smb shareenum command

skelsec edited this page Apr 13, 2021 · 3 revisions

What it does

Enumerates shares, folders and files on the target(s) over SMB. When an LDAP connection string is specified, it can pull the list of target hosts via LDAP.

Remarks

This is extremely loud. Like... SIEMs melting down loud.
Be careful what you ask for. You usually don't want to enumerate every single file/folder on the target machine with security descriptors. While the tool will do what you ask of it, please note that you can't know up front what you will find on the targets.
Also, if you mess up the connection URL, you will get your account locked out.
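
The loudness noted above is something a defender can key on. As an added example (not part of pypykatz or this wiki), the sketch below flags any source address that touches shares on several hosts within a short window. The event tuples are constructed and only modelled on Windows Security event 5140 (a network share object was accessed); host names, addresses and thresholds are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, host, share).
# One source walks three shares on three hosts in nine seconds.
SWEEP = [(f"2024-01-01T09:00:{i:02d}", 5140, "10.10.10.50", host, share)
         for i, (host, share) in enumerate(
             (h, s) for h in ("FS01", "FS02", "WS17")
             for s in ("IPC$", "ADMIN$", "C$"))]
# A backup job reaches the same hosts, but hours apart.
BACKUP = [(f"2024-01-01T0{h}:00:00", 5140, "10.10.10.60", host, "Backup$")
          for h, host in ((1, "FS01"), (3, "FS02"), (5, "WS17"))]
# An ordinary user opens two shares on one file server.
USER = [("2024-01-01T09:01:00", 5140, "10.10.10.77", "FS01", "Public"),
        ("2024-01-01T09:02:00", 5140, "10.10.10.77", "FS01", "Home")]
SAMPLE_EVENTS = SWEEP + BACKUP + USER


def find_share_sweeps(events, window=timedelta(minutes=5),
                      min_hosts=3, min_shares=5):
    """Return {source_ip: details} for sources that reach at least
    min_hosts hosts and min_shares distinct (host, share) pairs
    inside any sliding time window of the given length."""
    by_src = defaultdict(list)
    for ts, event_id, src, host, share in events:
        if event_id == 5140:  # share-access events only
            by_src[src].append((datetime.fromisoformat(ts), host, share))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Drop events that fell out of the window ending at rows[end].
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            hosts = {h for _, h, _ in in_window}
            shares = {(h, s) for _, h, s in in_window}
            if len(hosts) >= min_hosts and len(shares) >= min_shares:
                alerts[src] = {"hosts": sorted(hosts),
                               "shares": len(shares),
                               "first_seen": in_window[0][0].isoformat()}
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_share_sweeps(SAMPLE_EVENTS).items():
        print(src, info)
```

Only the sweeping source is reported; the backup job touches the same hosts but never three of them inside one window.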

Requirements

  • A working SMB connection URL

Subcommands

None

Switches

  • url: SMB connection URL. Please consult the Connection URL section
  • --json: Output results in JSON format, one JSON entry per line. The file as a whole does not follow the JSON spec (so you can stop the enum and still have data)
  • --tsv : Output results in TSV format.
  • -t or --target: List of targets. This can be a file, a single IP, an IP network or a hostname. Or multiple of them :) If not specified, the only target enumerated will be the one specified in the URL
  • -l or --ldap: LDAP connection string. If specified, targets will be fetched via LDAP
  • -w or --worker-count: The number of parallel workers performing the enum. Regardless of the number, only one worker will be used per host to avoid machines melting
  • --depth: The maximum level of the directory tree to perform the enum in. Default: 3
  • --maxitems: The maximum number of files/folders to enumerate in one folder. Default: unlimited
  • --dirsd: Enumerate the security descriptors for folders. Default: No.
  • --filesd: Enumerate the security descriptors for files. Default: No.
  • --progress: Show progress bar. Use this combined with -o
  • -o or --outfile : Writes the secrets to the specified file
  • --max-runtime: Maximum runtime per host (in seconds)
  • --es or --exclude-share: Do not enumerate the shares with this name
  • --ed or --exclude-dir: Do not enumerate the directories with this name
  • --ef or --exclude-file: Do not enumerate the files with this name
  • -v: Verbosity

Examples

  • pypykatz smb shareenum 'smb2+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2' : Enumerates all shares/folders/files on host 10.10.10.2 with the maximum depth of 3. Prints results to the command line.