.TH SMBMAP "1" "August 2018" "smbmap 1.0.5" "User Commands" .SH NAME smbmap \- SMB enumeration tool .SH SYNOPSIS \fBsmbmap \fI[options]\fR .IP .SH DESCRIPTION SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks. .SH OPTIONS .SS "Main arguments:" .TP \fB\-H\fR HOST IP of host .TP \fB\-\-host\-file\fR FILE File containing a list of hosts .TP \fB\-u\fR USERNAME Username, if omitted null session assumed .TP \fB\-p\fR PASSWORD Password or NTLM hash .TP \fB\-s\fR SHARE Specify a share (default C$), ex 'C$' .TP \fB\-d\fR DOMAIN Domain name (default WORKGROUP) .TP \fB\-P\fR PORT SMB port (default 445) .SS "Command Execution:" .IP Options for executing commands on the specified host .TP \fB\-x\fR COMMAND Execute a command ex. 'ipconfig /all' .SS "Filesystem Search:" .IP Options for searching/enumerating the filesystem of the specified host .TP \fB\-L\fR List all drives on the specified host .TP \fB\-R\fR [PATH] Recursively list dirs, and files (no share\epath lists ALL shares), ex. 'C$\eFinance' .TP \fB\-r\fR [PATH] List contents of directory, default is to list root of all shares, ex. \fB\-r\fR 'C$\eDocuments and Settings\eAdministrator\eDocuments' .TP \fB\-A\fR PATTERN Define a file name pattern (regex) that auto downloads a file on a match (requires \fB\-R\fR or \fB\-r\fR), not case sensitive, ex '(web|global).(asax|config)' .TP \fB\-q\fR Disable verbose output. Only shows shares you have READ/WRITE on, and suppresses file listing when performing a search (\fB\-A\fR). .TP \fB\-\-depth\fR DEPTH Traverse a directory tree to a specific depth .SS "File Content Search:" .IP Options for searching the content of files .TP \fB\-F\fR PATTERN File content search, \fB\-F\fR '[Pp]assword' (requries admin access to execute commands, and powershell on victim host) .TP \fB\-\-search\-path\fR PATH Specify drive/path to search (used with \fB\-F\fR, default C:\eUsers), ex 'D:\eHR\e' .SS "Filesystem interaction:" .IP Options for interacting with the specified host's filesystem .TP \fB\-\-download\fR PATH Download a file from the remote system, ex.'C$\etemp\epasswords.txt' .TP \fB\-\-upload\fR SRC DST Upload a file to the remote system ex. \&'/tmp/payload.exe C$\etemp\epayload.exe' .TP \fB\-\-delete\fR PATH TO FILE Delete a remote file, ex. 'C$\etemp\emsf.exe' .TP \fB\-\-skip\fR Skip delete file confirmation prompt .SS "Optional arguments:" .TP \fB\-h\fR, \fB\-\-help\fR show help message and exit .SH EXAMPLES smbmap \-u jsmith \-p password1 \-d workgroup \-H 192.168.0.1 .br smbmap \-u jsmith \-p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' \-H 172.16.0.20 .br smbmap \-u 'apadmin' \-p 'asdf1234!' \-d ACME \-H 10.1.3.30 \-x 'net group "Domain Admins" /domain' .SH AUTHOR smbmap was developed by ShawnDEvans .PP This manual page was written by Samuel Henrique for the Debian project, it was based on \fBsmbmap -h\fR output and can be used by other projects as well.