smbmap
SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.
Usage
Usage: smbmap [options]...
Options
Main arguments
| Option | Description |
|---|---|
-H HOST | IP of host |
--host-file FILE | File containing a list of hosts |
-u USERNAME | Username, if omitted null session assumed |
-p PASSWORD | Password or NTLM hash |
--prompt | Prompt for a password |
-s SHARE | Specify a share |
-d DOMAIN | Domain name (default WORKGROUP) |
-P PORT | SMB port (default 445) |
-v | Return the OS version of the remote host |
--admin | Just report if the user is an admin |
--no-banner | Removes the banner from the top of the output |
--no-color | Removes the color from output |
--no-update | Removes the “Working on it” message |
--timeout SCAN_TIMEOUT | Set port scan socket timeout. Default is .5 seconds |
Command Execution
Options for executing commands on the specified host
| Option | Description |
|---|---|
-x COMMAND | Execute a command ex. ipconfig /all |
--mode CMDMODE | Set the execution method, wmi or psexec, default wmi |
Shard drive Search
Options for searching/enumerating the share of the specified host(s)
| Option | Description |
|---|---|
-L | List all drives on the specified host, requires ADMIN rights. |
-r [PATH] | Recursively list dirs and files (no share\path lists the root of ALL shares), ex. ‘email/backup’ |
-A PATTERN | Define a file name pattern (regex) that auto downloads a file on a match (requires -r), not case sensitive, |
-g FILE | Output to a file in a grep friendly format, used with -r (otherwise it outputs nothing) |
--csv FILE | Output to a CSV file |
--dir-only | List only directories, ommit files. |
--no-write-check | Skip check to see if drive grants WRITE access. |
-q | Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search. |
--depth DEPTH | Traverse a directory tree to a specific depth. (Default: 5) |
--exclude SHARE [SHARE ...] | Exclude share(s) from searching and listing |
File Content Search
Options for searching the content of files (must run as root), kind of experimental
| Option | Description |
|---|---|
-F PATTERN | File content search, -F '[Pp]assword' (requires admin access to execute commands, and PowerShell on victim host) |
--search-path PATH | Specify drive/path to search |
--search-timeout TIMEOUT | Specifcy a timeout (in seconds) before the file search job gets killed. Default is 300 seconds. |
Filesystem interaction
Options for interacting with the specified host’s filesystem
| Option | Description |
|---|---|
--download PATH | Download a file from the remote system |
--upload SRC DST | Upload a file to the remote system |
--delete PATH TO FILE | Delete a remote file |
--skip | Skip delete file confirmation prompt |