Tips to search and find useful information on Windows shares.
Provides an interactive SMB shell on the target share accepting standard file system commands (
man smbclient section
OPERATIONS for details).
smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]
Do not specify any username or password and leave the password blank or add the
-N flag to authenticate with a null session.
||Standard directory browsing commands.|
||List files matching pattern (use *)|
||Set file recursion for other operations (
||Download a file|
||Download files that match pattern (use *)|
||Toggle prompting for filenames during
||Fetch and read file|
–pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.
Provides useful functions to automate the searching process. Do not specify any username or password to authenticate with a null session.
Enumerate all files
smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -R [SHARE] | tee [share.log]
I recommend to save the output to a file and perform search operations within
less. In fact, the file location is not displayed on the same line as the file name so
grep is not as useful.
Search & download files
sudo smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -R [SHARE] -q -A [PATTERN]
Recursively browse the share and download all files that match the specified pattern.
This command always write downloaded file to
smbmap install location. Thus, it might fails if the user has no permission to write to the install folder (run as root).
Provides useful functions to automate the searching process. Use
-u '' -p '' to authenticate with a null session.