smbclient for Pentesters: Accessing and Enumerating SMB Shares

Category: Pentesting Tools & Techniques
Tool Focus: SMB Enumeration, Looting, Anonymous Access

smbclient is a Linux command-line utility from the Samba suite that lets you interact with SMB (Server Message Block) services — similar to FTP.

It allows you to:

  • List available shares on a target
  • Connect to specific shares
  • Download or upload files
  • Test for anonymous access

Use smbclient early in your internal or AD pentest when:

  • You’ve found TCP port 445 or 139 open
  • You’re checking for anonymous or weak SMB access
  • You want to loot files, scripts, backups, or config dumps
  • You’re following up on Nmap/CrackMapExec results

It’s an essential post-scan tool for initial access, enumeration, and credential hunting.

If you’re on Kali or Parrot, it’s pre-installed. Otherwise:

sudo apt install smbclient -y

To list the shares on a target without credentials:

smbclient -L //<target-ip> -N
# -L = list shares
# -N = no password (anonymous)

Example:

smbclient -L //192.168.56.101 -N

If anonymous access is allowed, this will show all available shares.

To list shares as a specific user:

smbclient -L //<target-ip> -U <username>

It will prompt for a password.

Example:

smbclient -L //192.168.56.101 -U administrator

To connect to a specific share:

smbclient //<target-ip>/<sharename> -N

Example:

smbclient //192.168.56.101/anonymous -N

This opens an interactive shell like FTP:

smb: \> ls

Once inside a share:

get <filename>     # Download a file

Example:

smb: \> get secrets.txt

put <filename>     # Upload a file

Useful for dropping webshells or tools in writable shares.

ls                  # List contents
cd <folder>         # Change directory
pwd                 # Print working directory
exit                # Quit

You Nmap a target and see port 445 is open. You try:

smbclient -L //192.168.56.101 -N

It lists:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
public          Disk      Shared folder

You connect:

smbclient //192.168.56.101/public -N

You find backup.zip, download it:

get backup.zip

You crack the zip password and find a .pfx file with credentials. You now have initial access or a pivot to escalation.

  • Always check anonymous access first.
  • Look for writable shares like public, netlogon, or SYSVOL.
  • Use enum4linux, smbmap, and crackmapexec to complement smbclient.
  • Target shares like SYSVOL and NETLOGON for potential GPP files, scripts, or stored credentials.
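
For the administrator on the other side of the walkthrough above, the same anonymous listing is a quick exposure check. The script below is an added example, not part of the original article: it parses smbclient -L output and flags every non-built-in disk share that an anonymous session can see. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `smbclient -L` output for shares exposed to anonymous sessions.

# Constructed sample modelled on the listing in the walkthrough; the last two
# rows are added to cover IPC$ and a hidden share whose name contains a space.
sample_listing() {
cat <<'EOF'
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
public          Disk      Shared folder
IPC$            IPC       Remote IPC
hr backup$      Disk      HR archive
EOF
}

# Reads a share listing on stdin, prints "<verdict><TAB><name><TAB><type>".
classify_shares() {
    awk '
    # Share rows are the ones with a type column; header and rule lines are skipped.
    match($0, /[ \t]+(Disk|IPC|Printer)([ \t]+|$)/) {
        name = substr($0, 1, RSTART - 1)      # text before the type column
        sub(/^[ \t]+/, "", name)              # real output is tab-indented
        type = substr($0, RSTART, RLENGTH)
        gsub(/[ \t]/, "", type)
        if (name ~ /^(ADMIN|IPC|print|[A-Za-z])\$$/)
            verdict = "builtin"               # Windows/Samba default shares
        else if (type == "Disk")
            verdict = "REVIEW"                # includes custom hidden shares
        else
            verdict = "info"
        printf "%s\t%s\t%s\n", verdict, name, type
    }'
}

# Hypothetical wrapper for a file server you administer (needs smbclient).
audit_host() {
    smbclient -L "//$1" -N 2>/dev/null | classify_shares
}

sample_listing | classify_shares
```

A trailing $ only hides a share from client-side browsing, so a custom share such as hr backup$ still appears in the listing and is flagged for review.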
