smbclient : Backtrack 5: Non Menu Items: CLI Commands: smbclient

The smbclient command line application included in Backtrack Linux is a staple for pentesting. I would imagine anyone that has done a pentest has used it to quickly verify SMB (Server Message Block) or CIFS (Common Internet File System) shares. The smbclient manpage describes it as a FTP-like client to access SMB/CIFS resources on servers. Below we describe varios smbclient commands in details to provide a basic understanding of its capabilities and what output will look like when using this tool in Backtrack Linux.

The current smbclient version installed on Backtrack version 5 release 3 is smbclient version 3.4.7. The smbclient application is located in the /usr/bin directory. The below smbclient examples show some of the many uses of smbclient including remote SMB/CIFS share information, interaction with SMB/CIFS shares via login to remote server, and file transfers using SMB/CIFS shares.

[expand title=”smbclient Help Menu”]
root@bt:~# smbclient –help
Usage: smbclient service -R, –name-resolve=NAME-RESOLVE-ORDER Use these name resolution services only
-M, –message=HOST Send message
-I, –ip-address=IP Use this IP to connect to
-E, –stderr Write messages to stderr instead of stdout
-L, –list=HOST Get a list of shares available on a host
-t, –terminal=CODE Terminal I/O code {sjis|euc|jis7|jis8|junet|hex}
-m, –max-protocol=LEVEL Set the max protocol level
-T, –tar=<c|x>IXFqgbNan Command line tar
-D, –directory=DIR Start from directory
-c, –command=STRING Execute semicolon separated commands
-b, –send-buffer=BYTES Changes the transmit/send buffer
-p, –port=PORT Port to connect to
-g, –grepable Produce grepable output
-B, –browse Browse SMB servers using DNS

Help options:
-?, –help Show this help message
–usage Display brief usage message

Common samba options:
-d, –debuglevel=DEBUGLEVEL Set debug level
-s, –configfile=CONFIGFILE Use alternate configuration file
-l, –log-basename=LOGFILEBASE Base name for log files
-V, –version Print version

Connection options:
-O, –socket-options=SOCKETOPTIONS socket options to use
-n, –netbiosname=NETBIOSNAME Primary netbios name
-W, –workgroup=WORKGROUP Set the workgroup name
-i, –scope=SCOPE Use this Netbios scope

Authentication options:
-U, –user=USERNAME Set the network username
-N, –no-pass Don’t ask for a password
-k, –kerberos Use kerberos (active directory) authentication
-A, –authentication-file=FILE Get the credentials from a file
-S, –signing=on|off|required Set the client signing state
-P, –machine-pass Use stored machine account password
-e, –encrypt Encrypt SMB transport (UNIX extended servers only)
root@bt:~#
[/expand]

smbclient Usage Menu:

root@bt:~# smbclient --usage
Usage: smbclient [-?EgBVNkPe] [-?|--help] [--usage] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST] [-I|--ip-address=IP]
[-E|--stderr] [-L|--list=HOST] [-t|--terminal=CODE] [-m|--max-protocol=LEVEL] [-T|--tar=<c|x>IXFqgbNan] [-D|--directory=DIR]
[-c|--command=STRING] [-b|--send-buffer=BYTES] [-p|--port=PORT] [-g|--grepable] [-B|--browse] [-d|--debuglevel=DEBUGLEVEL]
[-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version] [-O|--socket-options=SOCKETOPTIONS]
[-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE] [-U|--user=USERNAME] [-N|--no-pass] [-k|--kerberos]
[-A|--authentication-file=FILE] [-S|--signing=on|off|required] [-P|--machine-pass] [-e|--encrypt] service <password>
root@bt:~#

It should be noted that all SMB/CIFS traffic is plain text and could easily be viewed via any form of network packet monitoring unless specifically specified with the smbclient -e switch. It is likely that you would only find encryption support on Linux servers with SMB file shares.

