The smbclient command line application included in Backtrack Linux is a staple for pentesting. I would imagine anyone that has done a pentest has used it to quickly verify SMB (Server Message Block) or CIFS (Common Internet File System) shares. The smbclient manpage describes it as a FTP-like client to access SMB/CIFS resources on servers. Below we describe varios smbclient commands in details to provide a basic understanding of its capabilities and what output will look like when using this tool in Backtrack Linux.
The current smbclient version installed on Backtrack version 5 release 3 is smbclient version 3.4.7. The smbclient application is located in the /usr/bin directory. The below smbclient examples show some of the many uses of smbclient including remote SMB/CIFS share information, interaction with SMB/CIFS shares via login to remote server, and file transfers using SMB/CIFS shares.
[expand title=”smbclient Help Menu”]
root@bt:~# smbclient –help
Usage: smbclient service -R, –name-resolve=NAME-RESOLVE-ORDER Use these name resolution services only
-M, –message=HOST Send message
-I, –ip-address=IP Use this IP to connect to
-E, –stderr Write messages to stderr instead of stdout
-L, –list=HOST Get a list of shares available on a host
-t, –terminal=CODE Terminal I/O code {sjis|euc|jis7|jis8|junet|hex}
-m, –max-protocol=LEVEL Set the max protocol level
-T, –tar=<c|x>IXFqgbNan Command line tar
-D, –directory=DIR Start from directory
-c, –command=STRING Execute semicolon separated commands
-b, –send-buffer=BYTES Changes the transmit/send buffer
-p, –port=PORT Port to connect to
-g, –grepable Produce grepable output
-B, –browse Browse SMB servers using DNS
Help options:
-?, –help Show this help message
–usage Display brief usage message
Common samba options:
-d, –debuglevel=DEBUGLEVEL Set debug level
-s, –configfile=CONFIGFILE Use alternate configuration file
-l, –log-basename=LOGFILEBASE Base name for log files
-V, –version Print version
Connection options:
-O, –socket-options=SOCKETOPTIONS socket options to use
-n, –netbiosname=NETBIOSNAME Primary netbios name
-W, –workgroup=WORKGROUP Set the workgroup name
-i, –scope=SCOPE Use this Netbios scope
Authentication options:
-U, –user=USERNAME Set the network username
-N, –no-pass Don’t ask for a password
-k, –kerberos Use kerberos (active directory) authentication
-A, –authentication-file=FILE Get the credentials from a file
-S, –signing=on|off|required Set the client signing state
-P, –machine-pass Use stored machine account password
-e, –encrypt Encrypt SMB transport (UNIX extended servers only)
root@bt:~#
[/expand]
smbclient Usage Menu:
- root@bt:~# smbclient --usage
- Usage: smbclient [-?EgBVNkPe] [-?|--help] [--usage] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST] [-I|--ip-address=IP]
- [-E|--stderr] [-L|--list=HOST] [-t|--terminal=CODE] [-m|--max-protocol=LEVEL] [-T|--tar=<c|x>IXFqgbNan] [-D|--directory=DIR]
- [-c|--command=STRING] [-b|--send-buffer=BYTES] [-p|--port=PORT] [-g|--grepable] [-B|--browse] [-d|--debuglevel=DEBUGLEVEL]
- [-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version] [-O|--socket-options=SOCKETOPTIONS]
- [-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE] [-U|--user=USERNAME] [-N|--no-pass] [-k|--kerberos]
- [-A|--authentication-file=FILE] [-S|--signing=on|off|required] [-P|--machine-pass] [-e|--encrypt] service <password>
- root@bt:~#
It should be noted that all SMB/CIFS traffic is plain text and could easily be viewed via any form of network packet monitoring unless specifically specified with the smbclient -e switch. It is likely that you would only find encryption support on Linux servers with SMB file shares.
The first couple of examples below show smbclient being used to query remote servers to enumerate details of SMB/CIFS shares. Note the –no-pass switch that can be used to query remote servers to see if SMB/CIFS shares are open to the world. The second example below queries a server with file shares that require a password so the first query to that device returns no available shares but the third example authenticates using a known username and password which then returns available SMB/CIFS network shares on the Windows 7 server.
