impacket-smbclient

View documentation for the original command

$ tldr smbclient.py

impacket-smbclient [-debug] [-logfile FILE] [-smb2] [-esac] [-debug-connection] [-retries RETRIES] [-timeout TIMEOUT] [-target-ip IP] [-target-hostname HOSTNAME] [-name NAME] [-k {tgs,hash,asrep}] [-no-pass] [-kdcHost KDC] [-request] [-dc-ip IP] [-aesKey AESKEY] [-keytab KEYTAB] [[domain/]username[:password]@]targetName

-h, --help
    Show help message and exit

-debug
    Enable DEBUG output

-logfile FILE
    Set base logfile name (default: smbclient.log)

-smb2
    Force SMB2+ usage, disable SMB1

-esac
    Enable ESAC challenge/response (experimental)

-debug-connection
    Print all SMB connection exchanges

-retries RETRIES
    Number of retries for unanswered packets

-timeout TIMEOUT
    SMB request timeout in seconds

-target-ip IP
    Specify target IP address

-target-hostname HOSTNAME
    Specify target hostname

-name NAME
    Set local hostname

-k {tgs,hash,asrep}
    Kerberos ticket/action (default: tgs)

-no-pass
    Skip password prompt (use with -k)

-kdcHost KDC
    Kerberos KDC host (default: target)

-request
    Request Kerberos TGT instead of TGS

-dc-ip IP
    Domain Controller IP address

-aesKey AESKEY
    AES256 key in hex for Kerberos

-keytab KEYTAB
    Keytab file for credentials

impacket-smbclient is a powerful command-line tool from the Impacket Python library, designed for interacting with SMB/CIFS shares on remote Windows systems. It provides an interactive shell similar to Samba's smbclient, enabling users to list directories, upload/download files, delete, and perform other file operations.

Key strengths include support for advanced authentication methods like NTLM hashes, Kerberos tickets, AES keys, and pass-the-hash attacks, making it invaluable in penetration testing, red teaming, and network forensics. Unlike traditional smbclient, it leverages Impacket's pure Python implementation for cross-platform compatibility and evasion techniques.

Users specify credentials in the format domain/username:password@host/share or use flags for hashes/tickets. Once connected, commands like ls, get, put, rm mimic shell operations. Debug modes offer visibility into SMB negotiations, aiding troubleshooting protocol issues.

Requires Impacket library installed via pip; needs network connectivity and valid credentials/privileges; Kerberos options demand proper realm setup; SMB1 often blocked by modern firewalls.

Use ls, lls (local), get file, put file, rm file, mkdir dir, quit to exit.
Example: impacket-smbclient user:pass@192.168.1.1/C$ then ls

Pass-the-hash: impacket-smbclient -hashes lmhash:nthash user@host/share (Impacket v0.10+ supports inline hashes)

Developed as part of Impacket suite by SecureAuth (now Fortra) since early 2000s; evolved for pentesting with SMB3 support and advanced auth in recent releases (v0.9+). Widely used in tools like CrackMapExec.

smbclient(1), smbmap(1), psexec(1)