The first couple of examples below show smbclient being used to query remote servers to enumerate details of SMB/CIFS shares. Note the –no-pass switch that can be used to query remote servers to see if SMB/CIFS shares are open to the world. The second example below queries a server with file shares that require a password so the first query to that device returns no available shares but the third example authenticates using a known username and password which then returns available SMB/CIFS network shares on the Windows 7 server.

smbclient: List Remote SMB/CIFS Shares That Do Not Require A Password

root@bt:~# smbclient -L /server1/Users -I 192.168.1.245 --no-pass
Domain=[SERVER1] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
D$ Disk Default share
DATA Disk
Drivers Disk
HP Photosmart C5100 series Printer HP Photosmart C5100 series
IPC$ IPC Remote IPC
movies Disk
print$ Disk Printer Drivers
Public Disk
Users Disk
Domain=[SERVER1] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@bt:~#

smbclient: Attempt To List Unprotected SMB/CIFS Shares Without Success

root@bt:~# smbclient -L 192.168.1.75 --no-pass -p 445
Anonymous login successful
Domain=[CORP] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
session request to 192.168.1.75 failed (Called name not present)
session request to 192 failed (Called name not present)
session request to *SMBSERVER failed (Called name not present)
NetBIOS over TCP disabled -- no workgroup available
root@bt:~#

The request above was unsuccessful because the file shares on 192.168.1.75 require authentication to query information or connection as shown in the below example output where a username and password are used to display the available file shares on the Windows 7 server.

smbclient: List Protected SMB/CIFS Shares By Authenticating With A User/Pass

root@bt:~# smbclient -L 192.168.1.75 -U alex -p 445
Enter alex's password:
Domain=[SERVER2] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
downloads Disk
IPC$ IPC Remote IPC
Q$ Disk Default share
Users Disk
session request to 192.168.1.75 failed (Called name not present)
session request to 192 failed (Called name not present)
session request to *SMBSERVER failed (Called name not present)
NetBIOS over TCP disabled -- no workgroup available
root@bt:~#

Those are the primary informational smbclient queries but that is only the tip of the iceberg in terms of smbclient capabilities. Next we show a couple examples of making connections to remote servers using smbclient and then interacting with the remote server either by file manipulation, information gathering, or transferring data to/from the server. The below output captures an entire session of a connection to a remote server using smbclient and numerous tasks such as listing files on the server, gathering information from the server, and transferring data to and from the server.

smbclient: SMB Command Prompt Capabilities

root@bt:~# smbclient //192.168.1.75/downloads -U alex -p 445
Enter alex's password:
Domain=[SERVER2] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
smb: \>
smb: \> ?
? allinfo altname archive blocksize
cancel case_sensitive cd chmod chown
close del dir du echo
exit get getfacl hardlink help
history iosize lcd link lock
lowercase ls l mask md
mget mkdir more mput newer
open posix posix_encrypt posix_open posix_mkdir
posix_rmdir posix_unlink print prompt put
pwd q queue quit rd
recurse reget rename reput rm
rmdir showacls setmode stat symlink
tar tarmode translate unlock volume
vuid wdel logon listconnect showconnect
.. !
smb: \>
smb: \> ? lock
HELP lock:
lock <fnum> [r|w] <hex-start> <hex-len> : set a POSIX lock
smb: \>
smb: \> listconnect
0: server=192.168.1.75, share=downloads
smb: \>
smb: \> showconnect
//192.168.1.75/downloads
smb: \>
smb: \> altname mseinstall.exe
MSEINS~1.EXE
smb: \>
smb: \> allinfo Console-2
altname: CONSOL~1
create_time: Wed 09 May 2012 06:53:45 PM EDT EDT
access_time: Wed 09 May 2012 06:53:45 PM EDT EDT
write_time: Wed 09 May 2012 06:53:45 PM EDT EDT
change_time: Wed 09 May 2012 06:53:45 PM EDT EDT
NT_STATUS_OK getting streams for \Console-2
smb: \>
smb: \> du DynUpSetup.exe
59609 blocks of size 33554432. 53257 blocks available
Total number of bytes: 897520
smb: \>
smb: \> mkdir SMBCLIENTTESTDIR
smb: \>
smb: \> dir SMBC*
SMBCLIENTTESTDIR D 0 Thu Dec 07 21:36:19 2012
59609 blocks of size 33554432. 53257 blocks available
smb: \>
smb: \> cd SMBCLIENTTESTDIR
smb: \SMBCLIENTTESTDIR\> dir
. D 0 Thu Dec 27 21:36:19 2012
.. D 0 Thu Dec 27 21:36:19 2012
59609 blocks of size 33554432. 53257 blocks available
smb: \SMBCLIENTTESTDIR\> put desktop.ini
putting file desktop.ini as \SMBCLIENTTESTDIR\desktop.ini (85.0 kb/s) (average 85.0 kb/s)
smb: \SMBCLIENTTESTDIR\> dir
. D 0 Thu Dec 07 21:37:29 2012
.. D 0 Thu Dec 07 21:37:29 2012
desktop.ini A 174 Thu Dec 07 21:37:29 2012
59609 blocks of size 33554432. 53257 blocks available
smb: \SMBCLIENTTESTDIR\> rm desktop.ini
smb: \SMBCLIENTTESTDIR\> dir
. D 0 Thu Dec 07 21:37:40 2012
.. D 0 Thu Dec 07 21:37:40 2012
59609 blocks of size 33554432. 53257 blocks available
smb: \SMBCLIENTTESTDIR\> cd ../
smb: \> rmdir SMBCLIENTTESTDIR
smb: \> dir SMBC*
NT_STATUS_NO_SUCH_FILE listing \SMBC*
59609 blocks of size 33554432. 53257 blocks available
smb: \>

