smbclient: The Comprehensive Guide
smbclient
is a command-line SMB/CIFS client from the Samba suite. Think of it as an FTP-like shell for Windows file shares (and Samba servers). It supports NTLM/Kerberos authentication, SMB2/3, encryption, and both interactive and scripted operation.
Quick Start
# List shares (anonymous / guest attempt)
smbclient -L //TARGET -N
# List shares with username (prompt for password)
smbclient -L //TARGET -U alice
# Connect to a share interactively
smbclient //TARGET/Share -U alice
# One-liner to fetch a file (non-interactive)
smbclient //TARGET/Share -U alice -c "get report.xlsx"
# Kerberos (after kinit)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Share -k
# Scripted recursive download
smbclient //TARGET/Share -U alice -c "recurse; prompt OFF; mget *"
Installation
- Debian/Ubuntu:
sudo apt install smbclient
- RHEL/CentOS/Fedora:
sudo dnf install samba-client
(orsamba-client
/samba
depending on distro) - macOS (Homebrew):
brew install samba
(binary issmbclient
) - Windows: Use WSL or a Unix-like environment; native Windows clients include
net use
and PowerShell cmdlets rather thansmbclient
.
Core Syntax
smbclient //SERVER/SHARE [options]
smbclient -L //SERVER [options] # Enumerate shares
Common options you’ll use daily:
-L
— list shares.-U USER
— specify username (-U 'user%pass'
to inline password).-N
— no password prompt (anonymous/guest).-k
— use Kerberos (requires a TGT viakinit
).-W DOMAIN
— set the domain/Workgroup.-I IP
— connect to a specific IP (bypass name resolution).-p PORT
— specify port (defaults to 445).-c "CMD; CMD; ..."
— run commands non-interactively.-A authfile
— auth file withusername=
,password=
,domain=
.--option='client min protocol=SMB2'
— constrain protocol.--option='client max protocol=SMB3'
— constrain protocol.--encrypt
— request SMB3 encryption when supported.--pw-nt-hash
— use NT hash in place of a password (if supported by your Samba build).
Auth file format (
-A
):username=alice password=Sup3rS3cret! domain=EXAMPLE
Interactive Command set (inside smbclient
)
Once connected, you get an FTP-style prompt. The most useful commands:
? or help # list commands
ls, dir # list directory
cd, lcd # change remote / local directory
pwd, lpwd # print remote / local directory
get FILE # download file
mget PATTERN # download multiple (respects mask/prompt)
put FILE # upload file
mput PATTERN # upload multiple
recurse ON|OFF # recurse into subdirectories for m* commands
prompt ON|OFF # confirm each transfer or not
mask PATTERN # set a filter (e.g., mask *.docx)
mkdir DIR # create directory
rmdir DIR # remove directory
del FILE # delete file
allinfo FILE # show metadata on a file
exit, quit # close session
Examples
# Download an entire share tree
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
# Targeted grab by type
smb: \> mask *.xlsx
smb: \> mget *
# Upload a file
smb: \> put ./toolkit.ps1 \\Tools\\toolkit.ps1
Typical Workflows
1) Share Enumeration
# Null/guest try
smbclient -L //filesrv01 -N
# With creds (domain or local)
smbclient -L //filesrv01 -U EXAMPLE\\alice
2) Browse & Pull Files
# Connect and browse
smbclient //filesrv01/Finance -U EXAMPLE\\alice
# Non-interactive one-shot
smbclient //filesrv01/Finance -U alice -c "cd Q4; get budget.xlsx"
3) Kerberos (SSO / no password on CLI)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Finance -k -c "ls"
4) Use an NT Hash (if supported)
# Useful for testing known hashes without cracking
smbclient //dc01/C$ -U EXAMPLE\\Administrator --pw-nt-hash
# (Will prompt for the 32-hex hash instead of a password)
5) Force Protocols (troubleshooting old/new servers)
# Modern default: require SMB2+
smbclient //old-nas/Public --option='client min protocol=SMB2'
# If you MUST talk to legacy SMB1/NT1 (not recommended):
smbclient //very-old-nas/Public --option='client min protocol=NT1' --option='client max protocol=NT1'
6) Encryption
# Request end-to-end encryption (SMB3)
smbclient //filesrv01/Secure -U alice --encrypt -c "ls"
7) Scripting Transfers
# Bash example: nightly pull of reports
smbclient //filesrv01/Reports -A /root/.smbauth -c "recurse; prompt OFF; mget *" \
&& echo "Reports synced at $(date)"
Comparison: smbclient
vs. Mounting
- smbclient: transient, FTP-like, great for quick tasks, enumeration, and scripted copies; runs as your process context.