smbclient: List Remote SMB/CIFS Shares That Do Not Require A Password
- root@bt:~# smbclient -L /server1/Users -I 192.168.1.245 --no-pass
- Domain=[SERVER1] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- Sharename Type Comment
- --------- ---- -------
- ADMIN$ Disk Remote Admin
- C$ Disk Default share
- D$ Disk Default share
- DATA Disk
- Drivers Disk
- HP Photosmart C5100 series Printer HP Photosmart C5100 series
- IPC$ IPC Remote IPC
- movies Disk
- print$ Disk Printer Drivers
- Public Disk
- Users Disk
- Domain=[SERVER1] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- Server Comment
- --------- -------
- Workgroup Master
- --------- -------
- root@bt:~#
smbclient: Attempt To List Unprotected SMB/CIFS Shares Without Success
- root@bt:~# smbclient -L 192.168.1.75 --no-pass -p 445
- Anonymous login successful
- Domain=[CORP] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- Sharename Type Comment
- --------- ---- -------
- Error returning browse list: NT_STATUS_ACCESS_DENIED
- session request to 192.168.1.75 failed (Called name not present)
- session request to 192 failed (Called name not present)
- session request to *SMBSERVER failed (Called name not present)
- NetBIOS over TCP disabled -- no workgroup available
- root@bt:~#
The request above was unsuccessful because the file shares on 192.168.1.75 require authentication to query information or connection as shown in the below example output where a username and password are used to display the available file shares on the Windows 7 server.
smbclient: List Protected SMB/CIFS Shares By Authenticating With A User/Pass
- root@bt:~# smbclient -L 192.168.1.75 -U alex -p 445
- Enter alex's password:
- Domain=[SERVER2] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- Sharename Type Comment
- --------- ---- -------
- ADMIN$ Disk Remote Admin
- C$ Disk Default share
- downloads Disk
- IPC$ IPC Remote IPC
- Q$ Disk Default share
- Users Disk
- session request to 192.168.1.75 failed (Called name not present)
- session request to 192 failed (Called name not present)
- session request to *SMBSERVER failed (Called name not present)
- NetBIOS over TCP disabled -- no workgroup available
- root@bt:~#
Those are the primary informational smbclient queries but that is only the tip of the iceberg in terms of smbclient capabilities. Next we show a couple examples of making connections to remote servers using smbclient and then interacting with the remote server either by file manipulation, information gathering, or transferring data to/from the server. The below output captures an entire session of a connection to a remote server using smbclient and numerous tasks such as listing files on the server, gathering information from the server, and transferring data to and from the server.
smbclient: SMB Command Prompt Capabilities
- root@bt:~# smbclient //192.168.1.75/downloads -U alex -p 445
- Enter alex's password:
- Domain=[SERVER2] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- smb: \>
- smb: \> ?
- ? allinfo altname archive blocksize
- cancel case_sensitive cd chmod chown
- close del dir du echo
- exit get getfacl hardlink help
- history iosize lcd link lock
- lowercase ls l mask md
- mget mkdir more mput newer
- open posix posix_encrypt posix_open posix_mkdir
- posix_rmdir posix_unlink print prompt put
- pwd q queue quit rd
- recurse reget rename reput rm
- rmdir showacls setmode stat symlink
- tar tarmode translate unlock volume
- vuid wdel logon listconnect showconnect
- .. !
- smb: \>
- smb: \> ? lock
- HELP lock:
- lock <fnum> [r|w] <hex-start> <hex-len> : set a POSIX lock
- smb: \>
- smb: \> listconnect
- 0: server=192.168.1.75, share=downloads
- smb: \>
- smb: \> showconnect
- //192.168.1.75/downloads
- smb: \>
- smb: \> altname mseinstall.exe
- MSEINS~1.EXE
- smb: \>
- smb: \> allinfo Console-2
- altname: CONSOL~1
- create_time: Wed 09 May 2012 06:53:45 PM EDT EDT
- access_time: Wed 09 May 2012 06:53:45 PM EDT EDT
- write_time: Wed 09 May 2012 06:53:45 PM EDT EDT
- change_time: Wed 09 May 2012 06:53:45 PM EDT EDT
- NT_STATUS_OK getting streams for \Console-2
- smb: \>
- smb: \> du DynUpSetup.exe
- 59609 blocks of size 33554432. 53257 blocks available
- Total number of bytes: 897520
- smb: \>
- smb: \> mkdir SMBCLIENTTESTDIR
- smb: \>
- smb: \> dir SMBC*
- SMBCLIENTTESTDIR D 0 Thu Dec 07 21:36:19 2012
- 59609 blocks of size 33554432. 53257 blocks available
- smb: \>
- smb: \> cd SMBCLIENTTESTDIR
- smb: \SMBCLIENTTESTDIR\> dir
- . D 0 Thu Dec 27 21:36:19 2012
- .. D 0 Thu Dec 27 21:36:19 2012
