Enumerate Shares (SMB/CIFS)

Enumerate Windows shares and their permissions (see also exploit/windows/shares for tips on exploiting shares).


smbclient -L //[HOST]

In order to find out a share permission, try to connect to the desired share. Do not specify any username and leave the password blank or add the -N flag to authenticate with a null session.



Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.

Result Description
smb: \> Connected, you have at least READ access.

If connected, try to write a file on the remote file system to check for WRITE access:

smb: \> put test.txt
smb: \> ls test.txt

If successful, don’t forget to remove the file:

smb: \> rm test.txt

net view

net view \\[HOST] /all

In order to use credentials other than the current Windows session, first start a command prompt with other credentials:

runas /netonly /user:[user] cmd.exe


smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]

Do not provide any username or password to authenticate with a null session.


crackmapexec [HOST/CIDR] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] --shares

Use -u '' -p '' to authenticate with a null session.


Specify a network range to enumerate shares on multiple hosts or specify a file containing a list of targets.