Enumerate Shares (SMB/CIFS)
Enumerate Windows shares and their permissions (see also exploit/windows/shares for tips on exploiting shares).
smbclient -L //[HOST]
To find out the permissions on a share, try to connect to it. Do not specify any username and leave the password blank, or add the -N flag, to authenticate with a null session.
smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]
Connected: you have at least READ access.
If connected, try to write a file on the remote file system to check for WRITE access:
smb: \> put test.txt
smb: \> ls test.txt
If successful, don't forget to remove the file:
smb: \> rm test.txt
net view \\[HOST] /all
In order to use credentials other than the current Windows session, first start a command prompt with other credentials:
runas /netonly /user:[user] cmd.exe
smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]
Do not provide any username or password to authenticate with a null session.
crackmapexec [HOST/CIDR] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] --shares
Use -u '' -p '' to authenticate with a null session.
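From the defender's side, the null-session connections and the put/rm write test described on this page leave traces in Windows file-share auditing. The following is an added example, not part of the original page: it scans records shaped like Security events 5140 and 5145 for both patterns. It assumes the Audit File Share and Audit Detailed File Share policies are enabled; the helper names, the sample records and the 300-second window are constructed for illustration.

```python
# Added example: flag null-session share access and put/rm write probes in
# file-share audit records. Field names follow Security events 5140/5145.
ANON_USERS = {"ANONYMOUS LOGON"}
FILE_WRITE_DATA = 0x2   # access-mask bit: write data to a file
DELETE = 0x10000        # access-mask bit: delete the object

def ev(time, event_id, user, ip, share, path="", mask="0x1"):
    """Build one constructed audit record (time is in epoch seconds)."""
    return {"time": time, "EventID": event_id, "SubjectUserName": user,
            "IpAddress": ip, "ShareName": share,
            "RelativeTargetName": path, "AccessMask": mask}

# Constructed sample data, not taken from a real host.
EVENTS = [
    ev(1000, 5140, "ANONYMOUS LOGON", "10.0.0.50", r"\\*\IPC$"),
    ev(1005, 5140, "alice", "10.0.0.7", r"\\*\Finance"),
    ev(1010, 5145, "svc_scan", "10.0.0.50", r"\\*\Public", "test.txt", "0x2"),
    ev(1012, 5145, "svc_scan", "10.0.0.50", r"\\*\Public", "test.txt", "0x10000"),
    ev(1020, 5145, "alice", "10.0.0.7", r"\\*\Finance", "report.xlsx", "0x2"),
    ev(5000, 5145, "alice", "10.0.0.7", r"\\*\Finance", "report.xlsx", "0x10000"),
]

def find_share_probes(events, window=300):
    """Return (kind, ip, share, path) findings, in time order."""
    findings, writes = [], {}
    for e in sorted(events, key=lambda r: r["time"]):
        key = (e["IpAddress"], e["ShareName"], e["RelativeTargetName"])
        if e["EventID"] == 5140:
            # Share opened by the anonymous (null session) identity.
            if e["SubjectUserName"].upper() in ANON_USERS:
                findings.append(("null-session", *key))
        elif e["EventID"] == 5145:
            mask = int(e["AccessMask"], 16)
            if mask & FILE_WRITE_DATA:
                writes[key] = e["time"]          # remember the write
            elif mask & DELETE and key in writes:
                # Same source deletes the file it just wrote: a write test.
                if e["time"] - writes.pop(key) <= window:
                    findings.append(("write-then-delete", *key))
    return findings

if __name__ == "__main__":
    for finding in find_share_probes(EVENTS):
        print(finding)
```

Applications that create and remove temporary files on a share will also match the write-then-delete rule, so treat hits as leads for review and correlate them with the source address.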