

Each result object is of type recon.Classes.SmbScanResult and contains the following properties:

Target <string>
    The original target string as provided (IP, CIDR host, or hostname).

Port <int>
    The port that was scanned.

Connected <bool>
    Whether a TCP connection was established. Always true for emitted results.

Dialect <string>
    The negotiated SMB dialect (e.g. SMB 2.1, SMB 3.0.2).

ServerGuid <string>
    The server GUID returned in the SMB2 NEGOTIATE response, formatted as a standard UUID.

Hostname <string>
    The DNS or NetBIOS computer name extracted from the NTLM CHALLENGE AV pairs.

Domain <string>
    The DNS or NetBIOS domain name extracted from the NTLM CHALLENGE AV pairs.

OsVersion <string>
    A human-readable OS version string derived from the NTLM version field (e.g. Windows 10/Server build 19041).

SessionSetupStatus <uint>
    The raw NTSTATUS code returned by the session setup exchange (e.g. 0xC0000016 for STATUS_MORE_PROCESSING_REQUIRED).

Error <string>
    Error detail if the scan failed or produced no usable data. $null on success.

Note: Results are only emitted when Connected is true and at least one of Dialect, ServerGuid, Hostname, Domain, or OsVersion is non-empty. Plain TCP connections that do not yield SMB fingerprint data are silently dropped.

Examples

Example 1 — Scan a single host

load recon;

Invoke-SmbScanner -Target '192.168.1.10'
Target             : 192.168.1.10
Port               : 445
Connected          : True
Dialect            : SMB 3.0.2
ServerGuid         : 4a3f1c2d-8b7e-4f90-a123-0d5e6c7f8a9b
Hostname           : DC01.corp.local
Domain             : corp.local
OsVersion          : Windows 10/Server build 17763
SessionSetupStatus : 3221225494
Error              :

Example 2 — Scan a CIDR range with increased threads and a faster timeout

load recon;

Invoke-SmbScanner -Target '10.10.0.0/22' -TimeoutMs 1000 -Threads 200
Target             : 10.10.0.4
Port               : 445
Connected          : True
Dialect            : SMB 2.1
ServerGuid         : 7c2d9a1e-3f5b-4e82-b047-1a2c3d4e5f60
Hostname           : FILE01.corp.local
Domain             : corp.local
OsVersion          : Windows 7/Server 2008 R2 build 7601
SessionSetupStatus : 3221225494
Error              :

Target             : 10.10.0.9
Port               : 445
Connected          : True
Dialect            : SMB 1.0
ServerGuid         :
Hostname           : LEGACY-SRV
Domain             : WORKGROUP
OsVersion          : Windows XP build 2600
SessionSetupStatus : 3221225494
Error              :

Example 3 — Scan a named host on a non-standard port

load recon;

Invoke-SmbScanner -Target 'fileserver.corp.local' -Port 4445
Target             : fileserver.corp.local
Port               : 4445
Connected          : True
Dialect            : SMB 3.1.1
ServerGuid         : 1b4f8c3a-0e2d-4791-a556-9f0a1b2c3d4e
Hostname           : FILESERVER.corp.local
Domain             : corp.local
OsVersion          : Windows 10/Server build 20348
SessionSetupStatus : 3221225494
Error              :

Example 4 — Pipe multiple targets from an upstream cmdlet and export to CSV

load recon;

@('10.0.0.0/24', '172.16.5.0/24', 'jumphost.corp.local') |
    Invoke-SmbScanner -TimeoutMs 1500 -Threads 150 -Randomize |
    Export-Csv -Path .\smb_results.csv -NoTypeInformation

Example 5 — Filter results to legacy dialects only

load recon;

Invoke-SmbScanner -Target '192.168.0.0/16' -Threads 300 |
    Where-Object { $_.Dialect -match 'SMB 1|SMB 2\.0' } |
    Select-Object Target, Dialect, OsVersion |
    Format-Table -AutoSize
Target        Dialect   OsVersion
------        -------   ---------
192.168.1.42  SMB 1.0   Windows XP build 2600
192.168.2.11  SMB 2.0.2 Windows 7/Server 2008 R2 build 7601
192.168.4.88  SMB 1.0   Windows 2000 build 2195

Notes

  • Results are suppressed for hosts where TCP connects but no usable SMB fingerprint data is returned. This filters out hosts running non-SMB services on port 445 and SMB implementations that respond to TCP but reject the negotiate exchange before returning NTLM target info.
  • The OsVersion field is derived from the NTLM VERSION structure, which is an advisory field and may not reflect the actual OS version. Hosts may spoof or omit it. Windows 10 and Windows Server 2016+ both report major version 10.0 and differ only in build number, so the build number is needed to distinguish them.
  • SessionSetupStatus value 3221225494 (0xC0000016) is STATUS_MORE_PROCESSING_REQUIRED, which is the expected NTSTATUS for a mid-handshake NTLM exchange and indicates a normal, successful fingerprint probe — not an error.
  • CIDR expansion is handled by IpNetworkScannerBase. The full host range is enumerated before scanning begins; network and broadcast addresses are excluded.
  • The -Randomize switch randomizes target order after CIDR expansion. It does not introduce per-host jitter or rate limiting.
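The CIDR expansion and target ordering described in the last two notes, as an added Python example that is not the recon module's IpNetworkScannerBase. It materializes the full host list before anything is scanned, drops the network and broadcast addresses of each range, passes plain addresses and hostnames through, and shuffles only the order when asked. Handling of /31 and /32 blocks (every address kept, since such blocks have no distinct network or broadcast address) and the IPv4-only restriction are this example's assumptions, not behaviour the page states.

```python
import ipaddress
import random


def expand_targets(targets, randomize=False, seed=None):
    """Expand IPs, CIDR ranges and hostnames into one flat, ordered scan list.

    The whole range is enumerated up front; network and broadcast addresses
    are excluded for /30 and wider. /31 and /32 keep every address
    (assumption, RFC 3021 style). Hostnames pass through untouched.
    """
    hosts = []
    for raw in targets:
        item = raw.strip()
        if not item:
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)   # tolerate host bits set
            if net.version != 4:
                raise ValueError(f"IPv4 only in this example: {item}")
            if net.prefixlen >= 31:
                hosts.extend(str(a) for a in net)
            else:
                skip = (net.network_address, net.broadcast_address)
                hosts.extend(str(a) for a in net if a not in skip)
            continue
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            hosts.append(item)                               # not an address: hostname
            continue
        if addr.version != 4:
            raise ValueError(f"IPv4 only in this example: {item}")
        hosts.append(str(addr))
    if randomize:
        # Order only: no per-host jitter or rate limiting is introduced here
        random.Random(seed).shuffle(hosts)
    return hosts


if __name__ == "__main__":
    for t in expand_targets(["10.0.0.0/29", "192.168.1.10", "dc01.corp.local"], randomize=True, seed=7):
        print(t)
```

Materializing the list first is what makes the -Threads and -Randomize behaviour predictable: the thread pool consumes a fixed, already shuffled list, and the count of that list (254 for a /24) is the number of probes the scan will make before it is started.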