Skip to content

live smb shareenum command

skelsec edited this page Apr 14, 2021 · 1 revision

What it does

Enumerates shares, folders, files on the target(s) over SMB. If no target is specified it will pull the list of targets via LDAP.

Remarks

This is extremely loud. Like... SIEMS melting down loud.
Be careful what you ask for. You usually don't want to enumerate every single file/folder on the target machine with security descriptors. While the tool will do what you ask of it please note that you can't know up front what you will find on the targets.
Also if you mess up the connection URL you will get your account locked out.

Requirements

  • Domain joined computer
  • Executed under a domain user

Subcommands

None

Switches

  • --authemethod: You may choose between ntlm or kerberos authentication. Kerberos authentication will not work when IP address is supplied as target. Default: ntlm
  • --protocol-version : You may choose to setup your connection using SMB2 or SMB3. SMB3 will be slow if there are not crypto libraries installed. Default: 2
  • --json : Output results in JSON format. One json entry per line. The whole file is not following the JSOn specs (so you can stop the enum and still have data)
  • --tsv : Output results in TSV format.
  • -t or --target: List of targets. This can be a file or a single IP or an IPnetwork or a hostname. Or multiple of them :) If not specified then the only target enumerated will be the one specified in the URL
  • --skip-ldap : Will skip LDAP enumeration of targets.
  • -w or --worker-count: The amount of parallel workers performing the enum. Regardless of the amount, only one worker will be used per host to avoid machines melting
  • --depth: The maximum level of the directory tree to perform the enum in. Default: 3
  • --maxitems: The maximum amount of files/folders to enumerate in one folder. Default: unlimited
  • --dirsd: Enumerate the security descriptors for folders. Default: No.
  • --filesd: Enumerate the security descriptors for files. Default: No.
  • --progress: Show progress bar. Use this combined with -o
  • -o or --outfile : Writes the secrets to the specified file
  • --max-runtime: Maximum runtime per host (in seconds)
  • --es or --exclude-share: Do not enumerate the shares with this name
  • --ed or --exclude-dir: Do not enumerate the directories with this name
  • --ef or --exclude-file: Do not enumerate the files with this name
  • -v: Verbosity

Examples

  • pypykatz smb shareenum 'smb2+ntlm-password://TEST\victim:[email protected]' : Enumerates all shares/folders/files on host 10.10.10.2 with the maximum depth of 3. Prints results to the command line.
Clone this wiki locally