Null and Guest access checks tell us whether SMB or RPC leaks information before we have real credentials. Modern domains should usually block this, but labs, appliances, NAS devices, legacy servers, and misconfigured shares still expose useful data.
Null session with smbclient
smbclient -N -L //10.10.10.200
smbclient -N //10.10.10.200/IPC$ -c "help"
Guest access with smbclient
smbclient -U '%' -L //10.10.10.200
smbclient -U 'guest%' -L //10.10.10.200
smbclient -U 'guest%' //10.10.10.200/Public -c "ls"
smbmap
smbmap -H 10.10.10.200 -u '' -p ''
smbmap -H 10.10.10.200 -u guest -p ''
smbmap -H 10.10.10.200 -u guest -p '' -r
NetExec
nxc smb 10.10.10.200 -u '' -p ''
nxc smb 10.10.10.200 -u '' -p '' --shares
nxc smb 10.10.10.200 -u guest -p '' --shares
enum4linux-ng
enum4linux-ng -A 10.10.10.200
enum4linux-ng -A -u '' -p '' 10.10.10.200
enum4linux-ng -A -u guest -p '' 10.10.10.200
RPC null session
rpcclient -U "" 10.10.10.200 -c "srvinfo"
rpcclient -U "" 10.10.10.200 -c "lsaquery"
rpcclient -U "" 10.10.10.200 -c "enumdomusers"
rpcclient -U "" 10.10.10.200 -c "netshareenumall"
Notes
- Null access means no username and no password.
- Guest access means the server accepted the Guest identity.
- They are different conditions, and both should be tested.