smbclient: The Comprehensive Guide

smbclient is a command-line SMB/CIFS client from the Samba suite. Think of it as an FTP-like shell for Windows file shares (and Samba servers). It supports NTLM/Kerberos authentication, SMB2/3, encryption, and both interactive and scripted operation.

Quick Start

# List shares (anonymous / guest attempt)
smbclient -L //TARGET -N
 
# List shares with username (prompt for password)
smbclient -L //TARGET -U alice
 
# Connect to a share interactively
smbclient //TARGET/Share -U alice
 
# One-liner to fetch a file (non-interactive)
smbclient //TARGET/Share -U alice -c "get report.xlsx"
 
# Kerberos (after kinit)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Share -k
 
# Scripted recursive download
smbclient //TARGET/Share -U alice -c "recurse; prompt OFF; mget *"

Installation

• Debian/Ubuntu: sudo apt install smbclient
• RHEL/CentOS/Fedora: sudo dnf install samba-client (or samba-client/samba depending on distro)
• macOS (Homebrew): brew install samba (binary is smbclient)
• Windows: Use WSL or a Unix-like environment; native Windows clients include net use and PowerShell cmdlets rather than smbclient.

Core Syntax

smbclient //SERVER/SHARE [options]
smbclient -L //SERVER [options]      # Enumerate shares

Common options you’ll use daily:

• -L — list shares.
• -U USER — specify username (-U 'user%pass' to inline password).
• -N — no password prompt (anonymous/guest).
• -k — use Kerberos (requires a TGT via kinit).
• -W DOMAIN — set the domain/Workgroup.
• -I IP — connect to a specific IP (bypass name resolution).
• -p PORT — specify port (defaults to 445).
• -c "CMD; CMD; ..." — run commands non-interactively.
• -A authfile — auth file with username=, password=, domain=.
• --option='client min protocol=SMB2' — constrain protocol.
• --option='client max protocol=SMB3' — constrain protocol.
• --encrypt — request SMB3 encryption when supported.
• --pw-nt-hash — use NT hash in place of a password (if supported by your Samba build).

Auth file format (-A):

username=alice
password=Sup3rS3cret!
domain=EXAMPLE

Interactive Command set (inside smbclient)

Once connected, you get an FTP-style prompt. The most useful commands:

? or help          # list commands
ls, dir            # list directory
cd, lcd            # change remote / local directory
pwd, lpwd          # print remote / local directory
get FILE           # download file
mget PATTERN       # download multiple (respects mask/prompt)
put FILE           # upload file
mput PATTERN       # upload multiple
recurse ON|OFF     # recurse into subdirectories for m* commands
prompt ON|OFF      # confirm each transfer or not
mask PATTERN       # set a filter (e.g., mask *.docx)
mkdir DIR          # create directory
rmdir DIR          # remove directory
del FILE           # delete file
allinfo FILE       # show metadata on a file
exit, quit         # close session

Examples

# Download an entire share tree
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
 
# Targeted grab by type
smb: \> mask *.xlsx
smb: \> mget *
 
# Upload a file
smb: \> put ./toolkit.ps1 \\Tools\\toolkit.ps1

Typical Workflows

1) Share Enumeration

# Null/guest try
smbclient -L //filesrv01 -N
 
# With creds (domain or local)
smbclient -L //filesrv01 -U EXAMPLE\\alice

2) Browse & Pull Files

# Connect and browse
smbclient //filesrv01/Finance -U EXAMPLE\\alice
 
# Non-interactive one-shot
smbclient //filesrv01/Finance -U alice -c "cd Q4; get budget.xlsx"

3) Kerberos (SSO / no password on CLI)

kinit alice@EXAMPLE.COM
smbclient //filesrv01/Finance -k -c "ls"

4) Use an NT Hash (if supported)

# Useful for testing known hashes without cracking
smbclient //dc01/C$ -U EXAMPLE\\Administrator --pw-nt-hash
# (Will prompt for the 32-hex hash instead of a password)

5) Force Protocols (troubleshooting old/new servers)

# Modern default: require SMB2+
smbclient //old-nas/Public --option='client min protocol=SMB2'
 
# If you MUST talk to legacy SMB1/NT1 (not recommended):
smbclient //very-old-nas/Public --option='client min protocol=NT1' --option='client max protocol=NT1'

6) Encryption

# Request end-to-end encryption (SMB3)
smbclient //filesrv01/Secure -U alice --encrypt -c "ls"

7) Scripting Transfers

# Bash example: nightly pull of reports
smbclient //filesrv01/Reports -A /root/.smbauth -c "recurse; prompt OFF; mget *" \
  && echo "Reports synced at $(date)"

Comparison: smbclient vs. Mounting

• smbclient: transient, FTP-like, great for quick tasks, enumeration, and scripted copies; runs as your process context.
• mount.cifs: permanent mount point; integrates with filesystem semantics (useful for apps, rsync, etc.). Requires kernel CIFS module and typically root or proper fstab options.