- mount.cifs: permanent mount point; integrates with filesystem semantics (useful for apps, rsync, etc.). Requires kernel CIFS module and typically root or proper fstab options.
Authentication Modes
- Anonymous/Guest:
-N
or-U 'guest%'
if enabled on the server. - Username/Password (NTLM):
-U user
(prompts) or-U 'user%pass'
(avoid leaving in shell history). - Kerberos (SSO):
-k
afterkinit
; respects ticket lifetime and SPNs. - NT Hash:
--pw-nt-hash
(build-dependent). - Domain vs Local Accounts: Specify domain with
-W
orDOMAIN\\user
.
Security tip: Prefer Kerberos. Avoid putting cleartext passwords on the command line or in world-readable auth files.
Name Resolution & Targeting
-
Use
-I
to connect by IP if NetBIOS/DNS names are unreliable:smbclient //filesrv/Share -U alice -I 10.10.10.25
-
If the server expects a specific NetBIOS name, you can export
CLIENT_NTLMV2_AUTH=yes
and set--option='client use spnego = yes'
(often default). In AD/Kerberos environments, proper DNS and SPNs are key.
Troubleshooting & Gotchas
-
NT_STATUS_ACCESS_DENIED
: Bad creds or insufficient share/NTFS permissions. Try another user or check both share & NTFS ACLs. -
Protocol negotiation failures: The server may have SMB1 disabled (good). Use SMB2/3:
smbclient //server/share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
Conversely, very old devices may require NT1 (avoid where possible).
-
Kerberos fails, NTLM works: Check time sync, SPNs, DNS, and that
klist
shows a valid TGT. -
Uploads succeed but files vanish: AV or FSRM quotas/screens may remove/quarantine. Check server policies.
-
Unicode/charset issues: Try
--option='client character set = UTF-8'
.
Red Team Perspective
Goal: Enumerate accessible data, validate creds, quietly exfiltrate, and minimize artifacts.
-
Anonymous & Guest Enumeration
smbclient -L //10.0.0.5 -N smbclient //10.0.0.5/Public -N -c "ls"
-
Credential Validation (Low-Noise)
- Prefer a single connection attempt to confirm creds per host/share rather than spraying.
smbclient -L //filesrv01 -U 'user%Password1!'
-
Token/SSO Abuse
- If running as a logged-in domain user on a Linux host with a valid TGT:
klist
→smbclient -k ...
.
- If running as a logged-in domain user on a Linux host with a valid TGT:
-
Targeted Collection
smbclient //filesrv01/Finance -U user -c "cd Q4; recurse; prompt OFF; mget *.xlsx"
-
IPC$ & Admin Shares
smbclient //HOST/IPC$ ...
can confirm access;C$
,ADMIN$
typically require admins.- For deeper AD enumeration, pair with
rpcclient
,samba-tool
, or use Impacket (smbclient.py
,secretsdump.py
) as needed.
-
OPSEC Tips
- Avoid putting creds in shell history; use
-A
with tight file perms (chmod 600
). - Use Kerberos where possible to avoid NTLM events and reduce cleartext exposure.
- Limit volume and frequency; prefer business hours; respect rules of engagement.
- Avoid putting creds in shell history; use
Ethics & Legality: Only test against systems you are explicitly authorized to assess.
Blue Team Perspective
Goal: Reduce attack surface, detect misuse, and preserve forensic signal.
