smbclient Cheat Sheet
SMB/CIFS client for share enumeration, file access, and null-session testing on authorized Windows hosts.
Overview
smbclient connects to Windows/Samba shares for listing, upload/download, and authenticated access during authorized AD and Windows assessments.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y smbclientEssential commands
List shares (null session if allowed)
smbclient -L //target.example -NConnect to share
smbclient //target.example/SHARE -U 'DOMAIN\user%password'Common workflows
Enumerate shares and access —
smbclient -L //10.10.10.5 -Nsmbclient -L //10.10.10.5 -U 'guest'smbclient //10.10.10.5/C$ -U 'administrator%Password123'Interactive session commands —
smb: \> lssmb: \> cd Documentssmb: \> get secrets.txtsmb: \> put shell.exesmb: \> recurse ONsmb: \> mget *.txtsmb: \> exitOne-shot command —
smbclient //10.10.10.5/IPC$ -U 'user%pass' -c 'help'echo "ls" | smbclient //10.10.10.5/Data -U 'user%pass'SMB1 / signing options —
smbclient //10.10.10.5/SHARE -U 'user%pass' --option='client min protocol=NT1'smbclient //10.10.10.5/SHARE -U 'user%pass' -m SMB3Pass-the-hash (impacket often preferred) —
smbclient //10.10.10.5/C$ -U 'administrator' --pw-nt-hash NTHASHFlags reference
-L | List shares |
|---|---|
-N | No password (null session) |
-U USER%PASS | Credentials |
-W DOMAIN | Workgroup/domain |
-c CMD | Execute command(s) |
-m PROTO | Max protocol (SMB2, SMB3) |
-p PORT | Port (445 default) |
--pw-nt-hash | NTLM hash instead of password |
-d DEBUG | Debug level |
Tips
- Pair with enum4linux-ng, crackmapexec smb, or netexec smb for broader enumeration.
- IPC$ often allows session setup even when data shares are restricted.
- Document share permissions; C$ / ADMIN$ imply high privilege.
- Modern networks may block SMB from internet—test from internal pivot host.