smbclient.py
Access SMB network file shares
TLDR
Connect to an SMB server with username and password
Connect using NTLM hashes for authentication
Connect using Kerberos authentication
Connect specifying a domain controller IP
Connect to a specific target IP instead of NetBIOS name
Connect to a non-standard SMB port
Execute commands from an input file in the SMB shell
Log SMB client commands to an output file
SYNOPSIS
The `smbclient.py` script is typically invoked with the target's credentials and address, followed by optional parameters and commands.
Common Usage (if script is in PATH or directly executed):
`smbclient.py [[domain/]username[:password]@]target [-options] [command]`
Example with target and options:
`smbclient.py administrator:password@192.168.1.100 -shares`
`smbclient.py administrator@server.domain.com -hashes :NTHASH -c 'dir \\SHARE\path'`
PARAMETERS
--help, -h
Displays a help message and exits.
-target-ip IP
Specifies the IP address of the target machine. Useful when hostname resolution fails or is not desired.
-port PORT
Specifies the SMB port to connect to (default is 445).
-shares
Lists the available shares on the target system.
-dc-ip IP
IP address of the Domain Controller to be used for authentication (primarily with Kerberos).
-hashes LMHASH:NTHASH
Uses LM and NT hashes for NTLM authentication (pass-the-hash).
-no-pass
Do not ask for a password (useful when using -hashes or if the user has no password).
-k
Uses Kerberos authentication instead of NTLM.
-aesKey key
AES key to use for Kerberos authentication.
-file FILE
Specifies a local file for upload/download operations.
-c COMMANDS
Executes one or more commands remotely on the specified share (e.g., 'dir', 'get file.txt', 'put local.txt').
-debug
Turns on debug output, providing more verbose information about the connection and operations.
-shell
Enters an interactive SMB shell after connecting.
DESCRIPTION
The smbclient.py script is a powerful Python-based command-line utility, part of the widely-used Impacket library. It functions as a robust SMB/CIFS client, enabling users to interact with Windows (and Samba) file shares and services over the network. Unlike the traditional C-based smbclient, smbclient.py is written entirely in Python, offering greater flexibility and programmatic control, especially for security-related tasks.
Its primary uses include listing available shares on a target, navigating remote file systems, uploading and downloading files, and in some contexts, facilitating remote command execution (often in conjunction with other Impacket tools like smbexec.py). It supports various authentication methods, including traditional username/password, NTLM hashes (for pass-the-hash attacks), and Kerberos, making it an indispensable tool for penetration testers, security researchers, and system administrators managing heterogeneous environments.
CAVEATS
- Requires the Impacket Python library to be installed and accessible. It is not a standard system utility.
- Primarily designed for security testing and network forensics; misuse can lead to unauthorized access or system disruption.
- Network connectivity to the target's SMB port (typically 445) is essential, and firewalls may block access.
- Proper authentication credentials or hashes are required for most operations.
INTERACTIVE SHELL MODE
Beyond executing single commands, smbclient.py can launch an interactive shell (via the -shell option). This allows users to browse directories, manage files (get, put, delete), and execute various SMB-specific commands in a session-based manner, similar to a traditional FTP client.
FLEXIBLE AUTHENTICATION
The script offers highly flexible authentication options. Users can provide a clear-text password, but critically, it also supports 'pass-the-hash' attacks using NTLM hashes (via the -hashes option) and Kerberos authentication (via the -k option), making it extremely versatile for different security scenarios where traditional password access might not be available or desired.
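Each form above puts secret material on the command line (the clear-text password inside the target string, or the value of -hashes or -aesKey), where it ends up in shell history, process listings and engagement logs. The following is an added example, not part of Impacket or of the original page, that scrubs those values from recorded smbclient.py command lines before they are stored or shared; the function names, hosts and accounts are constructed for illustration.

```python
import re
import shlex

REDACTED = "REDACTED"
# Options from the PARAMETERS section whose value is secret material.
SECRET_OPTS = {"-hashes", "-aesKey"}
# [[domain/]username[:password]@]target: the last '@' separates the target,
# so a password that itself contains '@' or ':' is still captured whole.
TARGET_RE = re.compile(
    r"^(?P<ident>[^:@]*)(?::(?P<password>.*))?@(?P<target>[^@]*)$")

# Constructed sample command lines (hypothetical hosts and accounts).
SAMPLE_LINES = [
    "smbclient.py administrator:password@192.168.1.100",
    "smbclient.py administrator@server.domain.com -hashes :NTHASH",
    "smbclient.py corp/alice:p@ss:w0rd@10.0.0.5 -dc-ip 10.0.0.1",
    "smbclient.py -k -no-pass -aesKey AESKEY corp/alice@fs.corp.example",
]


def redact_argv(argv):
    """Return (clean_argv, findings) for one smbclient.py argument vector."""
    clean, findings = [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        # "-hashes VALUE" / "-aesKey VALUE": keep the option, drop the value.
        if arg in SECRET_OPTS and i + 1 < len(argv):
            clean += [arg, REDACTED]
            findings.append(arg)
            i += 2
            continue
        # Positional target string: redact only a non-empty password part.
        m = None if arg.startswith("-") else TARGET_RE.match(arg)
        if m and m.group("password"):
            clean.append(f"{m.group('ident')}:{REDACTED}@{m.group('target')}")
            findings.append("password")
        else:
            clean.append(arg)
        i += 1
    return clean, findings


def redact_line(line):
    """Redact one logged command line; returns (clean_line, findings)."""
    clean, findings = redact_argv(shlex.split(line))
    return shlex.join(clean), findings


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(redact_line(sample))
```

The findings list records which kind of secret was present on each line, which is useful when deciding which credentials need rotation after a log has been exposed.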
HISTORY
smbclient.py is a core component of the open-source Impacket library, which was originally developed by Core Security Technologies (now Corelight). The project began with a focus on providing Python implementations of various network protocols, including SMB/CIFS, for security research and penetration testing purposes. Over the years, Impacket and its tools like smbclient.py have continuously evolved to support new protocol features, security enhancements, and advanced authentication mechanisms (such as NTLMv2, pass-the-hash, and Kerberos), becoming a cornerstone utility in the offensive security community for interacting with Windows environments.