Linux cli command smbmap

A Linux man page (short for manual page) is a form of software documentation found on Linux and Unix-like operating systems. This man page explains the command smbmap and provides detailed information about it, including usage, options, and examples. You can access this man page by typing man followed by smbmap.

NAME

smbmap - SMB enumeration tool

SYNOPSIS

smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN] [-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE] [-L | -r [PATH]] [-g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-A PATTERN] [-F PATTERN] [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH_TO_FILE] [--skip]

DESCRIPTION

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

OPTIONS

Main arguments:

-H HOST
IP or FQDN

--host-file FILE
File containing a list of hosts

-u USERNAME, --username USERNAME
Username, if omitted null session assumed

-p PASSWORD, --password PASSWORD
Password or NTLM hash, format is LMHASH:NTHASH

--prompt
Prompt for a password

-s SHARE
Specify a share (default C$), ex 'C$'

-d DOMAIN
Domain name (default WORKGROUP)

-P PORT
SMB port (default 445)

-v, --version
Return the OS version of the remote host

--signing
Check if host has SMB signing disabled, enabled, or required

--admin
Just report if the user is an admin

--no-banner
Removes the banner from the top of the output

--no-color
Removes the color from output

--no-update
Removes the "Working on it" message

--timeout SCAN_TIMEOUT
Set port scan socket timeout. Default is .5 seconds

Kerberos settings:

-k, --kerberos
Use Kerberos authentication

--no-pass
Use CCache file (export KRB5CCNAME='~/current.ccache')

--dc-ip IP or Host
IP or FQDN of DC

Command Execution:

Options for executing commands on the specified host

-x COMMAND
Execute a command ex. 'ipconfig /all'

--mode CMDMODE
Set the execution method, wmi or psexec, default wmi

Options for searching/enumerating the filesystem of the specified host

-L
List all drives on the specified host, requires ADMIN rights.

-r [PATH]
Recursively list dirs and files (no share\path lists the root of ALL shares), ex. 'email/backup'

-g FILE
Output to a file in a grep friendly format, used with -r (otherwise it outputs nothing), ex -g grep_out.txt

--csv FILE
Output to a CSV file, ex --csv shares.csv

--dir-only
List only directories, omit files

--no-write-check
Skip check to see if drive grants WRITE access

-q
Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search (-A).

--depth DEPTH
Traverse a directory tree to a specific depth. Default is 1 (root node).

--exclude SHARE [SHARE ...]
Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$

-A PATTERN
Define a file name pattern (regex) that auto downloads a file on a match (requires -r), not case sensitive, ex '(web|global).(asax|config)'

Options for searching the content of files (must run as root), kind of experimental

-F PATTERN
File content search, -F '[Pp]assword' (requires admin access to execute commands, and powershell on victim host)

--search-path PATH
Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'

--search-timeout TIMEOUT
Specify a timeout (in seconds) before the file search job gets killed. Default is 300 seconds

Filesystem interaction:

Options for interacting with the specified host’s filesystem

--download PATH
Download a file from the remote system, ex. 'C$\temp\passwords.txt'

--upload SRC DST
Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'

--delete PATH_TO_FILE
Delete a remote file, ex. 'C$\temp\msf.exe'

--skip
Skip delete file confirmation prompt

EXAMPLES:

smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
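
The -A option described under OPTIONS matches file names with a case-insensitive regex, and the sample pattern given there leaves its dot unescaped. The following added example (not part of the original man page or of smbmap) runs that pattern over a constructed listing to show which files on a share it would select, useful when auditing what your own shares expose. Unanchored matching and the names STRICT_PATTERN, SAMPLE_LISTING, file_name and audit are assumptions of this example.

```python
import re

# The page's own example for -A; the "." is an unescaped regex wildcard.
PAGE_PATTERN = r"(web|global).(asax|config)"
# Stricter form for an audit: literal dot, whole file name must match.
STRICT_PATTERN = r"(web|global)\.(asax|config)"

# Constructed listing of share paths (sample data, not real tool output).
SAMPLE_LISTING = [
    r"wwwroot\Web.config",
    r"wwwroot\Global.asax",
    r"wwwroot\web.config.bak",
    r"deploy\webXconfig.txt",
    r"docs\readme.txt",
    r"wwwroot\GLOBAL.ASAX.CS",
]


def file_name(path):
    """Return the last component of a backslash- or slash-separated path."""
    return re.split(r"[\\/]", path)[-1]


def audit(listing, pattern=PAGE_PATTERN, strict=STRICT_PATTERN):
    """Split a listing into exact config files and looser matches.

    Assumption: the pattern is applied case-insensitively and unanchored
    to the file name; the page states only "regex" and "not case sensitive".
    """
    loose_re = re.compile(pattern, re.IGNORECASE)
    strict_re = re.compile(strict, re.IGNORECASE)
    exact, loose = [], []
    for path in listing:
        name = file_name(path)
        if strict_re.fullmatch(name):
            exact.append(path)      # exactly web/global .asax/.config
        elif loose_re.search(name):
            loose.append(path)      # backups, copies, wildcard-dot hits
    return exact, loose


if __name__ == "__main__":
    exact, loose = audit(SAMPLE_LISTING)
    print("exact:", exact)
    print("loose:", loose)
```

The loose list is the part worth reviewing: backup copies and renamed variants of configuration files match the pattern even though they are not the live files.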

AUTHOR

smbmap was developed by ShawnDEvans <[email protected]>

This manual page was written by Samuel Henrique <[email protected]> for the Debian project, it was based on smbmap -h output and can be used by other projects as well.
