Skip to content

smbclient - A tool for interacting with smb shares

See Quick Cheat sheet for smbclient.

smbclient installation

sudo apt-get install smbclient

smbclient configuration

Default settings are in /etc/samba/smb.conf.

 cat /etc/samba/smb.conf | grep -v "#\|\;"
Setting Description
[sharename] The name of the network share.
workgroup = WORKGROUP/DOMAIN Workgroup that will appear when clients query.
path = /path/here/ The directory to which user is to be given access.
server string = STRING The string that will show up when a connection is initiated.
unix password sync = yes Synchronize the UNIX password with the SMB password?
usershare allow guests = yes Allow non-authenticated users to access defined shared?
map to guest = bad user What to do when a user login request doesn't match a valid UNIX user?
browseable = yes Should this share be shown in the list of available shares?
guest ok = yes Allow connecting to the service without using a password?
read only = yes Allow users to read files only?
create mask = 0700 What permissions need to be set for newly created files?

For pentesting notes on ports 137, 138, 139 and 445 with a smb service, see 137-138-139-445-smb.

smbclient connection

See 

# [-L|--list=HOST] : Selecting the targeted host for the connection request.
smbclient -L -N //$ip
# -N: Suppresses the password prompt.
# -L: retrieve a list of available shares on the remote host

Smbclient will attempt to connect to the remote host and check if there is any authentication required. If there is, it will ask you for a user and a password for your local username. If we do not specify a specific username to smbclient when attempting to connect to the remote host, it will just use your local machine's username.If vulnerable and performing a Null Attack, we will hit Enter when prompted for a password.

After authenticating, we may obtain access to some typical shared folders, such as:

ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled.

C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.

IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
WorkShares - Custom share.

We will try to connect to each of the shares except for the IPC$ one, which is not valuable for us since it is not browsable as any regular directory would be and does not contain any files that we could use at this stage of our learning experience: 

# the use of / and \ might be different if you need to escape some characters
smbclient \\\\$ip\\ADMIN$

Important: Sometimes some jugling is needed:

smbclient -N -L \\$ip
smbclient -N -L \\\\$ip
smbclient -N -L /\/\$ip

If we have NT_STATUS_ACCESS_DENIED as output, we do not have the proper credentials to connect to this share.

Connect to a Shared folders as Administrator:

smbclient -L 10.129.228.98 -U Administrator

Also we can use rpcclient tool for connecting to the shared folders.

Basic commands in SMBclient

# Show available commands
help

# Download a file
get <file>

# See status
smbstatus

# Smbclient also allows us to execute local system commands using an exclamation mark at the beginning (`!<cmd>`) without interrupting the connection.
!cmd

!cat prep-prod.txt

Quick cheat sheet

# List shares on a machine using NULL Session
smbclient -L <target-IP>

# List shares on a machine using a valid username + password
smbclient -L \<target-IP\> -U username%password

# Connect to a valid share with username + password
smbclient //\<target\>/\<share$\> -U username%password

# List files on a specific share
smbclient //\<target\>/\<share$\> -c 'ls' password -U username

# List files on a specific share folder inside the share
smbclient //\<target\>/\<share$\> -c 'cd folder; ls' password -U username

# Download a file from a specific share folder
smbclient //\<target\>/\<share$\> -c 'cd folder;get desired_file_name' password -U username

# Copy a file to a specific share folder
smbclient //\<target\>/\<share$\> -c 'put /var/www/my_local_file.txt .\target_folder\target_file.txt' password -U username

# Create a folder in a specific share folder
smbclient //\<target\>/\<share$\> -c 'mkdir .\target_folder\new_folder' password -U username

# Rename a file in a specific share folder
smbclient //\<target\>/\<share$\> -c 'rename current_file.txt new_file.txt' password -U username
Last update: 2024-10-24
Created: June 27, 2023 18:57:41