Enumerate Shares (SMB/CIFS)
Enumerate Windows shares and their permissions (see also exploit/windows/shares for tips on exploiting shares).
smbclient
smbclient -L //[HOST]
To find out the permissions on a share, try to connect to it. To authenticate with a null session, do not specify a username and leave the password blank, or add the -N flag.
smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]
Tip
Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.
Result | Description |
---|---|
smb: \> | Connected, you have at least READ access. |
NT_STATUS_ACCESS_DENIED | NO ACCESS |
If connected, try to write a file on the remote file system to check for WRITE access:
smb: \> put test.txt
smb: \> ls test.txt
If successful, don’t forget to remove the file:
smb: \> rm test.txt
net view
net view \\[HOST] /all
To use credentials other than those of the current Windows session, first start a command prompt with the other credentials:
runas /netonly /user:[user] cmd.exe
smbmap
smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]
To authenticate with a null session, do not provide a username or password.
crackmapexec
crackmapexec [HOST/CIDR] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] --shares
Use -u '' -p '' to authenticate with a null session.
Tip
Specify a network range to enumerate shares on multiple hosts or specify a file containing a list of targets.
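From the defender's side, enumeration across a range of hosts as described in the tip above appears as one source touching many shares in a short time. The following is an added example, not part of the original page: it flags such sources in simplified records derived from Windows Security event 5140 ("A network share object was accessed"); the record layout, sample events, function name and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed tuple layout:
# (time, host that logged the event, source IP, account, share name)
EVENTS = [
    ("2024-05-01T10:00:01", "FS01", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\IPC$"),
    ("2024-05-01T10:00:02", "FS01", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\Public"),
    ("2024-05-01T10:00:03", "FS01", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\Data"),
    ("2024-05-01T10:00:04", "FS02", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\IPC$"),
    ("2024-05-01T10:00:05", "FS02", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\Backups"),
    ("2024-05-01T10:00:06", "FS02", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\Public"),
    ("2024-05-01T09:15:00", "FS01", "10.0.0.21", "alice", r"\\*\Data"),
    ("2024-05-01T09:45:00", "FS01", "10.0.0.21", "alice", r"\\*\Data"),
    ("2024-05-01T10:20:00", "FS01", "10.0.0.21", "alice", r"\\*\Data"),
]

def find_share_sweeps(events, window=timedelta(seconds=60), min_targets=4):
    """Flag sources that touch >= min_targets distinct (host, share) pairs
    within `window`. Returns {source_ip: {"targets", "hosts", "anonymous"}}."""
    by_src = defaultdict(list)
    for ts, host, src, account, share in events:
        name = share.rsplit("\\", 1)[-1].upper()   # \\*\IPC$ -> IPC$
        by_src[src].append((datetime.fromisoformat(ts), host, name, account))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            targets = {(h, s) for _, h, s, _ in span}
            if len(targets) >= min_targets and (
                best is None or len(targets) > best["targets"]
            ):
                best = {
                    "targets": len(targets),
                    "hosts": len({h for h, _ in targets}),
                    # Null sessions are logged under the ANONYMOUS LOGON account.
                    "anonymous": any(a.upper() == "ANONYMOUS LOGON"
                                     for _, _, _, a in span),
                }
        if best:
            findings[src] = best
    return findings

if __name__ == "__main__":
    for src, info in find_share_sweeps(EVENTS).items():
        print(src, info)
```

The window and threshold need tuning per environment, since backup servers and file indexers legitimately touch many shares.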