
smbmap

SMBMap is a handy SMB enumeration tool that allows users to enumerate Samba share drives across an entire domain. It lists share drives, drive permissions, share contents, and supports upload/download functionality, file name auto-download pattern matching, and remote command execution.

Description

SMBMap was designed with penetration testing in mind to simplify searching for potentially sensitive data across large networks. It enumerates Samba shares, checks permissions, and provides features like pass-the-hash support, file upload/download/delete, permission enumeration compatible with Metasploit, remote command execution, distributed file content searching, file name matching with auto-download, and SMB signing detection.

Use cases include listing available shares and their permissions on target hosts, recursively exploring share contents, searching for specific file patterns or content, executing commands remotely, and interacting with filesystems via upload, download, or delete operations. It supports Kerberos authentication and works with IPs, hostnames, or CIDR ranges from host files.

The tool requires admin rights for advanced features like drive listing or command execution and is particularly useful in Windows environments for identifying writable shares and potential data exfiltration points.

How It Works

SMBMap establishes SMB sessions over port 445 to enumerate shares, permissions, and contents using SMB protocols. It supports authenticated sessions with usernames/passwords or NTLM hashes (pass-the-hash), null sessions, and Kerberos. Features like recursive listing, file content search via PowerShell execution, and filesystem operations leverage SMB file access and remote command execution methods (WMI or PSEXEC). It detects SMB signing and server versions, and handles distributed searches across hosts.
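The SMB signing detection mentioned above is a read of the SecurityMode field in the server's SMB2 NEGOTIATE response. The following is an added example (not code from SMBMap or kali.org) that parses such a response and reports whether the server merely supports signing or actually requires it, which is the setting a defender wants to verify on their own hosts. The byte string it builds is constructed for the demonstration; the field layout follows the SMB2 header and NEGOTIATE response structures from MS-SMB2.

```python
"""Parse an SMB2 NEGOTIATE response and report the server's signing posture.

Added example; the response bytes are constructed here, not captured from a
real host.  Layout follows MS-SMB2: 64-byte header, then the 65-byte
NEGOTIATE response body (StructureSize 65 includes one byte of Buffer).
"""
import struct
import uuid

# SecurityMode flags in the NEGOTIATE response (MS-SMB2 2.2.4)
SIGNING_ENABLED = 0x0001   # server can sign; always set by SMB2 servers
SIGNING_REQUIRED = 0x0002  # server refuses unsigned sessions

DIALECT_NAMES = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
NEGOTIATE_BODY_LEN = 65


def parse_negotiate_response(data: bytes) -> dict:
    """Return dialect, SecurityMode and the derived signing posture.

    `data` is the raw SMB2 message (header + body) without the 4-byte
    NetBIOS session length prefix that precedes it on the wire.
    """
    if len(data) < SMB2_HEADER_LEN + NEGOTIATE_BODY_LEN:
        raise ValueError("too short for SMB2 header + NEGOTIATE body")
    protocol_id, struct_size, _credit_charge, status, command = struct.unpack_from(
        "<4sHHIH", data, 0
    )
    if protocol_id != b"\xfeSMB" or struct_size != 64:
        raise ValueError("not an SMB2 header")
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"expected NEGOTIATE (0), got command {command:#06x}")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed with NTSTATUS {status:#010x}")

    body = data[SMB2_HEADER_LEN:]
    body_size, security_mode, dialect, _ctx_count = struct.unpack_from("<HHHH", body, 0)
    if body_size != NEGOTIATE_BODY_LEN:
        raise ValueError("NEGOTIATE response StructureSize must be 65")
    server_guid = uuid.UUID(bytes_le=body[8:24])  # ServerGuid follows the 4 WORDs

    required = bool(security_mode & SIGNING_REQUIRED)
    enabled = bool(security_mode & SIGNING_ENABLED)
    if required:
        verdict = "signing required"
    elif enabled:
        verdict = "signing supported but not required"
    else:
        verdict = "signing disabled"
    return {
        "dialect": DIALECT_NAMES.get(dialect, f"unknown ({dialect:#06x})"),
        "security_mode": security_mode,
        "server_guid": str(server_guid),
        "signing_enabled": enabled,
        "signing_required": required,
        "verdict": verdict,
    }


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Build a minimal well-formed NEGOTIATE response (constructed test data)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
        0x0001,          # Flags: SMB2_FLAGS_SERVER_TO_REDIR (response)
        0, 0, 0, 0, 0,   # NextCommand, MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16,    # Signature (unsigned negotiate)
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        NEGOTIATE_BODY_LEN, security_mode, dialect, 0,
        uuid.UUID(int=0x1234).bytes_le,  # ServerGuid (constructed)
        0, 0x800000, 0x800000, 0x800000,  # Capabilities, Max{Transact,Read,Write}
        0, 0,                             # SystemTime, ServerStartTime
        0, 0, 0,                          # SecurityBuffer offset/len, ctx offset
    ) + b"\x00"                           # one byte of Buffer
    return header + body


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(parse_negotiate_response(build_negotiate_response(mode)))
```

A host whose response only carries SIGNING_ENABLED is what SMBMap reports as not requiring signing; on a Windows domain that is the "Microsoft network server: Digitally sign communications (always)" policy, which domain controllers enforce by default and member servers often do not.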

Installation

    sudo apt install smbmap

Flags

-H HOST                IP or FQDN of the target host
--host-file FILE       File containing a list of hosts
-u USERNAME            Username; if omitted, a null session is assumed
-p PASSWORD            Password or NTLM hash, format is LMHASH:NTHASH
--prompt               Prompt for a password
-s SHARE               Specify a share (default C$), ex. 'C$'
-d DOMAIN              Domain for authentication
-k, --kerberos         Use Kerberos authentication
-x COMMAND             Execute a command, ex. 'ipconfig /all'
-L                     List all drives on the specified host, requires ADMIN rights
-r [PATH]              Recursively list dirs and files
-F PATTERN             File content search, ex. -F '[Pp]assword'
--download PATH        Download a file from the remote system
--upload SRC DST       Upload a file to the remote system
--delete PATH TO FILE  Delete a remote file

Examples

Check for shares on the specified host with the username and password provided:

    smbmap -u victim -p s3cr3t -H 192.168.86.61

Enumerate shares with username, password, domain, and host:

    smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1

Enumerate shares using an NTLM hash (pass-the-hash):

    smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20

Execute a remote command to list the Domain Admins group:

    smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

List all drives on the host (requires admin rights):

    smbmap -u jsmith -p password1 -H 192.168.0.1 -L

Recursively list directories and files in a share path:

    smbmap -u jsmith -p password1 -H 192.168.0.1 -r email/backup

Search for files containing 'password' or 'Password' (requires admin access):

    smbmap -u admin -p password -H 192.168.0.1 -F '[Pp]assword'
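From the defender's side, every one of the runs above shows up on the target as a burst of Windows Security event 5140 ("A network share object was accessed"), one per share touched, from a single account and source address, usually spread across many hosts within seconds. The following is an added detection example, not part of the kali.org page or of SMBMap, that flags an account/source pair touching several shares on several servers inside a short window. The log lines are constructed and use a simplified whitespace-separated layout (time, event ID, account, source IP, server, share) rather than the real XML; only the 5140 event ID and its fields are taken from Windows.

```python
"""Flag share-enumeration sweeps in centralised Windows Security logs.

Added example.  Input lines are constructed and simplified to:
    <UTC time> <event id> <DOMAIN\\user> <source ip> <server> <share>
Real 5140 events carry the same fields (Account Name, Source Address,
Computer, Share Name) inside EventData.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "when event_id account src_ip server share")

SHARE_ACCESSED = 5140  # Windows Security: a network share object was accessed

# Constructed sample: one normal user, one account sweeping three hosts in 20 s,
# and one non-5140 line that must be ignored.
LOG_LINES = [
    "2024-05-01T10:00:01Z 5140 ACME\\jsmith 10.0.0.50 FS01 \\\\*\\email",
    "2024-05-01T10:04:12Z 5140 ACME\\jsmith 10.0.0.50 FS01 \\\\*\\email",
    "2024-05-01T10:09:47Z 5140 ACME\\jsmith 10.0.0.50 FS01 \\\\*\\email",
    "2024-05-01T11:15:00Z 5140 ACME\\svc_backup 10.0.0.99 FS01 \\\\*\\IPC$",
    "2024-05-01T11:15:01Z 5140 ACME\\svc_backup 10.0.0.99 FS01 \\\\*\\C$",
    "2024-05-01T11:15:01Z 5140 ACME\\svc_backup 10.0.0.99 FS01 \\\\*\\ADMIN$",
    "2024-05-01T11:15:05Z 5140 ACME\\svc_backup 10.0.0.99 FS02 \\\\*\\IPC$",
    "2024-05-01T11:15:06Z 5140 ACME\\svc_backup 10.0.0.99 FS02 \\\\*\\C$",
    "2024-05-01T11:15:11Z 5140 ACME\\svc_backup 10.0.0.99 DC01 \\\\*\\IPC$",
    "2024-05-01T11:15:12Z 5140 ACME\\svc_backup 10.0.0.99 DC01 \\\\*\\SYSVOL",
    "2024-05-01T11:15:20Z 5140 ACME\\svc_backup 10.0.0.99 DC01 \\\\*\\NETLOGON",
    "2024-05-01T11:15:21Z 4624 ACME\\svc_backup 10.0.0.99 DC01 -",
]


def parse_event(line: str):
    """Parse one simplified log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        event_id = int(parts[1])
    except ValueError:
        return None
    return Event(when, event_id, parts[2], parts[3], parts[4], parts[5])


def find_share_sweeps(lines, window_seconds=60, min_servers=3, min_shares=4):
    """Return one finding per (account, source IP) whose 5140 events cover at
    least `min_servers` servers and `min_shares` distinct server/share pairs
    within any `window_seconds` sliding window."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev.event_id == SHARE_ACCESSED:
            by_key[(ev.account, ev.src_ip)].append(ev)

    findings = []
    for (account, src_ip), evs in by_key.items():
        evs.sort(key=lambda e: e.when)
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits in window_seconds
            while (evs[end].when - evs[start].when).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            servers = {e.server for e in window}
            shares = {(e.server, e.share) for e in window}
            if len(servers) >= min_servers and len(shares) >= min_shares:
                if best is None or len(shares) > best["distinct_shares"]:
                    best = {
                        "account": account,
                        "src_ip": src_ip,
                        "servers": len(servers),
                        "distinct_shares": len(shares),
                        "first": window[0].when.isoformat(),
                        "last": window[-1].when.isoformat(),
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_share_sweeps(LOG_LINES):
        print(f"{f['account']} from {f['src_ip']}: {f['distinct_shares']} shares "
              f"on {f['servers']} servers between {f['first']} and {f['last']}")
```

The thresholds are deliberately loose; tune `min_servers` and `min_shares` against a baseline of your backup and inventory accounts, which legitimately touch many shares but usually from a fixed source address and on a schedule.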
Updated 2026-04-16. Source: kali.org