---
obj: application
repo: https://github.com/ShawnDEvans/smbmap
source: https://www.kali.org/tools/smbmap
---

# smbmap
SMBMap allows users to enumerate [samba](../web/Samba.md) share drives across an entire domain. It can list share drives, drive permissions and share contents, upload and download files, auto-download files whose names match a pattern, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

## Usage
Usage: `smbmap [options]...`

### Options
#### Main arguments
| Option | Description |
| ------------------------ | --------------------------------------------------- |
| `-H HOST` | IP of host |
| `--host-file FILE` | File containing a list of hosts |
| `-u USERNAME` | Username, if omitted null session assumed |
| `-p PASSWORD` | Password or NTLM hash |
| `--prompt` | Prompt for a password |
| `-s SHARE` | Specify a share |
| `-d DOMAIN` | Domain name (default WORKGROUP) |
| `-P PORT` | SMB port (default 445) |
| `-v` | Return the OS version of the remote host |
| `--admin` | Just report if the user is an admin |
| `--no-banner` | Removes the banner from the top of the output |
| `--no-color` | Removes the color from output |
| `--no-update` | Removes the "Working on it" message |
| `--timeout SCAN_TIMEOUT` | Set port scan socket timeout. Default is .5 seconds |

#### Command Execution
Options for executing commands on the specified host

| Option | Description |
| ---------------- | ---------------------------------------------------------- |
| `-x COMMAND` | Execute a command, e.g. `ipconfig /all` |
| `--mode CMDMODE` | Set the execution method, `wmi` or `psexec`, default `wmi` |

#### Share drive Search
Options for searching/enumerating the share of the specified host(s)

| Option | Description |
| ----------------------------- | ------------------------------------------------------------ |
| `-L` | List all drives on the specified host, requires ADMIN rights. |
| `-r [PATH]` | Recursively list dirs and files (with no `share\path` given, lists the root of ALL shares), e.g. 'email/backup' |
| `-A PATTERN` | Define a file name pattern ([regex](../../tools/Regex.md)) that auto downloads a file on a match (requires `-r`), not case sensitive. |
| `-g FILE` | Output to a file in a grep friendly format, used with `-r` (otherwise it outputs nothing) |
| `--csv FILE` | Output to a [CSV](../../files/CSV.md) file |
| `--dir-only` | List only directories, omit files. |
| `--no-write-check` | Skip check to see if drive grants WRITE access. |
| `-q` | Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search. |
| `--depth DEPTH` | Traverse a directory tree to a specific depth. (Default: 5) |
| `--exclude SHARE [SHARE ...]` | Exclude share(s) from searching and listing |

#### File Content Search
Options for searching the content of files (must run as root), kind of experimental

| Option | Description |
| -------------------------- | ------------------------------------------------------------ |
| `-F PATTERN` | File content search, `-F '[Pp]assword'` (requires admin access to execute commands, and PowerShell on victim host) |
| `--search-path PATH` | Specify drive/path to search |
| `--search-timeout TIMEOUT` | Specify a timeout (in seconds) before the file search job gets killed. Default is 300 seconds. |

#### Filesystem interaction
Options for interacting with the specified host's filesystem

| Option | Description |
| ----------------------- | -------------------------------------- |
| `--download PATH` | Download a file from the remote system |
| `--upload SRC DST` | Upload a file to the remote system |
| `--delete PATH TO FILE` | Delete a remote file |
| `--skip` | Skip delete file confirmation prompt |