-
Notifications
You must be signed in to change notification settings - Fork 384
live smb shareenum command
skelsec edited this page Apr 14, 2021
·
1 revision
Enumerates shares, folders, files on the target(s) over SMB. If no target is specified it will pull the list of targets via LDAP.
This is extremely loud. Like... SIEMS melting down loud.
Be careful what you ask for. You usually don't want to enumerate every single file/folder on the target machine with security descriptors. While the tool will do what you ask of it please note that you can't know up front what you will find on the targets.
Also if you mess up the connection URL you will get your account locked out.
- Domain joined computer
- Executed under a domain user
None
-
--authemethod
: You may choose betweenntlm
orkerberos
authentication. Kerberos authentication will not work when IP address is supplied as target. Default:ntlm
-
--protocol-version
: You may choose to setup your connection using SMB2 or SMB3. SMB3 will be slow if there are not crypto libraries installed. Default: 2 -
--json
: Output results in JSON format. One json entry per line. The whole file is not following the JSOn specs (so you can stop the enum and still have data) -
--tsv
: Output results in TSV format. -
-t
or--target
: List of targets. This can be a file or a single IP or an IPnetwork or a hostname. Or multiple of them :) If not specified then the only target enumerated will be the one specified in the URL -
--skip-ldap
: Will skip LDAP enumeration of targets. -
-w
or--worker-count
: The amount of parallel workers performing the enum. Regardless of the amount, only one worker will be used per host to avoid machines melting -
--depth
: The maximum level of the directory tree to perform the enum in. Default: 3 -
--maxitems
: The maximum amount of files/folders to enumerate in one folder. Default: unlimited -
--dirsd
: Enumerate the security descriptors for folders. Default: No. -
--filesd
: Enumerate the security descriptors for files. Default: No. -
--progress
: Show progress bar. Use this combined with-o
-
-o
or--outfile
: Writes the secrets to the specified file -
--max-runtime
: Maximum runtime per host (in seconds) -
--es
or--exclude-share
: Do not enumerate the shares with this name -
--ed
or--exclude-dir
: Do not enumerate the directories with this name -
--ef
or--exclude-file
: Do not enumerate the files with this name -
-v
: Verbosity
-
pypykatz smb shareenum 'smb2+ntlm-password://TEST\victim:[email protected]'
: Enumerates all shares/folders/files on host10.10.10.2
with the maximum depth of 3. Prints results to the command line.