LinuxCommandLibrary

smbmap

Enumerate SMB shares and related information

TLDR

Enumerate hosts with NULL sessions enabled and open shares

$ smbmap --host-file [path/to/file]

Display SMB shares and permissions on a host, prompting for the user's password or NTLM hash
$ smbmap [[-u|--username]] [username] --prompt -H [ip]

Execute a shell command on a remote system
$ smbmap [[-u|--username]] [username] --prompt -H [ip] -x [command]

Enumerate hosts and check SMB file permissions
$ smbmap --host-file [path/to/file] [[-u|--username]] [username] [[-p|--password]] [password] -q

Connect to an IP or hostname through SMB using a username and password
$ smbmap [[-u|--username]] [username] [[-p|--password]] [password] -d [domain] -H [ip_or_hostname]

Locate and download files [R]ecursively up to N levels deep, matching a filename pattern (regex) and excluding certain shares
$ smbmap --host-file [path/to/file] [[-u|--username]] [username] [[-p|--password]] [password] -q -R --depth [number] --exclude [sharename] -A [filepattern]

Upload a file through SMB using a username and password
$ smbmap [[-u|--username]] [username] [[-p|--password]] [password] -d [domain] -H [ip_or_hostname] --upload [path/to/file] '[/share_name/remote_filename]'

Display SMB shares and recursively list directories and files, searching for file content matching a regex
$ smbmap [[-u|--username]] [username] --prompt -H [ip] -R -F [pattern]

SYNOPSIS

smbmap [OPTIONS] TARGET
smbmap [OPTIONS] -H TARGETS_FILE

PARAMETERS

TARGET
    The IP address or hostname of the target SMB server to scan.

-H TARGETS_FILE, --host-file TARGETS_FILE
    Specifies a file containing a list of target IP addresses or hostnames, one per line, to scan.

-u USERNAME, --user USERNAME
    Provides the username for authentication to the SMB server. If omitted, a NULL session (anonymous) attempt is made.

-p PASSWORD, --password PASSWORD
    Specifies the password for authentication. If omitted and a username is provided, it prompts for the password or attempts a blank password.

-d DOMAIN, --domain DOMAIN
    Specifies the domain for authentication (e.g., WORKGROUP or a specific Windows domain).

-P PORT, --port PORT
    Sets the destination TCP port for the SMB connection (default is 445).

-r, --recursive
    Recursively lists the contents of identified readable shares. This can be time-consuming on large shares.

-R SHARE, --recursive-share SHARE
    Recursively lists the contents of a specific share, rather than all shares.

-s SHARE, --share SHARE
    Specifies a particular share to interact with (e.g., for file operations or command execution) instead of listing all shares.

-x COMMAND, --exec COMMAND
    Attempts to execute a specified command on a writeable share. This often requires write permissions and might use methods like WMIC or psexec-like functionality for remote execution.

-U LOCAL_PATH, --upload LOCAL_PATH
    Specifies the local path of a file to upload to the remote SMB share. Requires -s and -D.

-D REMOTE_PATH, --download REMOTE_PATH
    Specifies the remote path of a file to download from the SMB share, or the remote destination for an upload. Requires -s and -U (for upload) or a local destination for download.

-q, --quiet
    Suppresses output messages, displaying only critical information or errors.

-v, --verbose
    Increases the verbosity level of output, providing more detailed information about the scan process.

DESCRIPTION

smbmap is a powerful Python-based tool designed for enumerating and interacting with Server Message Block (SMB) shares on remote hosts. It provides a quick and efficient way to identify accessible shares, determine their permissions (read, write, list), and perform various operations like listing directory contents, downloading files, uploading files, and executing commands (if writeable shares allow).

Often utilized in network reconnaissance and penetration testing, smbmap helps security professionals and administrators discover exposed data or potential vulnerabilities related to misconfigured SMB shares. It supports authentication via username/password, domain credentials, and can be used to scan single targets or multiple targets from a file. Its straightforward interface makes it a go-to utility for gaining initial insights into SMB services on a network.

CAVEATS

Firewall rules or network access controls on the target system can prevent smbmap from successfully connecting or enumerating shares.
Authentication attempts, especially brute-force or spraying, can lead to account lockouts on the target domain.
The command execution functionality (-x) relies on specific conditions, such as writeable shares and potentially the availability of certain remote execution methods, which might not always be present or allowed.
Antivirus or intrusion detection systems (IDS/IPS) may flag smbmap's activity as suspicious, especially during extensive scans or attempts at command execution.
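
The last caveat, sketched from the monitoring side as an added example (not part of smbmap or of the original page): a sliding-window check that flags a client touching shares on several servers in a short time. It assumes records shaped like Windows Security event 5140 (client IpAddress and ShareName); the sample records, host names, thresholds and the function name find_share_sweeps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, not real logs: (time, logging server, client IpAddress,
# ShareName), the fields a Windows Security event 5140 record carries.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "fs01", "10.0.0.50", r"\\*\IPC$"),
    ("2024-05-01T10:00:02", "fs01", "10.0.0.50", r"\\*\ADMIN$"),
    ("2024-05-01T10:00:02", "fs01", "10.0.0.50", r"\\*\C$"),
    ("2024-05-01T10:00:09", "fs02", "10.0.0.50", r"\\*\IPC$"),
    ("2024-05-01T10:00:10", "fs02", "10.0.0.50", r"\\*\Finance"),
    ("2024-05-01T10:00:21", "dc01", "10.0.0.50", r"\\*\SYSVOL"),
    ("2024-05-01T10:00:22", "dc01", "10.0.0.50", r"\\*\C$"),
    # Ordinary client: one server, one share, hours apart.
    ("2024-05-01T09:15:00", "fs01", "10.0.0.23", r"\\*\Finance"),
    ("2024-05-01T13:40:00", "fs01", "10.0.0.23", r"\\*\Finance"),
]
ADMIN_SHARES = {"ADMIN$", "C$"}


def find_share_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag clients touching shares on >= min_hosts servers within `window`."""
    by_client = defaultdict(list)
    for ts, server, client, share in events:
        name = share.rsplit("\\", 1)[-1].upper()  # \\*\C$ -> C$
        by_client[client].append((datetime.fromisoformat(ts), server, name))

    findings = {}
    for client, rows in by_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge until the span fits inside the time window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = sorted({server for _, server, _ in span})
            busiest = findings.get(client, {}).get("events", 0)
            if len(hosts) >= min_hosts and len(span) > busiest:
                admin = sum(1 for _, _, share in span if share in ADMIN_SHARES)
                findings[client] = {"hosts": hosts, "events": len(span),
                                    "admin_share_hits": admin}
    return findings


if __name__ == "__main__":
    for client, info in find_share_sweeps(SAMPLE_EVENTS).items():
        print(client, info)
```

The window and host threshold need tuning against normal traffic; backup servers and management hosts legitimately touch many shares and belong on an allowlist.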

PERMISSIONS DISPLAY

smbmap clearly indicates the permissions for each discovered share, typically showing 'READ', 'WRITE', and 'LIST' capabilities. This immediate visual feedback helps users quickly assess potential data exposure or opportunities for interaction.

FILE OPERATIONS

Beyond mere enumeration, smbmap provides direct capabilities for file interaction. Users can download specific files from readable shares using the -D option, or upload files to writeable shares using the -U option, facilitating data exfiltration or payload delivery.

REMOTE COMMAND EXECUTION

When specific conditions are met on a writeable share (e.g., misconfigurations allowing certain remote service interactions), smbmap can attempt to execute arbitrary commands on the target system using the -x option. This feature is highly potent for gaining a foothold or further compromising a system.

HISTORY

smbmap is part of the impacket library, a powerful collection of Python classes developed by SecureAuth (formerly Core Security). impacket focuses on providing programmatic access to network protocols, particularly SMB/MIME, and has become a staple in the cybersecurity community for network penetration testing, forensics, and vulnerability research. smbmap itself emerged as a dedicated tool for SMB share enumeration, building upon impacket's robust SMB protocol implementation. Its development has been driven by the need for a reliable and flexible utility to quickly assess the security posture of SMB services.

SEE ALSO

smbclient(1), nmblookup(1), enum4linux(1), crackmapexec(1), rpcclient(1)
