
SMBMap

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

Source: https://github.com/ShawnDEvans/smbmap


Examples:

$ smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1

$ smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20

$ smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

smbmap Usage Examples

Check for shares on the specified host with the username and password provided.

root@kali:~# smbmap -u victim -p s3cr3t -H 192.168.86.61
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.168.86.61...
[+] IP: 192.168.86.61:445   Name: win7-x86.lan
    Disk                                                  Permissions
    ----                                                  -----------
    ADMIN$                                                NO ACCESS
    C$                                                    NO ACCESS
    IPC$                                                  NO ACCESS
    Users                                                 READ ONLY

Find a NULL Session

$ ./smbmap.py --host-file smb-hosts.txt

Command arguments:

--host-file: file containing a list of hosts, one host/IP per line

Locate and Download Potentially Sensitive Files

$ ./smbmap.py --host-file smb-hosts.txt -u 'jsmith' -p 'Spring!2020' -q -R --depth 2 --exclude ADMIN$ IPC$ -A 'passw'

Command arguments:

--host-file: file containing a list of hosts, one host/IP per line.

-u: account to authenticate with

-p: password for account

-q: quiet the verbosity of the output, excludes shares with “no access” or listing drive contents when performing a search

-R: perform a recursive search

--depth: recursive traversal depth, avoid the rabbit holes

--exclude: exclude specific shares that rarely contain interesting files

-A: auto download flag that uses a regular expression pattern to match against filenames

Compromise a Web Server

$ ./smbmap.py --host-file smb-hosts.txt -u 'jsmith' -p 'Spring!2020' -d 'ACME' -q -R --depth 3 --exclude ADMIN$ IPC$ -A '(web|server|global|index|login|logout|auth|httpd|config).(xml|config|conf|asax|aspx|php|asp|jsp|html)'

Command arguments:

--host-file: file containing a list of hosts, one host/IP per line.

-u: account to authenticate with

-p: password for account

-q: quiet the verbosity of the output, excludes shares with “no access” or listing drive contents when performing a search

-R: perform a recursive search

--depth: recursive traversal depth, avoid the rabbit holes

--exclude: exclude specific shares that rarely contain interesting files

-A: auto download flag that uses a regular expression pattern to match against filenames
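The -A flag in this section and in "Locate and Download Potentially Sensitive Files" above takes a regular expression that is matched against file names. The following example is added here and is not smbmap's own code or part of the original page: it shows which of a constructed set of file names the page's pattern selects, and it assumes the match is a case-insensitive re.search on the bare file name (the help text only says "not case sensitive"). The point worth seeing is that the '.' in the page's pattern is unescaped, so it matches any single character; a tightened pattern with a literal '\.' and an end anchor is shown alongside, together with the file it no longer catches.

```python
import re
from typing import List

# Constructed file names, as a recursive share listing (-R) might return them;
# not taken from any real host.
SAMPLE_FILES = [
    "web.config",
    "Global.asax",
    "index.html",
    "web.config.bak",           # only the loose pattern selects this one
    "login_html_backup.txt",    # unescaped '.' lets '_' act as the separator
    "Server_Config_2020.docx",  # same: 'server' + '_' + 'config'
    "httpd.conf",
    "notes.txt",
]

# The pattern exactly as given on this page (dot unescaped).
PAGE_PATTERN = (
    r"(web|server|global|index|login|logout|auth|httpd|config)"
    r".(xml|config|conf|asax|aspx|php|asp|jsp|html)"
)

# Tightened version: literal dot and end anchor, so only "<name>.<ext>" files qualify.
TIGHT_PATTERN = (
    r"(web|server|global|index|login|logout|auth|httpd|config)"
    r"\.(xml|config|conf|asax|aspx|php|asp|jsp|html)$"
)


def auto_download_matches(pattern: str, filenames: List[str]) -> List[str]:
    """Return the file names a given -A pattern would select.

    Assumption (not verified against smbmap's source): the pattern is applied with
    re.search and re.IGNORECASE to the file name alone, not to the full share path.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [name for name in filenames if rx.search(name)]


if __name__ == "__main__":
    for label, pattern in (("page", PAGE_PATTERN), ("tight", TIGHT_PATTERN)):
        print(f"{label}: {auto_download_matches(pattern, SAMPLE_FILES)}")
```

The loose pattern selects seven of the eight names, including the Word document and the backup text file; the anchored pattern selects only the four genuine configuration and page files, at the cost of missing "web.config.bak". Which trade-off is right depends on whether the goal is a targeted pull or a broad sweep; the same consideration applies when tuning a file-access alert on the server side, where an over-broad pattern produces noise rather than downloads.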

Checking SMB Share Permissions

$ ./smbmap.py --host-file test.txt -u administrator -p asdf1234 -q

Command arguments:

--host-file: file containing a list of hosts, one host/IP per line

-u: account to authenticate with

-p: password for account

-q: quiet the verbosity of the output, excludes shares with “no access” or listing drive contents when performing a search
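Both the first usage example above and this permission check produce the same per-host table of share names and permissions. The script below is an added example, not part of smbmap or of this page, that turns that table into structured data so the result of a scan across many hosts can be reviewed or diffed rather than read by eye. Its input is a constructed sample in the layout shown above (the "Public" share is added to show a writable share being flagged); the regular expressions assume share names contain no spaces, and the function and constant names are mine.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout smbmap prints; not captured from a real host.
SAMPLE_OUTPUT = """\
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.168.86.61...
[+] IP: 192.168.86.61:445   Name: win7-x86.lan
    Disk                                                  Permissions
    ----                                                  -----------
    ADMIN$                                                NO ACCESS
    C$                                                    NO ACCESS
    IPC$                                                  NO ACCESS
    Users                                                 READ ONLY
    Public                                                READ, WRITE
"""

# Host banner: "[+] IP: <ip>:<port>   Name: <hostname>"
HOST_RE = re.compile(r"^\[\+\] IP: (?P<ip>[\d.]+):(?P<port>\d+)\s+Name: (?P<name>\S+)")
# Share row: indented share name, two or more spaces, upper-case permission text.
# The "Disk/Permissions" header and the dashed rule do not match this shape.
SHARE_RE = re.compile(r"^\s+(?P<share>\S+)\s{2,}(?P<perm>[A-Z][A-Z, ]*?)\s*$")

# Administrative shares that exist on every Windows host; access to them is
# expected for administrators and is not the finding this report is after.
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def parse_smbmap(text: str) -> Dict[str, dict]:
    """Parse smbmap output into {ip: {"name", "port", "shares": {share: permission}}}."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(
                m["ip"], {"name": m["name"], "port": int(m["port"]), "shares": {}}
            )
            continue
        m = SHARE_RE.match(line)
        if m and current is not None:
            current["shares"][m["share"]] = m["perm"]
    return hosts


def accessible_shares(hosts: Dict[str, dict], ignore=ADMIN_SHARES) -> List[Tuple[str, str, str]]:
    """List (ip, share, permission) for shares the tested account can reach,
    skipping the default administrative shares. Writable shares come first,
    since a low-privilege account with write access is the result to act on."""
    rows = [
        (ip, share, perm)
        for ip, host in hosts.items()
        for share, perm in host["shares"].items()
        if perm != "NO ACCESS" and share not in ignore
    ]
    return sorted(rows, key=lambda row: "WRITE" not in row[2])


if __name__ == "__main__":
    parsed = parse_smbmap(SAMPLE_OUTPUT)
    print(json.dumps(parsed, indent=2))
    for ip, share, perm in accessible_shares(parsed):
        print(f"{ip}\t{share}\t{perm}")
```

Run smbmap with its output redirected to a file and feed that file to parse_smbmap; the JSON it emits can be stored per scan and compared between runs, so a share that changes from READ ONLY to READ, WRITE shows up as a diff instead of being missed in a long listing.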

Uploading a File

$ ./smbmap.py -H 192.168.86.20 -u 'administrator' -p 'asdf1234' --upload websell.php 'htdocs\nopsec.php'

Command arguments:

-H: IP address of target host

-u: account to authenticate with

-p: password for account

-d: domain to authenticate against

--upload: specify the local source and remote destination of the file being uploaded

Perform a File Content Search

$ sudo ./smbmap.py --host-file test.txt -u administrator -p asdf1234 -F password

Command arguments:

--host-file: file containing a list of hosts, one host/IP per line.

-u: account to authenticate with

-p: password for account

-F: regular expression pattern to search for in files

Complete Options:

root@kali:~# smbmap -h
usage: smbmap.py [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD]
                 [-s SHARE] [-d DOMAIN] [-P PORT] [-x COMMAND] [-L | -R [PATH]
                 | -r [PATH]] [-A PATTERN] [-q] [-F PATTERN]
                 [--search-path PATH] [--download PATH] [--upload SRC DST]
                 [--delete PATH TO FILE] [--skip]

SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com

optional arguments:
  -h, --help            show this help message and exit

Main arguments:
  -H HOST               IP of host
  --host-file FILE      File containing a list of hosts
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password or NTLM hash
  -s SHARE              Specify a share (default C$), ex 'C$'
  -d DOMAIN             Domain name (default WORKGROUP)
  -P PORT               SMB port (default 445)

Command Execution:
  Options for executing commands on the specified host

  -x COMMAND            Execute a command ex. 'ipconfig /all'

Filesystem Search:
  Options for searching/enumerating the filesystem of the specified host

  -L                    List all drives on the specified host
  -R [PATH]             Recursively list dirs, and files (no share\path lists
                        ALL shares), ex. 'C$\Finance'
  -r [PATH]             List contents of directory, default is to list root of
                        all shares, ex. -r 'C$\Documents and
                        Settings\Administrator\Documents'
  -A PATTERN            Define a file name pattern (regex) that auto downloads
                        a file on a match (requires -R or -r), not case
                        sensitive, ex '(web|global).(asax|config)'
  -q                    Disable verbose output. Only shows shares you have
                        READ/WRITE on, and supresses file listing when
                        performing a search (-A).

File Content Search:
  Options for searching the content of files

  -F PATTERN            File content search, -F '[Pp]assword' (requies admin
                        access to execute commands, and powershell on victim
                        host)
  --search-path PATH    Specify drive/path to search (used with -F, default
                        C:\Users), ex 'D:\HR\'

Filesystem interaction:
  Options for interacting with the specified host's filesystem

  --download PATH       Download a file from the remote system,
                        ex.'C$\temp\passwords.txt'
  --upload SRC DST      Upload a file to the remote system ex.
                        '/tmp/payload.exe C$\temp\payload.exe'
  --delete PATH TO FILE
                        Delete a remote file, ex. 'C$\temp\msf.exe'
  --skip                Skip delete file confirmation prompt