A brief summary of the above interaction with the remote Windows 7 server using the smb command line is detailed in the list below including the command issued and a very brief explanation of what it does.

? – lists the smb prompt help menu
? lock – question mark <command> provides details about any of the available commands within the smb command line
listconnect – will provide a list of open connections to the server
showconnect – provides details about your connection to the server
altname mseinstall.exe – provides the alternative name to a filename if an alternative name exists which it does in the case of the mseinstall.exe file
allinfo Console-2 – provides all available details about a file which in this case is the Console-2 file
du DynSetup.exe – provides file size information and total directory size information in this case DynSetup.exe represents 59609 blocks of the 33554432 blocks in the directory
mkdir SMBCLIENTTESTDIR – create a directory by the name of SMBCLIENTTESTDIR
dir SMBC* – the dir command will list all contents in the current directory unless string is passed then it will list files named by the string or if the * is used its a wildcard
cd SMBCLIENTTESTDIR – change directory into the previously created directory
dir – show that the newly created directory is empty by listing its contents
put desktop.ini – upload a file located in the directory from which the initial smbclient command was issued which in this case uploads desktop.ini
dir – list directory contents which in this case shows the newly uploaded desktop.ini
rm desktop.ini – remove a file so in this case we are deleting the file we just uploaded, wanted to show how easy it is for remote file manipulation
cd ../ – change directory up one level to the initial directory
rmdir SMBCLIENTTESTDIR – remove a directory which in this case is the SMBCLIENTTESTDIR we initially created, again easily manipulating the remote file system
dir SMBC* – confirming there are no files or directories that start with SMBC left in the current directory

The above commands issued summary is only a portion of the available commands but demonstrates fairly well how powerful smbclient can be especially when encountering unprotected SMB/CIFS file shares. An attacker could literally wreck a server via SMB if it is not configured properly. Now in the last set of examples we show how you can transfer files to and from a server using smbclient. Both of the below examples are perfect for scripting so if you wanted to create a loop to try to post a file to every server in a /24 network or something.

smbclient: Download File From Password Protected CIFS File Share

root@bt:~/downloads# smbclient //server2/downloads -U alex -I 192.168.1.75 -c "get hash-generator.pl"
Enter alex's password:
Domain=[SERVER2] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
getting file \hash-generator.pl of size 10502 as hash-generator.pl (5127.7 KiloBytes/sec) (average 5127.9 KiloBytes/sec)
root@bt:~/downloads#

smbclient: Upload File To Unprotected CIFS File Share

root@bt:~/downloads# smbclient //server1/Public --no-pass -I 192.168.1.245 -c "put evil-script.exe"
Domain=[SERVER1] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
putting file evil-script.exe as \evil-script.exe (16.8 kb/s) (average 16.8 kb/s)
root@bt:~/downloads#

You should now have a good overview of the smbclient command line application capabilities but don’t forget to run “man smbclient” to obtain even more details about each of the available switches available to smbclient on Backtrack Linux. If anyone has any other useful smbclient commands please list them in the comments below because I feel like I am always finding out something else that smbclient is useful for!