- 59609 blocks of size 33554432. 53257 blocks available
- smb: \SMBCLIENTTESTDIR\> put desktop.ini
- putting file desktop.ini as \SMBCLIENTTESTDIR\desktop.ini (85.0 kb/s) (average 85.0 kb/s)
- smb: \SMBCLIENTTESTDIR\> dir
- . D 0 Thu Dec 07 21:37:29 2012
- .. D 0 Thu Dec 07 21:37:29 2012
- desktop.ini A 174 Thu Dec 07 21:37:29 2012
- 59609 blocks of size 33554432. 53257 blocks available
- smb: \SMBCLIENTTESTDIR\> rm desktop.ini
- smb: \SMBCLIENTTESTDIR\> dir
- . D 0 Thu Dec 07 21:37:40 2012
- .. D 0 Thu Dec 07 21:37:40 2012
- 59609 blocks of size 33554432. 53257 blocks available
- smb: \SMBCLIENTTESTDIR\> cd ../
- smb: \> rmdir SMBCLIENTTESTDIR
- smb: \> dir SMBC*
- NT_STATUS_NO_SUCH_FILE listing \SMBC*
- 59609 blocks of size 33554432. 53257 blocks available
- smb: \>
A brief summary of the above interaction with the remote Windows 7 server using the smb command line is detailed in the list below including the command issued and a very brief explanation of what it does.
- ? – lists the smb prompt help menu
- ? lock – question mark <command> provides details about any of the available commands within the smb command line
- listconnect – will provide a list of open connections to the server
- showconnect – provides details about your connection to the server
- altname mseinstall.exe – provides the alternative name to a filename if an alternative name exists which it does in the case of the mseinstall.exe file
- allinfo Console-2 – provides all available details about a file which in this case is the Console-2 file
- du DynSetup.exe – provides file size information and total directory size information in this case DynSetup.exe represents 59609 blocks of the 33554432 blocks in the directory
- mkdir SMBCLIENTTESTDIR – create a directory by the name of SMBCLIENTTESTDIR
- dir SMBC* – the dir command will list all contents in the current directory unless string is passed then it will list files named by the string or if the * is used its a wildcard
- cd SMBCLIENTTESTDIR – change directory into the previously created directory
- dir – show that the newly created directory is empty by listing its contents
- put desktop.ini – upload a file located in the directory from which the initial smbclient command was issued which in this case uploads desktop.ini
- dir – list directory contents which in this case shows the newly uploaded desktop.ini
- rm desktop.ini – remove a file so in this case we are deleting the file we just uploaded, wanted to show how easy it is for remote file manipulation
- cd ../ – change directory up one level to the initial directory
- rmdir SMBCLIENTTESTDIR – remove a directory which in this case is the SMBCLIENTTESTDIR we initially created, again easily manipulating the remote file system
- dir SMBC* – confirming there are no files or directories that start with SMBC left in the current directory
The above commands issued summary is only a portion of the available commands but demonstrates fairly well how powerful smbclient can be especially when encountering unprotected SMB/CIFS file shares. An attacker could literally wreck a server via SMB if it is not configured properly. Now in the last set of examples we show how you can transfer files to and from a server using smbclient. Both of the below examples are perfect for scripting so if you wanted to create a loop to try to post a file to every server in a /24 network or something.
smbclient: Download File From Password Protected CIFS File Share
- root@bt:~/downloads# smbclient //server2/downloads -U alex -I 192.168.1.75 -c "get hash-generator.pl"
- Enter alex's password:
- Domain=[SERVER2] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- getting file \hash-generator.pl of size 10502 as hash-generator.pl (5127.7 KiloBytes/sec) (average 5127.9 KiloBytes/sec)
- root@bt:~/downloads#
smbclient: Upload File To Unprotected CIFS File Share
- root@bt:~/downloads# smbclient //server1/Public --no-pass -I 192.168.1.245 -c "put evil-script.exe"
- Domain=[SERVER1] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
- putting file evil-script.exe as \evil-script.exe (16.8 kb/s) (average 16.8 kb/s)
- root@bt:~/downloads#
You should now have a good overview of the smbclient command line application capabilities but don’t forget to run “man smbclient” to obtain even more details about each of the available switches available to smbclient on Backtrack Linux. If anyone has any other useful smbclient commands please list them in the comments below because I feel like I am always finding out something else that smbclient is useful for!
