# smbmap SMBMap is a tool for enumerating SMB shares and permissions on Windows networks. It's particularly useful during penetration tests for identifying accessible shares, searching for sensitive files, and testing credential access across multiple hosts. ## Basic Enumeration Enumerate for read access to network shares: `python3 ./smbmap.py -u -p -d burmat.local --host-file /root/scans/smbhosts.txt --no-write-check -r --csv /root/recon/shares.csv` ## Common Usage Scenarios ### Null Session Enumeration Test for anonymous/null session access: ```bash smbmap -H 10.10.10.123 smbmap -H 10.10.10.123 -u '' -p '' ``` ### Authenticated Enumeration With valid credentials: ```bash smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local ``` ### Recursive Share Enumeration Recursively list all directories and files: ```bash smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R 'C$' ``` ### Search for Sensitive Files Search for files matching specific patterns: {% code overflow="wrap" %} ```bash # Search for common sensitive files smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R --pattern '*.txt|*.xml|*.ini|*.conf' # Search for passwords smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R --pattern 'pass*' # Search for SSH keys smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R --pattern 'id_rsa*' # Search for database files smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R --pattern '*.sql|*.db|*.mdb' ``` {% endcode %} ### Download Files Download specific files from shares: ```bash # Download a specific file smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local --download 'C$\temp\passwords.txt' # Download all files matching pattern smbmap -H 10.10.10.123 -u jsmith -p 'Password123' -d burmat.local -R --download-pattern '*.config' ``` ### Execute Commands Execute commands on remote systems (requires admin privileges): ```bash smbmap -H 10.10.10.123 -u administrator -p 'AdminPass123' -d burmat.local -x 'whoami' smbmap -H 10.10.10.123 -u administrator -p 'AdminPass123' -d burmat.local -x 'ipconfig /all' ``` ### Mass Enumeration Enumerate multiple hosts from a file: ```bash smbmap -u jsmith -p 'Password123' -d burmat.local --host-file targets.txt ``` ### Pass-the-Hash Use NTLM hash instead of password: ```bash smbmap -H 10.10.10.123 -u administrator -d burmat.local --hash 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0' ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://burmat.gitbook.io/security/hacking/tools-and-services/smbmap.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.