# SMB

Start your enumeration with [enum4linux](https://github.com/CiscoCXSecurity/enum4linux.git) or alternative tools to get possible usernames and groups.

## SMBClient

* Use `smbclient` to list the share
```sh
smbclient -L //$TARGET_IP/
```
* The protocol might be dated, try
```sh
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
```

# smbmap

* [Repo](https://github.com/ShawnDEvans/smbmap.git)
* `python3 -m pip install -r requirements.txt`

# Usage
* `-x` execute command on server
* `-s` enumerate share

```sh
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
```

## Enumerate Domain Users

List users of the domain through leaked credentials of an SMB user

```sh
crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
```

Continue trying the found password on the users discovered in the step before

```sh
crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
```

## Enumerate Writeable SMB shares

List writeable SMB shares for found domain users via impacket's psexec

```sh
psexec.py example.com/domain.user@example.com
```

## Download Directories

Single files can be downloaded by any client like smbclient via `get`.
Directories can be downloaded via 

```sh
smbget -R smb://$TARGET_IP/directory
```