Enumerate Shares (SMB/CIFS)

Enumerate Windows shares and their permissions (see also exploit/windows/shares for tips on exploiting shares).


smbclient

smbclient -L //[HOST]

To determine your permissions on a share, try connecting to it. To authenticate with a null session, do not specify a username and leave the password blank, or add the -N flag.

smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]

Tip

Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.

Result                     Description
smb: \>                    Connected, you have at least READ access.
NT_STATUS_ACCESS_DENIED    No access.

If connected, try to write a file on the remote file system to check for WRITE access:

smb: \> put test.txt
smb: \> ls test.txt

If successful, don’t forget to remove the file:

smb: \> rm test.txt
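
The put/ls/rm check above, scripted for auditing which shares on a server you administer accept a null session. This is an added example, not part of the original page: the function names, the sample transcripts and the assumed wording of smbclient's error lines are constructed for illustration and may differ between Samba versions.

```python
import re
import subprocess

PROBE = "test.txt"  # same probe file as the manual steps; must exist in the working directory

def classify(transcript: str) -> dict:
    """Turn smbclient output for 'put; ls; rm' into an access level."""
    errors = re.findall(r"NT_STATUS_\w+", transcript)
    # Assumption: connection-level failures read '... failed ... NT_STATUS_x',
    # while per-command errors start with the status code.
    if re.search(r"failed.*NT_STATUS_\w+", transcript):
        return {"access": "NONE", "leftover": False, "errors": errors}
    wrote = re.search(r"^putting file ", transcript, re.M) is not None
    # Write succeeded but delete failed: the probe file is still on the share.
    leftover = wrote and re.search(r"NT_STATUS_\w+ deleting remote file", transcript) is not None
    return {"access": "WRITE" if wrote else "READ", "leftover": leftover, "errors": errors}

def audit_null_session(host: str, share: str) -> dict:
    """Run the probe over a null session (-N) against a share you administer."""
    cmd = ["smbclient", f"//{host}/{share}", "-N",
           "-c", f"put {PROBE}; ls {PROBE}; rm {PROBE}"]
    done = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return classify(done.stdout + done.stderr)

# Constructed transcripts (not captured from a real server).
SAMPLE_DENIED = "tree connect failed: NT_STATUS_ACCESS_DENIED\n"
SAMPLE_READONLY = (
    "NT_STATUS_ACCESS_DENIED opening remote file \\test.txt\n"
    "NT_STATUS_NO_SUCH_FILE listing \\test.txt\n"
    "NT_STATUS_OBJECT_NAME_NOT_FOUND deleting remote file \\test.txt\n"
)
SAMPLE_WRITE = (
    "putting file test.txt as \\test.txt (0.5 kb/s) (average 0.5 kb/s)\n"
    "  test.txt      A        5  Mon Jan  1 00:00:00 2024\n"
)
# Share that allows create but not delete: the probe file stays behind.
SAMPLE_LEFTOVER = SAMPLE_WRITE + "NT_STATUS_ACCESS_DENIED deleting remote file \\test.txt\n"

if __name__ == "__main__":
    for name, text in [("denied", SAMPLE_DENIED), ("read-only", SAMPLE_READONLY),
                       ("writable", SAMPLE_WRITE), ("leftover", SAMPLE_LEFTOVER)]:
        print(name, classify(text))
```

A result with leftover set to True means the probe file could not be deleted and has to be removed by an account with delete rights.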

net view

net view \\[HOST] /all

To use credentials other than those of the current Windows session, first start a command prompt with the other credentials:

runas /netonly /user:[user] cmd.exe

smbmap

smbmap.py -H [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]

To authenticate with a null session, omit the username and password.

crackmapexec

crackmapexec [HOST/CIDR] -u [USERNAME] -p [PASSWORD] -d [DOMAIN] --shares

Use -u '' -p '' to authenticate with a null session.

Tip

Specify a network range to enumerate shares on multiple hosts or specify a file containing a list of targets.