smbclient: The Comprehensive Guide

smbclient is a command-line SMB/CIFS client from the Samba suite. Think of it as an FTP-like shell for Windows file shares (and Samba servers). It supports NTLM/Kerberos authentication, SMB2/3, encryption, and both interactive and scripted operation.


Quick Start

# List shares (anonymous / guest attempt)
smbclient -L //TARGET -N
 
# List shares with username (prompt for password)
smbclient -L //TARGET -U alice
 
# Connect to a share interactively
smbclient //TARGET/Share -U alice
 
# One-liner to fetch a file (non-interactive)
smbclient //TARGET/Share -U alice -c "get report.xlsx"
 
# Kerberos (after kinit)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Share -k
 
# Scripted recursive download
smbclient //TARGET/Share -U alice -c "recurse; prompt OFF; mget *"

Installation

  • Debian/Ubuntu: sudo apt install smbclient
  • RHEL/CentOS/Fedora: sudo dnf install samba-client (the package may be samba-client or samba, depending on distro)
  • macOS (Homebrew): brew install samba (binary is smbclient)
  • Windows: Use WSL or a Unix-like environment; native Windows clients include net use and PowerShell cmdlets rather than smbclient.

Core Syntax

smbclient //SERVER/SHARE [options]
smbclient -L //SERVER [options]      # Enumerate shares

Common options you’ll use daily:

  • -L — list shares.
  • -U USER — specify username (-U 'user%pass' to inline password).
  • -N — no password prompt (anonymous/guest).
  • -k — use Kerberos (requires a TGT via kinit); Samba 4.15 and later deprecate -k in favour of --use-kerberos=required.
  • -W DOMAIN — set the domain/Workgroup.
  • -I IP — connect to a specific IP (bypass name resolution).
  • -p PORT — specify port (defaults to 445).
  • -c "CMD; CMD; ..." — run commands non-interactively.
  • -A authfile — auth file with username=, password=, domain=.
  • --option='client min protocol=SMB2' — constrain protocol.
  • --option='client max protocol=SMB3' — constrain protocol.
  • --encrypt — request SMB3 encryption when supported; Samba 4.15 and later deprecate it in favour of --client-protection=encrypt.
  • --pw-nt-hash — use NT hash in place of a password (if supported by your Samba build).

Auth file format (-A):

username=alice
password=Sup3rS3cret!
domain=EXAMPLE

Interactive Command Set (inside smbclient)

Once connected, you get an FTP-style prompt. The most useful commands:

? or help          # list commands
ls, dir            # list directory
cd, lcd            # change remote / local directory
pwd, lpwd          # print remote / local directory
get FILE           # download file
mget PATTERN       # download multiple (respects mask/prompt)
put FILE           # upload file
mput PATTERN       # upload multiple
recurse            # toggle recursion into subdirectories for m* commands (starts off)
prompt             # toggle per-file confirmation for m* commands (starts on)
mask PATTERN       # set a filter (e.g., mask *.docx)
mkdir DIR          # create directory
rmdir DIR          # remove directory
del FILE           # delete file
allinfo FILE       # show metadata on a file
exit, quit         # close session

Examples

# Download an entire share tree
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
 
# Targeted grab by type
smb: \> mask *.xlsx
smb: \> mget *
 
# Upload a file
smb: \> put ./toolkit.ps1 \\Tools\\toolkit.ps1

Typical Workflows

1) Share Enumeration

# Null/guest try
smbclient -L //filesrv01 -N
 
# With creds (domain or local)
smbclient -L //filesrv01 -U EXAMPLE\\alice

2) Browse & Pull Files

# Connect and browse
smbclient //filesrv01/Finance -U EXAMPLE\\alice
 
# Non-interactive one-shot
smbclient //filesrv01/Finance -U alice -c "cd Q4; get budget.xlsx"

3) Kerberos (SSO / no password on CLI)

kinit alice@EXAMPLE.COM
smbclient //filesrv01/Finance -k -c "ls"

4) Use an NT Hash (if supported)

# Useful for testing known hashes without cracking
smbclient //dc01/C$ -U EXAMPLE\\Administrator --pw-nt-hash
# (Will prompt for the 32-hex hash instead of a password)

5) Force Protocols (troubleshooting old/new servers)

# Modern default: require SMB2+
smbclient //old-nas/Public --option='client min protocol=SMB2'
 
# If you MUST talk to legacy SMB1/NT1 (not recommended):
smbclient //very-old-nas/Public --option='client min protocol=NT1' --option='client max protocol=NT1'

6) Encryption

# Request end-to-end encryption (SMB3)
smbclient //filesrv01/Secure -U alice --encrypt -c "ls"

7) Scripting Transfers

# Bash example: nightly pull of reports
smbclient //filesrv01/Reports -A /root/.smbauth -c "recurse; prompt OFF; mget *" \
  && echo "Reports synced at $(date)"

Comparison: smbclient vs. Mounting

  • smbclient: transient, FTP-like, great for quick tasks, enumeration, and scripted copies; runs as your process context.
  • mount.cifs: permanent mount point; integrates with filesystem semantics (useful for apps, rsync, etc.). Requires kernel CIFS module and typically root or proper fstab options.

Authentication Modes

  • Anonymous/Guest: -N or -U 'guest%' if enabled on the server.
  • Username/Password (NTLM): -U user (prompts) or -U 'user%pass' (avoid leaving in shell history).
  • Kerberos (SSO): -k after kinit; respects ticket lifetime and SPNs.
  • NT Hash: --pw-nt-hash (build-dependent).
  • Domain vs Local Accounts: Specify domain with -W or DOMAIN\\user.

Security tip: Prefer Kerberos. Avoid putting cleartext passwords on the command line or in world-readable auth files.


Name Resolution & Targeting

  • Use -I to connect by IP if NetBIOS/DNS names are unreliable:

    smbclient //filesrv/Share -U alice -I 10.10.10.25
  • If the server expects a specific NetBIOS name, you can set --option='client ntlmv2 auth = yes' and --option='client use spnego = yes' (often the default). In AD/Kerberos environments, proper DNS and SPNs are key.


Troubleshooting & Gotchas

  • NT_STATUS_ACCESS_DENIED: Bad creds or insufficient share/NTFS permissions. Try another user or check both share & NTFS ACLs.

  • Protocol negotiation failures: The server may have SMB1 disabled (good). Use SMB2/3:

    smbclient //server/share --option='client min protocol=SMB2' --option='client max protocol=SMB3'

    Conversely, very old devices may require NT1 (avoid where possible).

  • Kerberos fails, NTLM works: Check time sync, SPNs, DNS, and that klist shows a valid TGT.

  • Uploads succeed but files vanish: AV or FSRM quotas/screens may remove/quarantine. Check server policies.

  • Unicode/charset issues: Try --option='unix charset = UTF-8'.


Red Team Perspective

Goal: Enumerate accessible data, validate creds, quietly exfiltrate, and minimize artifacts.

  1. Anonymous & Guest Enumeration

    smbclient -L //10.0.0.5 -N
    smbclient //10.0.0.5/Public -N -c "ls"
  2. Credential Validation (Low-Noise)

    • Prefer a single connection attempt to confirm creds per host/share rather than spraying.
    smbclient -L //filesrv01 -U 'user%Password1!'
  3. Token/SSO Abuse

    • If running as a logged-in domain user on a Linux host with a valid TGT: klist, then smbclient -k ....
  4. Targeted Collection

    smbclient //filesrv01/Finance -U user -c "cd Q4; recurse; prompt OFF; mget *.xlsx"
  5. IPC$ & Admin Shares

    • smbclient //HOST/IPC$ ... can confirm access; C$, ADMIN$ typically require admins.
    • For deeper AD enumeration, pair with rpcclient, samba-tool, or use Impacket (smbclient.py, secretsdump.py) as needed.
  6. OPSEC Tips

    • Avoid putting creds in shell history; use -A with tight file perms (chmod 600).
    • Use Kerberos where possible to avoid NTLM events and reduce cleartext exposure.
    • Limit volume and frequency; prefer business hours; respect rules of engagement.

Ethics & Legality: Only test against systems you are explicitly authorized to assess.


Blue Team Perspective

Goal: Reduce attack surface, detect misuse, and preserve forensic signal.

Hardening Checklist

  • Disable SMB1 (NT1) everywhere.

  • Require SMB signing (and ideally SMB encryption) on servers and sensitive shares.

  • Eliminate Guest/Anonymous access; enforce authentication.

  • Least Privilege on share and NTFS permissions; use groups, not users.

  • Block lateral movement:

    • Limit admin shares (C$, ADMIN$) to admins; separate admin accounts.
    • Windows Firewall: restrict inbound 445 to trusted subnets.
  • Strong Auth:

    • Kerberos preferred; limit or monitor NTLM. Disable LM/NTLMv1. Consider NTLM auditing policies.
  • Data Governance:

    • Classify data; avoid “Everyone: Read” on broad shares.
    • FSRM quotas/screens for exfil paths; DLP where applicable.

Monitoring & Detection

  • Windows Events:

    • 4624/4625 (Logon successes/failures), Type 3 (network).
    • 5140 (A network share object was accessed).
    • 5145 (Detailed share access) — enable Object Access auditing.
    • 4768/4769 (Kerberos TGT/TGS) for unusual service access.
  • File Server Logs:

    • Audit specific directories (SACLs) for ReadData, ListDirectory, WriteData, Delete.
  • Telemetry & Analytics:

    • Look for large bursts of Read on sensitive shares.
    • Flag accesses by service accounts outside baselines.
    • Detect first-time users to high-value shares (UEBA).
  • Network Controls:

    • Segment file servers; inspect SMB for signing/encryption; alert on cleartext SMB1.

Response Playbook

  1. Contain: Temporarily block suspicious source on port 445; revoke tokens.
  2. Preserve: Collect Windows Security logs, SMB server logs, and packet captures (if feasible).
  3. Hunt: Correlate 5140/5145 with 4624/4769; look for mass enumeration patterns.
  4. Remediate: Tighten ACLs; remove Guest paths; rotate credentials; enforce signing/encryption.
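
The read-burst and first-time-user checks from Monitoring & Detection, and the hunt step above, sketched as an added example (not part of the original guide). The CSV layout, the function names and the sample events are constructed assumptions; a real export would map SubjectUserName, IpAddress, ShareName, RelativeTargetName and AccessList from event 5145 into these columns.

```shell
#!/bin/sh
# Added example (not from the guide). Input is a constructed, flattened CSV
# export of Security events: epoch,event_id,user,src_ip,share,relative_path,access
sample_events() {
cat <<'EOF'
1700000100,5140,EXAMPLE\alice,10.0.0.21,\\*\Finance,,ReadData
1700000110,5145,EXAMPLE\alice,10.0.0.21,\\*\Finance,Q4\budget.xlsx,ReadData
1700000120,5145,EXAMPLE\alice,10.0.0.21,\\*\Finance,Q4\budget.xlsx,ReadData
1700000130,5145,EXAMPLE\bob,10.0.0.77,\\*\Finance,Q4\budget.xlsx,ReadData
1700000131,5145,EXAMPLE\bob,10.0.0.77,\\*\Finance,Q4\forecast.xlsx,ReadData
1700000132,5145,EXAMPLE\bob,10.0.0.77,\\*\Finance,Q4\payroll.xlsx,ReadData
1700000133,5145,EXAMPLE\bob,10.0.0.77,\\*\Finance,Q3\budget.xlsx,ReadData
1700000134,5145,EXAMPLE\bob,10.0.0.77,\\*\Finance,Q3\payroll.xlsx,ReadData
EOF
}

# detect_smb_anomalies THRESHOLD WINDOW_SECS BASELINE_FILE < events.csv
# BASELINE_FILE lists already-seen "user,share" pairs, one per line.
detect_smb_anomalies() {
  awk -F, -v thr="$1" -v win="$2" -v base="$3" '
    BEGIN { while ((getline line < base) > 0) known[line] = 1 }
    # Score only detailed share-access events (5145) that read data.
    $2 != 5145 || $7 !~ /ReadData/ { next }
    {
      pair = $3 "," $5
      if (!(pair in known) && !(pair in reported)) {
        reported[pair] = 1
        print "NEW," pair "," $4          # first-time user on this share
      }
      # Fixed (not sliding) window: key on the bucket start time.
      k = $3 "," $4 "," $5 "," (int($1 / win) * win)
      if (!((k, $6) in files)) {          # count distinct files only
        files[k, $6] = 1; n[k]++
        if (n[k] == thr) print "BURST," k # reported once per bucket
      }
    }'
}
```

Run it as `sample_events | detect_smb_anomalies 5 300 baseline.csv`; NEW lines end with the source IP, which is the value to correlate with 4624 Type 3 logons.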

Security Best Practices for Operators

  • Prefer Kerberos (-k).

  • Avoid inline passwords: use -A with strict file permissions.

  • Use --encrypt on sensitive transfers.

  • Always set protocol floors/ceilings explicitly in automation:

    smbclient //srv/share -A /root/.smbauth \
      --option='client min protocol=SMB2' \
      --option='client max protocol=SMB3' \
      --encrypt -c "recurse; prompt OFF; mget *"
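
One way to enforce the auth-file advice above before a scheduled job runs, as an added example (not part of the original guide). The helper name check_smb_authfile and its return codes are assumptions; the accepted keys are the three shown in the guide's auth file format.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): vet an smbclient -A file before use.
# check_smb_authfile is a hypothetical helper name.
check_smb_authfile() {
  local f="$1" mode owner bad
  # Must be a regular file, not a symlink that could be repointed.
  if [ -L "$f" ] || [ ! -f "$f" ]; then
    echo "auth file missing or not a regular file: $f" >&2; return 2
  fi
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 2
  owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f") || return 2
  # Any group/other bit lets another local account read the password.
  case "$mode" in
    0|*00) ;;
    *) echo "mode $mode is too open, run: chmod 600 $f" >&2; return 3 ;;
  esac
  if [ "$owner" != "$(id -u)" ]; then
    echo "auth file is owned by uid $owner, not the calling user" >&2; return 4
  fi
  # The guide's format has only username=, password= and domain= lines;
  # anything else is treated as a mistake (for example, pasted notes).
  bad=$(grep -Ev '^[[:space:]]*((username|password|domain)[[:space:]]*=.*)?$' "$f" || true)
  if [ -n "$bad" ]; then
    echo "unexpected line(s) in auth file" >&2; return 5
  fi
  grep -Eq '^[[:space:]]*username[[:space:]]*=' "$f" &&
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f" ||
    { echo "username= and password= are both required" >&2; return 5; }
}

# Typical use in a job (paths as in the guide's examples):
# check_smb_authfile /root/.smbauth && smbclient //srv/share -A /root/.smbauth ...
```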

Handy Cheat Sheet

# List shares (guest)
smbclient -L //HOST -N
 
# List shares (domain user)
smbclient -L //HOST -U DOMAIN\\user
 
# Connect to a share
smbclient //HOST/Share -U user
 
# Kerberos connect
kinit user@REALM && smbclient //HOST/Share -k
 
# Non-interactive fetch
smbclient //HOST/Share -U user -c "get file.docx"
 
# Recursive pull (no prompts)
smbclient //HOST/Share -U user -c "recurse; prompt OFF; mget *"
 
# Use auth file
smbclient //HOST/Share -A ~/.smbauth -c "ls"
 
# Force SMB2..SMB3 only
smbclient //HOST/Share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
 
# Request encryption
smbclient //HOST/Share --encrypt -c "ls"

Appendix: Safe Automation Template

#!/usr/bin/env bash
set -Eeuo pipefail
SHARE="//filesrv01/Finance"
AUTH="/root/.smbauth"   # chmod 600
LOCAL_DIR="/data/finance"
 
mkdir -p "$LOCAL_DIR"
cd "$LOCAL_DIR"
 
smbclient "$SHARE" -A "$AUTH" \
  --option='client min protocol=SMB2' \
  --option='client max protocol=SMB3' \
  --encrypt \
  -c "recurse; prompt OFF; mget *"

Final Notes

  • smbclient is ideal for quick, scriptable SMB tasks; for deep AD/host enumeration pair it with rpcclient, nbtstat/smbstatus, or the Impacket toolkit.
  • In modern environments, SMB2/3 with signing (and encryption where needed) should be the default posture.

Use this guide as a reference during assessments, incident response, or daily admin work.