How to use the command "smbmap" (with examples)
Smbmap is a tool that allows users to enumerate Samba share drives across an entire domain. It provides features such as enumerating hosts, checking SMB file permissions, locating and downloading files recursively, and uploading files through SMB.
Use case 1: Enumerate hosts with NULL sessions enabled and open shares
Code:
smbmap --host-file path/to/file
Motivation: This use case is useful when you want to identify hosts in a domain with NULL sessions enabled, which can be a security vulnerability. It also helps to find open shares.
Explanation:
--host-file: Specifies the path to the file containing a list of hosts.
path/to/file: The path to the file containing a list of hosts.
Example output:
[+] Found open share 'sambashare' on IP: 192.168.1.10
[+] Found open share 'public' on IP: 192.168.1.10
[+] Found open share 'data' on IP: 192.168.1.20
Use case 2: Enumerate hosts and check SMB file permissions
Code:
smbmap --host-file path/to/file -u username -p password -q
Motivation: This use case is beneficial when you want to check the SMB file permissions of hosts in a domain. It allows you to identify any misconfigured permissions that may lead to unauthorized access.
Explanation:
-u: Specifies the username for authentication.
-p: Specifies the password for authentication.
-q: Enables quiet mode, which reduces the verbosity of the output.
Example output:
[*] Enumerating hosts: ... (output truncated)
[+] IP: 192.168.1.10: [+] Perms: rwx, Desc: <No Access Mask>
[+] IP: 192.168.1.20: [+] Perms: rwx, Desc: Directory
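Added example (not part of the original page or the smbmap project): a shell helper that turns saved smbmap output into a per-host remediation list of open and writable shares. It assumes the line format of the example output shown in use cases 1 and 2; the function names and the 192.168.1.30 sample line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage saved smbmap output into a remediation list.
# Assumption: lines look like the example output on this page; adjust the
# patterns to whatever your smbmap version actually prints.

# Reads smbmap output on stdin.
# Prints one "ip<TAB>share<TAB>finding" line per issue, de-duplicated.
triage_smb_findings() {
  awk -v q="'" '
    # Use case 1 format: [+] Found open share <quoted name> on IP: ADDR
    /Found open share/ {
      split($0, part, q)          # part[2] = share name between the quotes
      printf "%s\t%s\topen-share\n", $NF, part[2]
    }
    # Use case 2 format: [+] IP: ADDR: [+] Perms: rwx, Desc: ...
    / Perms: / {
      ip = $3;    sub(/:$/, "", ip)      # drop trailing colon
      perms = $6; sub(/,$/, "", perms)   # drop trailing comma
      # Only write access is reported; read-only lines are skipped.
      if (perms ~ /w/) printf "%s\t-\twritable(%s)\n", ip, perms
    }
  ' | LC_ALL=C sort -u
}

# Constructed sample input, modelled on the example output above.
sample_smbmap_output() {
  cat <<'EOF'
[+] Found open share 'public' on IP: 192.168.1.10
[+] Found open share 'data' on IP: 192.168.1.20
[*] Enumerating hosts: ... (output truncated)
[+] IP: 192.168.1.10: [+] Perms: rwx, Desc: <No Access Mask>
[+] IP: 192.168.1.30: [+] Perms: r, Desc: Directory
EOF
}

# Stand-alone run: print the findings for the constructed sample.
sample_smbmap_output | triage_smb_findings
```

To use it on real results, save the scan output to a file and pipe that file into triage_smb_findings instead of the sample.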
Use case 3: Connect to an IP or hostname through SMB using a username and password
Code:
smbmap -u username -p password -d domain -H ip_or_hostname
Motivation: This use case is helpful when you want to establish a connection to a specific IP or hostname through SMB and perform operations on the SMB share.
Explanation:
-u: Specifies the username for authentication.
-p: Specifies the password for authentication.
-d: Specifies the domain for authentication.
-H: Specifies the IP or hostname to connect to through SMB.
Example output:
[*] Domain: DOMAIN
[*] Username: username
[*] Password: password
[*] Target IP: 192.168.1.10
[+] IP: 192.168.1.10:
- SHARES: ('sambashare', 'public', 'data')
Use case 4: Locate and download files recursively
Code:
smbmap --host-file path/to/file -u username -p password -q -R --depth number --exclude sharename -A filepattern
Motivation: This use case is beneficial when you want to search for specific files across the Samba share drives and download them. The recursive search allows you to explore subdirectories.
Explanation:
-R: Enables recursive search for files.
--depth: Specifies the maximum depth to search recursively.
--exclude: Excludes the specified share from the search.
-A: Specifies the file pattern to search for (supports regex).
Example output:
[*] Enumerating hosts: ... (output truncated)
[+] IP: 192.168.1.10: [+] Downloading file: /sambashare/files/file1.txt
[+] IP: 192.168.1.10: [+] Downloading file: /public/files/subfolder/file2.txt
Use case 5: Upload file through SMB using username and password
Code:
smbmap -u username -p password -d domain -H ip_or_hostname --upload path/to/file '/share_name/remote_filename'
Motivation: This use case is useful when you want to upload a file to a specific SMB share using SMB authentication. It enables easy file transfers to the remote share.
Explanation:
--upload: Specifies the path to the file to upload.
'/share_name/remote_filename': Specifies the target location and filename on the SMB share.
Example output:
[*] Domain: DOMAIN
[*] Username: username
[*] Password: password
[*] Target IP: 192.168.1.10
[+] IP: 192.168.1.10: [+] File uploaded successfully: /share_name/remote_filename
Conclusion:
The command “smbmap” provides numerous use cases for interacting with Samba share drives. It allows users to enumerate hosts, check SMB file permissions, locate and download files recursively, and upload files through SMB. By leveraging these features, users can efficiently manage SMB shares and perform various operations on them.