Shares (SMB/CIFS)

Tips to search and find useful information on Windows shares.


smbclient

Provides an interactive SMB shell on the target share that accepts standard file system commands (see the OPERATIONS section of man smbclient for details).

smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]

To authenticate with a null session, do not specify any username or password and leave the password blank, or add the -N flag.

| Command | Description |
|---|---|
| dir, cd, pwd | Standard directory browsing commands. |
| dir <pattern> | List files matching pattern (use *) |
| recurse <ON/OFF> | Set directory recursion for other operations: dir (does not work with a pattern) and mget |
| get <remote file> [local file] | Download a file |
| mget <pattern> | Download files that match pattern (use *) |
| prompt <ON/OFF> | Toggle prompting for filenames during mget operation |
| more <file> | Fetch and read file |

Tip

Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.

smbmap

Provides useful functions to automate the searching process. Do not specify any username or password to authenticate with a null session.

Enumerate all files
smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -R [SHARE] | tee [share.log]

I recommend saving the output to a file and searching it in vim or less. The file location is not displayed on the same line as the file name, so grep on its own is not as useful.
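Because each directory is printed once and its entries follow on separate lines, the saved log can be flattened into one full path per line, after which grep works again. The script below is an added example, not part of smbmap or of the original page; the listing layout, the sample log and the helper names flatten and search are assumptions constructed here.

```python
import re

# Constructed sample, in the layout assumed here for `smbmap -R` output:
# a directory header line ending in \* followed by one entry per line.
SAMPLE_LOG = r"""
[+] IP: 192.0.2.10:445  Name: fileserver.example
    Disk      Permissions  Comment
    ----      -----------  -------
    Data      READ ONLY
    .\Data\*
    dr--r--r--        0 Mon Jan  1 10:00:00 2024  .
    dr--r--r--        0 Mon Jan  1 10:00:00 2024  ..
    dr--r--r--        0 Mon Jan  1 10:00:00 2024  scripts
    fr--r--r--      120 Mon Jan  1 10:00:00 2024  readme.txt
    .\Data\scripts\*
    dr--r--r--        0 Mon Jan  1 10:00:00 2024  .
    fr--r--r--     2048 Mon Jan  1 10:00:00 2024  backup job.ps1
"""

DIR_RE = re.compile(r"^\s*\.\\(.*)\\\*\s*$")        # e.g.  .\Data\scripts\*
ENTRY_RE = re.compile(                               # type+perms, size, date, name
    r"^\s*([df])[rwx-]{9}\s+(\d+)\s+"
    r"\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}\s+(.+?)\s*$"
)

def flatten(log_text):
    """Return (kind, size, full_path) for every file ('f') or directory ('d')."""
    current_dir, rows = None, []
    for line in log_text.splitlines():
        header = DIR_RE.match(line)
        if header:
            current_dir = header.group(1)   # remember where the next entries live
            continue
        entry = ENTRY_RE.match(line)
        if entry and current_dir is not None:
            kind, size, name = entry.groups()
            if name not in (".", ".."):
                rows.append((kind, int(size), current_dir + "\\" + name))
    return rows

def search(rows, pattern):
    """Case-insensitive regex search over the full paths of files only."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [path for kind, _, path in rows if kind == "f" and rx.search(path)]

if __name__ == "__main__":
    for kind, size, path in flatten(SAMPLE_LOG):
        print(f"{kind}\t{size:>8}\t{path}")   # one grep-friendly line per entry
```

smbmap output differs between versions, so check the two regular expressions against a few lines of your own share.log before relying on the result.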

Search & download files
sudo smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -R [SHARE] -q -A [PATTERN]

Recursively browse the share and download all files that match the specified pattern.

Warning

This command always writes downloaded files to the smbmap install location. Thus, it might fail if the user has no permission to write to the install folder (run as root).

crackmapexec

Provides useful functions to automate the searching process. Use -u '' -p '' to authenticate with a null session.