
SMBMAP(1) User Commands SMBMAP(1)

NAME

smbmap - SMB enumeration tool

SYNOPSIS

smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN] [-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE] [-L | -r [PATH]] [-g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-A PATTERN] [-F PATTERN] [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH TO FILE] [--skip]

DESCRIPTION

SMBMap allows users to enumerate samba share drives across an entire domain. It can list share drives, drive permissions and share contents, upload and download files, auto-download files whose names match a pattern, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

OPTIONS

Main arguments:

IP or FQDN
File containing a list of hosts
Username, if omitted null session assumed
Password or NTLM hash, format is LMHASH:NTHASH
Prompt for a password
Specify a share (default C$), ex 'C$'
Domain name (default WORKGROUP)
SMB port (default 445)
Return the OS version of the remote host
Check if host has SMB signing disabled, enabled, or required
Just report if the user is an admin
Removes the banner from the top of the output
Removes the color from output
Removes the "Working on it" message
Set port scan socket timeout. Default is 0.5 seconds

Kerberos settings:

Use Kerberos authentication
Use CCache file (export KRB5CCNAME='~/current.ccache')
IP or FQDN of DC

Command Execution:

Options for executing commands on the specified host
Execute a command ex. 'ipconfig /all'
Set the execution method, wmi or psexec, default wmi

Share drive Search:

Options for searching/enumerating the filesystem of the specified host
List all drives on the specified host, requires ADMIN rights.
Recursively list dirs and files (no share\path lists the root of ALL shares), ex. 'email/backup'
Output to a file in a grep friendly format, used with -r (otherwise it outputs nothing), ex -g grep_out.txt
Output to a CSV file, ex --csv shares.csv
List only directories, omit files
Skip check to see if drive grants WRITE access
Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search (-A).
Traverse a directory tree to a specific depth. Default is 1 (root node).
Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$
Define a file name pattern (regex) that auto downloads a file on a match (requires -r), not case sensitive, ex '(web|global).(asax|config)'

File Content Search:

Options for searching the content of files (must run as root), kind of experimental
File content search, -F '[Pp]assword' (requires admin access to execute commands, and powershell on victim host)
Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'
Specify a timeout (in seconds) before the file search job gets killed. Default is 300 seconds

Filesystem interaction:

Options for interacting with the specified host's filesystem
Download a file from the remote system, ex.'C$\temp\passwords.txt'
Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'
Delete a remote file, ex. 'C$\temp\msf.exe'
Skip delete file confirmation prompt

EXAMPLES

smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
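As an added example (not part of the smbmap manual or its source), a small Python helper that checks how a -p value would be read (plaintext password versus an LMHASH:NTHASH pair, flagging the empty LM hash used in the second example above) and previews which file names an -A pattern would auto-download. It assumes case-insensitive search semantics for -A and uses constructed sample file names.

```python
import re

# -p accepts either a plaintext password or an NTLM pair "LMHASH:NTHASH",
# each half being 32 hex characters (see the OPTIONS section).
_HASH_PAIR = re.compile(r"^([0-9a-fA-F]{32}):([0-9a-fA-F]{32})$")

# LM hash of the empty string. When the LM half equals this value the host
# stored no usable LM hash (LM hashing is disabled on modern Windows), so
# only the NT half carries any secret.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def classify_secret(secret):
    """Return how smbmap would treat a -p value: a hash pair or a password."""
    m = _HASH_PAIR.match(secret)
    if not m:
        return {"kind": "password"}
    lm, nt = (h.lower() for h in m.groups())
    return {"kind": "hash", "lm": lm, "nt": nt, "lm_empty": lm == EMPTY_LM}


def matching_files(pattern, names):
    """File names an -A pattern would auto-download.

    Assumption: the pattern is applied with re.search and IGNORECASE, which
    matches the 'not case sensitive' wording in the manual.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [n for n in names if rx.search(n)]


# Pattern exactly as given in the manual; its unescaped "." is a wildcard.
PAGE_PATTERN = r"(web|global).(asax|config)"
# Tightened form: literal dot and anchored at the end of the name.
STRICT_PATTERN = r"(web|global)\.(asax|config)$"

# Constructed sample names, not taken from any real host.
SAMPLE_NAMES = ["web.config", "Global.asax", "webXconfig",
                "readme.txt", "global.asax.bak"]

if __name__ == "__main__":
    print(classify_secret("password1"))
    print(classify_secret("aad3b435b51404eeaad3b435b51404ee:"
                          "da76f2c4c96028b7a6111aef4a50a94d"))
    print("page pattern  :", matching_files(PAGE_PATTERN, SAMPLE_NAMES))
    print("strict pattern:", matching_files(STRICT_PATTERN, SAMPLE_NAMES))
```

The page's pattern also pulls in names such as webXconfig and global.asax.bak, which is why a practitioner usually escapes the dot and anchors the pattern before running a large recursive search.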

AUTHOR

smbmap was developed by ShawnDEvans <ShawnDEvans@gmail.com>

This manual page was written by Samuel Henrique <samueloph@debian.org> for the Debian project; it is based on the smbmap -h output and can be used by other projects as well.

August 2018 smbmap 1.0.5