Nmap NSE net: smb-brute

Summary
Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. SYNTAX: userdb: The filename of an alternate username database. brutelimit: Limits the number of usernames checked in the script. In some domains, it's possible to end up with 10,000+ usernames on each server. By default, this will be '5000', which should be higher than most servers and also prevent infinite loops or other weird things. This will only affect the user list pulled from the server, not the username list. randomseed: Set to a value to change the filenames/service names that are randomly generated. unpwdb.timelimit: The maximum amount of time that any iterator will run before stopping. The value is in seconds by default and you can follow it with 'ms', 's', 'm', or 'h' for milliseconds, seconds, minutes, or hours. For example, 'unpwdb.timelimit=30m' or 'unpwdb.timelimit=.5h' for 30 minutes. The default depends on the timing template level (see the module description). Use the value '0' to disable the time limit. unpwdb.userlimit: The maximum number of usernames 'usernames' will return (default unlimited). smblockout: Unless this is set to '1' or 'true', the script won't continue if it locks out an account or thinks it will lock out an account. smbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed to be the same protocol as port 445, not port 139. passdb: The filename of an alternate password database. smbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. Against most modern systems, extended security should work, but there may be cases where you want to force basic. There's a chance that you'll get better results for enumerating users if you turn on basic authentication. smbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows, server signatures aren't enabled or required. By default, this library will always sign packets if it knows how, and will check signatures if the server says to. Possible values are: - 'force': Always check server signatures, even if server says it doesn't support them (will probably fail, but is technically more secure). - 'negotiate': [default] Use signatures if server supports them. - 'ignore': Never check server signatures. Not recommended. - 'disable': Don't send signatures, at all, and don't check the server's. not recommended. More information on signatures can be found in 'smbauth.lua'. canaries: Sets the number of tests to do to attempt to lock out the first account. This will lock out the first account without locking out the rest of the accounts. The default is 3, which will only trigger strict lockouts, but will also bump the canary account up far enough to detect a lockout well before other accounts are hit. unpwdb.passlimit: The maximum number of passwords 'passwords' will return (default unlimited).