| Flag | What Does it Do? | Why Does that Matter? | When to Use it? | Purpose |
|---|---|---|---|---|
Checks the host for SMBv1 signing | If SMB signing is not enabled & required it suggests the host is vulnerable to pass-the-hash attacks | When you see p137, 445 or if there is NBNS/LLMNR traffic on the network | Vulnerability Analysis | |
Checks the host for SMBv2 signing | If SMB signing is not enabled & required it suggests the host is vulnerable to pass-the-hash attacks | When you see p137, 445 or if there is NBNS/LLMNR traffic on the network | Vulnerability Analysis | |
Fingerprints specifics about SMB versions | Older versions of SMB are riddled with RCE vulnerabilities (i.e, Eternal Blue) | When analyzing Windows server infrastructure | Vulnerability Analysis | |
Basic vulnerability scanning against the vulners.com database | You can obfuscate this much more than something like OpenVas | When you have a large amount of data to analyze and need to automate the research process | Vulnerability AnalysisQuality of Life | |
Enumerates the specific version and build of on prem MS exchange servers | Older exchange servers have several significant exploits available | Anytime you see on prem exchange | Vulnerability Analysis | |
Enumerates network file shares on a host | It may be possible to mount those shares and parse through potentially sensitive data | When you see p2049 | Vulnerability Analysis | |
Identified instances of Jenkins on the network | Older version of Jenkins have tons of vulnerabilities | As part of initial attack surface analysis | Host DiscoveryVulnerability Analysis |