oracular (1) smbmap.1.gz

Provided by: smbmap_1.10.4-1_all

NAME

       smbmap - SMB enumeration tool

SYNOPSIS

       smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN]
              [-P PORT] [-v] [--signing] [--admin] [--no-banner] [--no-color] [--no-update] [--timeout SCAN_TIMEOUT]
              [-k] [--no-pass] [--dc-ip IP] [-x COMMAND] [--mode CMDMODE] [-L | -r [PATH]] [-g FILE | --csv FILE]
              [--dir-only] [--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-A PATTERN]
              [-F PATTERN] [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST]
              [--delete PATH_TO_FILE] [--skip]

DESCRIPTION

       SMBMap allows users to enumerate SMB shares across an entire domain: list shares and their permissions,
       list share contents, upload and download files, automatically download files whose names match a pattern,
       and even execute remote commands. The tool was designed with penetration testing in mind and is intended
       to simplify searching for potentially sensitive data across large networks.

OPTIONS

   Main arguments:
       -H HOST
              IP or FQDN

       --host-file FILE
              File containing a list of hosts

       -u USERNAME, --username USERNAME
              Username; if omitted, a null session is assumed

       -p PASSWORD, --password PASSWORD
              Password or NTLM hash pair in the form LMHASH:NTHASH (pass-the-hash; when only the NT hash is
              known, the LM half can be the LM hash of the empty password, as in the EXAMPLES section)

       --prompt
              Prompt for a password (keeps it out of the process list and shell history)

       -s SHARE
              Specify a share (default C$), ex 'C$'

       -d DOMAIN
              Domain name (default WORKGROUP)

       -P PORT
              SMB port (default 445)

       -v, --version
              Return the OS version of the remote host

       --signing
              Check if host has SMB signing disabled, enabled, or required

       --admin
              Only report whether the user is an admin on the host

       --no-banner
              Removes the banner from the top of the output

       --no-color
              Removes the color from output

       --no-update
              Removes the "Working on it" message

       --timeout SCAN_TIMEOUT
              Set the port scan socket timeout. Default is 0.5 seconds

   Kerberos settings:
       -k, --kerberos
              Use Kerberos authentication

       --no-pass
              Use a Kerberos credential cache (ccache) file instead of a password, ex. export
              KRB5CCNAME=/home/user/current.ccache (give an absolute path; a quoted '~' is not expanded)

       --dc-ip IP or Host
              IP or FQDN of DC

   Command Execution:
              Options for executing commands on the specified host

       -x COMMAND
              Execute a command ex. 'ipconfig /all'

       --mode CMDMODE
              Set the execution method, wmi or psexec, default wmi

   Share drive search:
              Options for searching/enumerating the filesystem of the specified host

       -L     List all drives on the specified host, requires ADMIN rights.

       -r [PATH]
              Recursively list dirs and files (no share\path lists the root of ALL shares), ex. 'email/backup'

       -g FILE
              Output  to  a  file  in a grep friendly format, used with -r (otherwise it outputs nothing), ex -g
              grep_out.txt

       --csv FILE
              Output to a CSV file, ex --csv shares.csv

       --dir-only
              List only directories, omit files

       --no-write-check
              Skip check to see if drive grants WRITE access

       -q     Quiet verbose output. Only shows shares you have READ or WRITE on,  and  suppresses  file  listing
              when performing a search (-A).

       --depth DEPTH
              Traverse a directory tree to a specific depth. Default is 1 (root node).

       --exclude SHARE [SHARE ...]
              Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$

       -A PATTERN
              Define  a  file name pattern (regex) that auto downloads a file on a match (requires -r), not case
              sensitive, ex '(web|global).(asax|config)'

   File Content Search:
              Options for searching the content of files (must run as root); experimental

       -F PATTERN
              File content search, ex. -F '[Pp]assword' (requires admin access to execute commands, and
              PowerShell on the victim host)

       --search-path PATH
              Specify drive/path to search (used with -F, default C:\Users), ex. 'D:\HR\'

       --search-timeout TIMEOUT
              Specify a timeout (in seconds) before the file search job gets killed. Default is 300 seconds

   Filesystem interaction:
              Options for interacting with the specified host's filesystem

       --download PATH
              Download a file from the remote system, ex. 'C$\temp\passwords.txt'

       --upload SRC DST
              Upload a file to the remote system, ex. '/tmp/payload.exe C$\temp\payload.exe'

       --delete PATH_TO_FILE
              Delete a remote file, ex. 'C$\temp\msf.exe'

       --skip Skip delete file confirmation prompt

EXAMPLES

       smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
       smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
       smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
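       The following shell script is an added example; it is not part of smbmap or of this manual page. It
       wraps the invocations above the way an operator would in a sweep: it normalises the -p argument so that
       a bare NT hash (as copied from a credential dump) becomes the LMHASH:NTHASH form the tool expects, using
       the empty-password LM hash from the second example above; it runs smbmap with the non-interactive flags;
       and it reduces the share table that smbmap prints to the shares that grant WRITE. The helper names
       (normalise_secret, run_smbmap, parse_share_table, writable_shares, sweep_writable) and the embedded
       share table are this example's own; the table is constructed to match the usual smbmap layout (Disk,
       Permissions, Comment columns), so check the parser against a live run before relying on it.

```sh
#!/bin/sh
# Added example, not part of smbmap. Helper names and the sample share
# table below are this example's own; the table is constructed to match
# smbmap's usual "Disk / Permissions / Comment" layout.

# LM hash of the empty password: used as the left half of LMHASH:NTHASH
# when only an NT hash is available (same value as in the EXAMPLES above).
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'

# Turn whatever the operator has (password, LM:NT pair, or bare NT hash)
# into the string -p expects. A bare 32-hex NT hash gets the empty LM half.
normalise_secret() {
    if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$'; then
        printf '%s\n' "$1"                      # already LMHASH:NTHASH
    elif printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        printf '%s:%s\n' "$EMPTY_LM" "$1"       # bare NT hash: add empty LM half
    else
        printf '%s\n' "$1"                      # plain password, passed through
    fi
}

# Run smbmap once against a host. Every value is a separate, double-quoted
# argument so that passwords with spaces or shell metacharacters survive.
# --no-banner/--no-color/--no-update keep the output parseable.
run_smbmap() {
    host="$1"; user="$2"; secret="$3"; domain="${4:-WORKGROUP}"
    smbmap --no-banner --no-color --no-update -d "$domain" -u "$user" \
           -p "$(normalise_secret "$secret")" -H "$host"
}

# Reduce smbmap's share table (read from stdin) to "share<TAB>permission"
# lines. Permission strings are matched as whole phrases because
# "READ, WRITE" and "READ ONLY" both contain "READ".
parse_share_table() {
    awk '
    /^[ \t]+(Disk|----)/ { next }           # column header and underline
    /NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE/ {
        perm = "NO ACCESS"
        if (index($0, "READ, WRITE"))     perm = "READ, WRITE"
        else if (index($0, "READ ONLY"))  perm = "READ ONLY"
        else if (index($0, "WRITE ONLY")) perm = "WRITE ONLY"
        printf "%s\t%s\n", $1, perm         # $1 is the share name
    }'
}

# Keep only shares where the current user can write.
writable_shares() {
    parse_share_table | awk -F'\t' '$2 ~ /WRITE/ { print $1 }'
}

# Sweep a host list: usage  sweep_writable hosts.txt USER SECRET [DOMAIN]
# Output is "host<TAB>share" for every writable share found.
sweep_writable() {
    hosts="$1"; user="$2"; secret="$3"; domain="$4"
    while read -r h; do
        [ -n "$h" ] || continue
        run_smbmap "$h" "$user" "$secret" "$domain" | writable_shares \
            | awk -v h="$h" '{ print h "\t" $0 }'
    done < "$hosts"
}

# Constructed sample of smbmap output for one host (not a real capture).
SAMPLE_OUTPUT='[+] IP: 192.168.0.1:445    Name: fileserver.corp.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      READ, WRITE     Default share
        IPC$                                                    READ ONLY       Remote IPC
        HR                                                      WRITE ONLY      Drop box
        Public                                                  READ ONLY       Everyone'

# Stand-alone demonstration on the sample: prints the writable shares.
printf '%s\n' "$SAMPLE_OUTPUT" | writable_shares
```

       Against live targets, replace the demonstration line with sweep_writable hosts.txt USER SECRET DOMAIN;
       smbmap's own --host-file does the same sweep, but the wrapper gives one line per writable share that is
       easy to feed into the --upload and --download options above.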

AUTHOR

       smbmap was developed by ShawnDEvans <ShawnDEvans@gmail.com>

       This  manual  page  was  written by Samuel Henrique <samueloph@debian.org> for the Debian project, it was
       based on smbmap -h output and can be used by other projects as well.