Shares (SMB/CIFS)
Tips to search and find useful information on Windows shares.
smbclient
Provides an interactive SMB shell on the target share that accepts standard file system commands (see the OPERATIONS section of man smbclient for details).
smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]
To authenticate with a null session, do not specify any username or password and leave the password blank, or add the -N flag.
Command | Description |
---|---|
dir , cd , pwd | Standard directory browsing commands. |
dir <pattern> | List files matching pattern (use *) |
recurse <ON/OFF> | Set recursion for other operations: dir (does not work with a pattern) and mget |
get <remote file> [local file] | Download a file |
mget <pattern> | Download files that match pattern (use *) |
prompt <ON/OFF> | Toggle prompting for filenames during mget operation |
more <file> | Fetch and read file |
Tip
Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.
smbmap
Provides useful functions to automate the searching process. Do not specify any username or password to authenticate with a null session.
Enumerate all files
smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -R [SHARE] | tee [share.log]
I recommend saving the output to a file and performing search operations within vim or less. The file location is not displayed on the same line as the file name, so grep is not as useful.
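Added example (not part of smbmap or of the original page): a small Python filter that rewrites a saved listing so each entry carries its full path on one line, which makes grep usable again. The layout it parses (a `.\share\dir\*` header followed by permission/size/date/name rows) is an assumption about the -R output and may differ between smbmap versions; the sample listing and the names `flatten_listing` and `flatten.py` are constructed.

```python
import re
import sys

# Assumed smbmap -R layout: a directory header such as ".\Docs\IT\*" ...
DIR_RE = re.compile(r"^\s*\.\\(?P<dir>.*?)\\+\*\s*$")
# ... followed by entry rows: permissions, size, timestamp, name.
ENTRY_RE = re.compile(
    r"^\s*(?P<perm>[df][rwx-]{9})\s+(?P<size>\d+)\s+"
    r"\w{3} \w{3}\s+\d+ [\d:]+ \d{4}\s+(?P<name>.+?)\s*$"
)

# Constructed sample listing (not real output from any host).
ROW = "                0 Mon Jan 01 10:00:00 2024\t"
SAMPLE = "\n".join([
    "[+] IP: 192.0.2.10:445\tName: fileserver.example",
    "\tDocs\tREAD ONLY\t",
    "\t.\\Docs\\*",
    "\tdr--r--r--" + ROW + ".",
    "\tdr--r--r--" + ROW + "..",
    "\tdr--r--r--" + ROW + "IT",
    "\tfr--r--r--             1024 Mon Jan 01 10:00:00 2024\treadme.txt",
    "\t.\\Docs\\IT\\*",
    "\tdr--r--r--" + ROW + ".",
    "\tfr--r--r--              512 Mon Jan 01 10:00:00 2024\tbackup notes.txt",
])


def flatten_listing(text):
    """Return (kind, size, full_path) for every entry, one tuple per entry."""
    current_dir, rows = None, []
    for line in text.splitlines():
        header = DIR_RE.match(line)
        if header:
            # Normalise doubled separators and remember where we are.
            current_dir = "\\".join(p for p in header.group("dir").split("\\") if p)
            continue
        entry = ENTRY_RE.match(line)
        if not entry or current_dir is None or entry.group("name") in (".", ".."):
            continue
        kind = "dir" if entry.group("perm").startswith("d") else "file"
        rows.append((kind, int(entry.group("size")), current_dir + "\\" + entry.group("name")))
    return rows


if __name__ == "__main__":
    # Usage: python flatten.py share.log | grep -i <pattern>
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for kind, size, path in flatten_listing(text):
        print(f"{kind}\t{size}\t{path}")
```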
Search & download files
sudo smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -R [SHARE] -q -A [PATTERN]
Recursively browse the share and download all files that match the specified pattern.
Warning
This command always writes downloaded files to the smbmap install location. Thus, it might fail if the user has no permission to write to the install folder (run as root).
crackmapexec
Provides useful functions to automate the searching process. Use -u '' -p '' to authenticate with a null session.