Demonstrate safe, methodical network reconnaissance and SMB enumeration used in vulnerability assessment and cyber research. This repo documents step-by-step commands, raw outputs, and interpretations to showcase skills relevant to roles such as Cybersecurity Researcher at Idaho National Laboratory (INL).
Ethics & scope: All scans were performed on lab-controlled infrastructure with explicit permission. Never scan systems you do not own or have written permission to test.
- `scans/`: raw outputs (nmap, enum4linux, smbclient, rpcclient, nmblookup)
- `analysis/`: human-readable interpretation of outputs and next steps
- `scripts/`: optional small scripts used to run scans
- `README.md`: this document
- `nmap` (SYN scans, version detection, NSE scripts)
- `enum4linux`, `smbclient`, `rpcclient`
- `nmblookup` / `nbstat` (NetBIOS name lookups)
- Ensure Python 3.11+ is available.
- Use the included demo XML: `python src/smb_report.py data/scans/smb_recon_example.xml > analysis/SMB_Recon_Report.csv`
- If your script supports flags, you can also do: `python src/smb_report.py -i data/scans/smb_recon_example.xml -o analysis/SMB_Recon_Report.csv`
- Review outputs:
  - `analysis/SMB_Recon_Report.csv`: consolidated host/OS/SMB signing/shares
  - `analysis/findings.md`: analyst interpretation & recommendations

- `data/scans/smb_recon_example.xml`: simulated Nmap XML output for two hosts (demo only).
- `src/smb_report.py`: parses Nmap hostscript fields (`smb-os-discovery`, `smb2-security-mode`, `smb-enum-shares`) into a summary CSV.
- `docs/SMB_Recon_Report.csv`: generated report (host, OS, SMB signing status, shares).
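The hostscript-to-CSV step described above, as an added sketch that is not the repository's own `src/smb_report.py`. The sample XML is constructed, and the names `SAMPLE_XML`, `signing_status`, `summarize` and `to_csv` are hypothetical; it assumes `smb-enum-shares` emits one table per share keyed by UNC path.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (lab addresses, not real scan data).
SAMPLE_XML = r"""<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><hostscript>
<script id="smb-os-discovery" output=""><elem key="os">Windows Server 2016 Standard 14393</elem></script>
<script id="smb2-security-mode" output="3.1.1: Message signing enabled but not required"/>
<script id="smb-enum-shares" output=""><elem key="account_used">guest</elem>
<table key="\\10.0.0.5\IPC$"/><table key="\\10.0.0.5\Public"/></script>
</hostscript></host>
<host><address addr="10.0.0.6" addrtype="ipv4"/><hostscript>
<script id="smb2-security-mode" output="3.1.1: Message signing enabled and required"/>
</hostscript></host>
</nmaprun>"""

def signing_status(output):
    """Map smb2-security-mode output text to a short status."""
    text = output.lower()
    if "not required" in text or "disabled" in text:
        return "not required"   # signing not enforced: flag for remediation
    if "required" in text:
        return "required"
    return "unknown"            # script did not run or returned nothing

def summarize(xml_text):  # returns one dict per host
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        os_el = host.find("hostscript/script[@id='smb-os-discovery']/elem[@key='os']")
        sec = host.find("hostscript/script[@id='smb2-security-mode']")
        shares = host.findall("hostscript/script[@id='smb-enum-shares']/table")  # keyed by UNC path
        rows.append({
            "host": addr.get("addr") if addr is not None else "",
            "os": os_el.text if os_el is not None else "unknown",
            "smb_signing": signing_status(sec.get("output", "")) if sec is not None else "unknown",
            "shares": ";".join(t.get("key").rsplit("\\", 1)[-1] for t in shares),
        })
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "os", "smb_signing", "shares"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(summarize(SAMPLE_XML)), end="")
```

Hosts where a script produced no result are reported as `unknown` rather than dropped, so a missing `smb2-security-mode` result is not mistaken for enforced signing.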
⚠️ Ethical use: run real scans only on systems you own or have explicit permission to test.
- Confirm host up: `ping -c 4 <TARGET_IP>`
- Fast TCP discovery (top 100 ports): `sudo nmap -sS -Pn --top-ports 100 -T4`
- Focused SMB/RPC enumeration (versions, dialects, capabilities, signing): `nmap -p 135,139,445 -sV --script=...`
- Anonymous/Null session attempts: `smbclient -L //IP -N`, `rpcclient -U "" IP`, `enum4linux -a IP`
- UDP NetBIOS checks: `nmblookup -A IP`, `nmap -sU -p 137 --script=nbstat`
- (Optional, authenticated) enumerate shares and users with test credentials.
- Place raw scan outputs into `scans/` (replace placeholder files).
- Edit `analysis/findings.md` to add your interpretation and remediation recommendations.
- Commit and push to a private repo while you decide which outputs (if any) are safe to make public.
- If you have test credentials for the VM, run authenticated enumeration:
  - `smbclient -L //<TARGET_IP> -U username`
  - `rpcclient -U username <TARGET_IP>`
- Author: Lauren Roberts
- Notes: This project demonstrates methodical reconnaissance and interpretation skills suitable for vulnerability assessment