Hardening Checklist
-
Disable SMB1 (NT1) everywhere.
-
Require SMB signing (and ideally SMB encryption) on servers and sensitive shares.
-
Eliminate Guest/Anonymous access; enforce authentication.
-
Least Privilege on share and NTFS permissions; use groups, not users.
-
Block lateral movement:
- Limit admin shares (
C$
,ADMIN$
) to admins; separate admin accounts. - Windows Firewall: restrict inbound 445 to trusted subnets.
- Limit admin shares (
-
Strong Auth:
- Kerberos preferred; limit or monitor NTLM. Disable LM/NTLMv1. Consider NTLM auditing policies.
-
Data Governance:
- Classify data; avoid “Everyone: Read” on broad shares.
- FSRM quotas/screens for exfil paths; DLP where applicable.
Monitoring & Detection
-
Windows Events:
- 4624/4625 (Logon successes/failures), Type 3 (network).
- 5140 (A network share object was accessed).
- 5145 (Detailed share access) — enable Object Access auditing.
- 4768/4769 (Kerberos TGT/TGS) for unusual service access.
-
File Server Logs:
- Audit specific directories (SACLs) for
ReadData
,ListDirectory
,WriteData
,Delete
.
- Audit specific directories (SACLs) for
-
Telemetry & Analytics:
- Look for large bursts of
Read
on sensitive shares. - Flag accesses by service accounts outside baselines.
- Detect first-time users to high-value shares (UEBA).
- Look for large bursts of
-
Network Controls:
- Segment file servers; inspect SMB for signing/encryption; alert on cleartext SMB1.
Response Playbook
- Contain: Temporarily block suspicious source on port 445; revoke tokens.
- Preserve: Collect Windows Security logs, SMB server logs, and packet captures (if feasible).
- Hunt: Correlate
5140/5145
with4624/4769
; look for mass enumeration patterns. - Remediate: Tighten ACLs; remove Guest paths; rotate credentials; enforce signing/encryption.
Security Best Practices for Operators
-
Prefer Kerberos (
-k
). -
Avoid inline passwords: use
-A
with strict file permissions. -
Use
--encrypt
on sensitive transfers. -
Always set protocol floors/ceilings explicitly in automation:
smbclient //srv/share -A /root/.smbauth \ --option='client min protocol=SMB2' \ --option='client max protocol=SMB3' \ --encrypt -c "recurse; prompt OFF; mget *"
Handy Cheat Sheet
# List shares (guest)
smbclient -L //HOST -N
# List shares (domain user)
smbclient -L //HOST -U DOMAIN\\user
# Connect to a share
smbclient //HOST/Share -U user
# Kerberos connect
kinit user@REALM && smbclient //HOST/Share -k
# Non-interactive fetch
smbclient //HOST/Share -U user -c "get file.docx"
# Recursive pull (no prompts)
smbclient //HOST/Share -U user -c "recurse; prompt OFF; mget *"
# Use auth file
smbclient //HOST/Share -A ~/.smbauth -c "ls"
# Force SMB2..SMB3 only
smbclient //HOST/Share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
# Request encryption
smbclient //HOST/Share --encrypt -c "ls"
Appendix: Safe Automation Template
#!/usr/bin/env bash
set -Eeuo pipefail
SHARE="//filesrv01/Finance"
AUTH="/root/.smbauth" # chmod 600
LOCAL_DIR="/data/finance"
mkdir -p "$LOCAL_DIR"
cd "$LOCAL_DIR"
smbclient "$SHARE" -A "$AUTH" \
--option='client min protocol=SMB2' \
--option='client max protocol=SMB3' \
--encrypt \
-c "recurse; prompt OFF; mget *"
Final Notes
smbclient
is ideal for quick, scriptable SMB tasks; for deep AD/host enumeration pair it withrpcclient
,nbtstat
/smbstatus
, or the Impacket toolkit.- In modern environments, SMB2/3 with signing (and encryption where needed) should be the default posture.
Use this guide as a reference during assessments, incident response, or daily admin work.
***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.