SMB null and Guest access checks determine whether the domain exposes data without real credentials.
This is one of the first checks because it can produce shares, usernames, domain policy, or readable files before authentication.
To clarify a common misunderstanding: Null and Guest are not the same thing and should both be tested individually.
Null Session Checks
smbclient -L //10.10.10.200 -N
nxc smb 10.10.10.200 -u '' -p '' --shares
smbmap -H 10.10.10.200 -u '' -p ''
enum4linux-ng -A 10.10.10.200
Success looks like:
share listing
domain name
user list
password policy
Failure looks like:
NT_STATUS_ACCESS_DENIED
STATUS_LOGON_FAILURE
Failure is normal on a hardened domain.
Guest Checks
smbclient -L //10.10.10.200 -U 'guest%'
nxc smb 10.10.10.200 -u 'guest' -p '' --shares
smbmap -H 10.10.10.200 -u 'guest' -p ''
enum4linux-ng -u guest -p '' -A 10.10.10.200
Try common casing:
nxc smb 10.10.10.200 -u Guest -p ''
nxc smb 10.10.10.200 -u guest -p ''
Share Enumeration
If a share is readable:
smbmap -H 10.10.10.200 -u 'guest' -p '' -R --dir-only
smbclient //10.10.10.200/Public -U 'guest%' -c 'recurse; ls'
Pull only files that matter:
smbclient //10.10.10.200/Public -U 'guest%' -c 'get readme.txt'
Look for:
passwords
scripts
configuration files
VPN notes
database connection strings
deployment files
certificates
Common Follow-Up
If Guest access works, immediately check:
nxc smb 10.10.10.200 -u 'guest' -p '' --users
nxc smb 10.10.10.200 -u 'guest' -p '' --rid-brute
nxc smb 10.10.10.200 -u 'guest' -p '' --pass-pol
If users are found, move to username enumeration, ASREP roasting, and password policy checks.
Detection
Defenders look for:
- Security 4624 with anonymous or Guest logons
- Security 4625 for failed null/Guest attempts
- Security 5140 for share access
- Security 5145 for file share object access
- SMB connections from unmanaged hosts
Remediation
- disable Guest access
- restrict anonymous enumeration
- remove Everyone or Guest permissions from shares
- require authentication for all SMB access
- audit shares for readable sensitive files
- enforce SMB signing where possible