# SMB

## SMBClient

* Use `smbclient` to list the shares:
```sh
smbclient -L //$TARGET_IP/
```
* The server's protocol version might be dated; if so, lower the client's minimum protocol:
```sh
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
```

## smbmap

* [Repo](https://github.com/ShawnDEvans/smbmap.git)
* Install the dependencies: `python3 -m pip install -r requirements.txt`

### Usage

* `-x` execute command on server
* `-s` enumerate share

```sh
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
```

## Enumerate Domain Users

List the users of the domain through leaked credentials of an SMB user:
```sh
crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
```

Then try the found password against the users discovered in the previous step:
```sh
crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
```
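
Seen from the defending side, the two steps above leave a recognisable trail: one source attempting network logons against many distinct accounts within a short time. The following is an added example, not part of the original notes, that flags this pattern in Windows logon events (4625 failed, 4624 successful, logon type 3). The CSV layout, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp,event_id,logon_type,source_ip,target_user"
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (e.g. SMB).
SAMPLE_EVENTS = """\
2024-01-01T10:00:00,4625,3,192.0.2.50,alice
2024-01-01T10:00:01,4625,3,192.0.2.50,bob
2024-01-01T10:00:02,4625,3,192.0.2.50,carol
2024-01-01T10:00:03,4624,3,192.0.2.50,dave
2024-01-01T10:00:04,4625,3,192.0.2.50,erin
2024-01-01T10:05:00,4625,3,198.51.100.7,alice
2024-01-01T10:05:30,4625,3,198.51.100.7,alice
2024-01-01T10:06:00,4624,3,198.51.100.7,alice
2024-01-01T11:00:00,4625,2,192.0.2.50,frank
"""

def parse(lines):
    """Yield (timestamp, event_id, logon_type, source_ip, user) per log line."""
    for line in lines.splitlines():
        ts, event_id, logon_type, src, user = line.strip().split(",")
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), src, user.lower()

def detect_spray(lines, min_users=4, window=timedelta(minutes=5)):
    """Return {source_ip: {"users": [...], "succeeded": [...]}} for sources that
    tried at least min_users distinct accounts over the network within window."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in parse(lines):
        if logon_type == 3 and event_id in (4624, 4625):
            by_src[src].append((ts, event_id, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {u for _, _, u in burst}
            if len(users) >= min_users and any(e == 4625 for _, e, _ in burst):
                hit = alerts.setdefault(src, {"users": set(), "succeeded": set()})
                hit["users"] |= users
                # A success inside the burst marks an account to reset first.
                hit["succeeded"] |= {u for _, e, u in burst if e == 4624}
    return {s: {k: sorted(v) for k, v in a.items()} for s, a in alerts.items()}

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(src, info)
```

A single user mistyping a password (the `198.51.100.7` lines) stays below the distinct-account threshold and is not flagged.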

## Enumerate Writeable SMB shares

List writeable SMB shares for found domain users via Impacket's psexec:
```sh
psexec.py example.com/domain.user@example.com
```