SMBCLIENT

INSTALLATION

root@oco:~$ sudo apt install smbclient

LISTING SHARES: PASSWORD MISCONFIGURATION

#test whether the server have password misconfiguration
root@oco:~$ smbclient -h
root@oco:~$ smbclient -L {\\\\targetIP} -U {userName}

 * the -L flag is used to list available server shares on the target.
 * the -U flag is used to specify the Login identity to use.
    - misconfigured smb servers typically have administrator as the username
      with an unset password

LISTING SHARES: W/O PASSWORD


root@oco:~$ smbclient -h
root@oco:~$ smbclient -N -L \\\\10.129.42.253
 Sharename       Type      Comment
 --------       ----      -------
 print$          Disk      Printer Drivers
 users           Disk      
 IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))

 SMB1 disabled -- no workgroup available
 
 * the -N (null session) is used for anonymous access 
    - it suppresses the input of existing users or valid passwords - password prompt
    - the -N MUST come before the -L
 * the -L is used to list available shares on the target
    - do not use the -L when connecting to SMB; it is only for listing shares
 * the print$ and an IPC$ are included by default in the basic setting (if configured)

ACCESSING SHARES: W/ FULL CREDENTIALS

root@oco:~$ smbclient \\\\10.129.150.91\\users -U bob%Welcome1

 * MUST list shares first prior to connecting with credentials
    - the use of back slashes can be used as well
       - //10.129.150.91//users

 Enter WORKGROUP\<username>'s password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.

CONNECTION: W/ PASSWORD

root@oco:~$ smbclient //10.129.150.91/users -U bob%Welcome1
 Try "help" to get a list of possible commands.

 * MUST list shares first prior to connecting with credentials
    - smbclient needs a share path, like //IP/SHARE.
       - Without a share, it doesn't know what to connect to.

 * can use backslash instead of forward slashes
    - \\\\10.129.150.91\\users -U bob%Welcome1

smb: \> ls
 .                                   D        0  Thu Feb 25 16:42:23 2021
 ..                                  D        0  Thu Feb 25 15:05:31 2021
 bob                                 D        0  Thu Feb 25 16:42:23 2021

	4062912 blocks of size 1024. 1332480 blocks available
		
smb: \> cd bob

smb: \bob\> ls
 .                                   D        0  Thu Feb 25 16:42:23 2021
 ..                                  D        0  Thu Feb 25 16:42:23 2021
 passwords.txt                       N      156  Thu Feb 25 16:42:23 2021

	4062912 blocks of size 1024. 1332480 blocks available
		
smb: \bob\> get passwords.txt 
 getting file \bob\passwords.txt of size 156 as passwords.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

smb: \> exit

root@oco:~$ cat passwords.txt
 ...

CONNECTION: W/ PASSWORD - WARNING

If you get the error "Unable to connect with SMB1..." then simply remove the -L from the command. smbclient -L tries to list workgroups that requires SMB1. Modern Windows systems disable SMB1, so the fallback fails

root@htb:~$ smbclient -L //10.129.202.41/ -U alex
 Password for [WORKGROUP\alex]:

 	 Sharename       Type      Comment
	 ---------       ----      -------
	 ADMIN$          Disk      Remote Admin
	 C$              Disk      Default share
	 devshare        Disk      
	 IPC$            IPC       Remote IPC
	 Users           Disk      
 Reconnecting with SMB1 for workgroup listing.
 do_connect: Connection to 10.129.202.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
 Unable to connect with SMB1 -- no workgroup available

root@htb:~$ smbclient //10.129.202.41/users -U alex
root@htb:~$ smbclient //10.129.180.37/devshare -U alex
 Password for [WORKGROUP\alex]:
 Try "help" to get a list of possible commands.
 smb: \> ls
   .                                   D        0  Sun Dec 14 20:13:58 2025
   ..                                  D        0  Sun Dec 14 20:13:58 2025
   important.txt                       A       16  Wed Nov 10 10:12:55 2021

 		6367231 blocks of size 4096. 2592726 blocks available
smb: \> get important.txt
 getting file \important.txt of size 16 as important.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
root@htb:~$ cat important.txt 
 sa:87N1ns@slls83

CONNECTION W/O PASSWORD

root@oco:~$ smbclient //10.129.202.5/sambashare
 Password for [WORKGROUP\htb-ac-53539]:
 Try "help" to get a list of possible commands.

smb: \> 

 * after listing share, test whether connection to the share is possible
    - this is only possible if anonymous login is enabled or if there's a misconfiguration

DOWNLOADING FILES

The smbclient allows for the execution of local system commands (non-target side)

smb: \> get prep-prod.txt 
 getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec) 
 (average 8,7 KiloBytes/sec)

smb: \> !ls
 prep-prod.txt

smb: \> !cat prep-prod.txt
 [] check your code with the templates
 [] run code-assessment.py
 [] …	
 
 * the "!" followed by a cmd can be used to execute local system commands (non-target side)
    - this will not interrupt the connection.

EXECUTING LOCAL SYSTEM CMDS

The !<cmd> in smbclient will run a command in the local shell without leaving the smbclient interactive prompt. This executes on the system, not on the SMB server connected to. This is useful as it saves time when you want to manipulate local files (e.g., listing directories, moving files) while still staying inside the smbclient session.

//list local files while connected to the target
smb: \> !ls
 notes.txt  exploit.c  loot/

PreviousSMB NextSMBMAP

Last updated 1 day ago