smbmap

SMB enumeration tool.

TLDR

Enumerate hosts with NULL sessions enabled and open shares

$ smbmap --host-file [path/to/file]
copy


Enumerate hosts and check SMB file permissions
$ smbmap --host-file [path/to/file] -u [username] -p [password] -q
copy


Connect to an ip or hostname through smb using a username and password
$ smbmap -u [username] -p [password] -d [domain] -H [ip_or_hostname]
copy


Locate and download files [R]ecursively up to N levels depth, searching for filename pattern (regex), and excluding certain shares
$ smbmap --host-file [path/to/file] -u [username] -p [password] -q -R --depth [number] --exclude [sharename] -A [filepattern]
copy


Upload file through smb using username and password
$ smbmap -u [username] -p [password] -d [domain] -H [ip_or_hostname] --upload [path/to/file] '[/share_name/remote_filename]'
copy

SYNOPSIS

smbmap [options]

DESCRIPTION

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

OPTIONS

Main arguments:

-H HOST

IP of host

--host-file FILE

File containing a list of hosts

-u USERNAME

Username, if omitted null session assumed

-p PASSWORD

Password or NTLM hash

-s SHARE

Specify a share (default C$), ex 'C$'

-d DOMAIN

Domain name (default WORKGROUP)

-P PORT

SMB port (default 445)

Command Execution:

Options for executing commands on the specified host

-x COMMAND

Execute a command ex. 'ipconfig /all'

Filesystem Search:

Options for searching/enumerating the filesystem of the specified host

-L

List all drives on the specified host

-R [PATH]

Recursively list dirs, and files (no share\path lists ALL shares), ex. 'C$\Finance'

-r [PATH]

List contents of directory, default is to list root of all shares, ex. -r 'C$\Documents and Settings\Administrator\Documents'

-A PATTERN

Define a file name pattern (regex) that auto downloads a file on a match (requires -R or -r), not case sensitive, ex '(web|global).(asax|config)'

-q

Disable verbose output. Only shows shares you have READ/WRITE on, and suppresses file listing when performing a search (-A).

--depth DEPTH

Traverse a directory tree to a specific depth

File Content Search:

Options for searching the content of files

-F PATTERN

File content search, -F '[Pp]assword' (requries admin access to execute commands, and powershell on victim host)

--search-path PATH

Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'

Filesystem interaction:

Options for interacting with the specified host's filesystem

--download PATH

Download a file from the remote system, ex.'C$\temp\passwords.txt'

--upload SRC DST

Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'

--delete PATH TO FILE

Delete a remote file, ex. 'C$\temp\msf.exe'

--skip

Skip delete file confirmation prompt

Optional arguments:

-h, --help

show help message and exit

EXAMPLES

smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

AUTHOR

smbmap was developed by ShawnDEvans <ShawnDEvans@gmail.com>

This manual page was written by Samuel Henrique <samueloph@debian.org> for the Debian project, it was based on smbmap -h output and can be used by other projects as well.

Copied to clipboard