Authentication Modes

• Anonymous/Guest: -N or -U 'guest%' if enabled on the server.
• Username/Password (NTLM): -U user (prompts) or -U 'user%pass' (avoid leaving in shell history).
• Kerberos (SSO): -k after kinit; respects ticket lifetime and SPNs.
• NT Hash: --pw-nt-hash (build-dependent).
• Domain vs Local Accounts: Specify domain with -W or DOMAIN\\user.

Security tip: Prefer Kerberos. Avoid putting cleartext passwords on the command line or in world-readable auth files.

Name Resolution & Targeting

• Use -I to connect by IP if NetBIOS/DNS names are unreliable:

  smbclient //filesrv/Share -U alice -I 10.10.10.25

• If the server expects a specific NetBIOS name, you can export CLIENT_NTLMV2_AUTH=yes and set --option='client use spnego = yes' (often default). In AD/Kerberos environments, proper DNS and SPNs are key.

Troubleshooting & Gotchas

• NT_STATUS_ACCESS_DENIED: Bad creds or insufficient share/NTFS permissions. Try another user or check both share & NTFS ACLs.

• Protocol negotiation failures: The server may have SMB1 disabled (good). Use SMB2/3:

  smbclient //server/share --option='client min protocol=SMB2' --option='client max protocol=SMB3'

  Conversely, very old devices may require NT1 (avoid where possible).

• Kerberos fails, NTLM works: Check time sync, SPNs, DNS, and that klist shows a valid TGT.

• Uploads succeed but files vanish: AV or FSRM quotas/screens may remove/quarantine. Check server policies.

• Unicode/charset issues: Try --option='client character set = UTF-8'.

Red Team Perspective

Goal: Enumerate accessible data, validate creds, quietly exfiltrate, and minimize artifacts.

1. Anonymous & Guest Enumeration

   smbclient -L //10.0.0.5 -N
   smbclient //10.0.0.5/Public -N -c "ls"

2. Credential Validation (Low-Noise)

   • Prefer a single connection attempt to confirm creds per host/share rather than spraying.

   smbclient -L //filesrv01 -U 'user%Password1!'

3. Token/SSO Abuse

   • If running as a logged-in domain user on a Linux host with a valid TGT: klist → smbclient -k ....

4. Targeted Collection

   smbclient //filesrv01/Finance -U user -c "cd Q4; recurse; prompt OFF; mget *.xlsx"

5. IPC$ & Admin Shares

   • smbclient //HOST/IPC$ ... can confirm access; C$, ADMIN$ typically require admins.
   • For deeper AD enumeration, pair with rpcclient, samba-tool, or use Impacket (smbclient.py, secretsdump.py) as needed.

6. OPSEC Tips

   • Avoid putting creds in shell history; use -A with tight file perms (chmod 600).
   • Use Kerberos where possible to avoid NTLM events and reduce cleartext exposure.
   • Limit volume and frequency; prefer business hours; respect rules of engagement.

Ethics & Legality: Only test against systems you are explicitly authorized to assess.

Blue Team Perspective

Goal: Reduce attack surface, detect misuse, and preserve forensic signal.

Hardening Checklist

• Disable SMB1 (NT1) everywhere.

• Require SMB signing (and ideally SMB encryption) on servers and sensitive shares.

• Eliminate Guest/Anonymous access; enforce authentication.

• Least Privilege on share and NTFS permissions; use groups, not users.

• Block lateral movement:

  • Limit admin shares (C$, ADMIN$) to admins; separate admin accounts.
  • Windows Firewall: restrict inbound 445 to trusted subnets.

• Strong Auth:

  • Kerberos preferred; limit or monitor NTLM. Disable LM/NTLMv1. Consider NTLM auditing policies.

• Data Governance:

  • Classify data; avoid “Everyone: Read” on broad shares.
  • FSRM quotas/screens for exfil paths; DLP where applicable.

Monitoring & Detection

• Windows Events:

  • 4624/4625 (Logon successes/failures), Type 3 (network).
  • 5140 (A network share object was accessed).
  • 5145 (Detailed share access) — enable Object Access auditing.
  • 4768/4769 (Kerberos TGT/TGS) for unusual service access.

• File Server Logs:

  • Audit specific directories (SACLs) for ReadData, ListDirectory, WriteData, Delete.

• Telemetry & Analytics:

  • Look for large bursts of Read on sensitive shares.
  • Flag accesses by service accounts outside baselines.
  • Detect first-time users to high-value shares (UEBA).

• Network Controls:

  • Segment file servers; inspect SMB for signing/encryption; alert on cleartext SMB1.

Response Playbook

1. Contain: Temporarily block suspicious source on port 445; revoke tokens.
2. Preserve: Collect Windows Security logs, SMB server logs, and packet captures (if feasible).
3. Hunt: Correlate 5140/5145 with 4624/4769; look for mass enumeration patterns.
4. Remediate: Tighten ACLs; remove Guest paths; rotate credentials; enforce signing/encryption.

Security Best Practices for Operators

• Prefer Kerberos (-k).

• Avoid inline passwords: use -A with strict file permissions.

• Use --encrypt on sensitive transfers.

• Always set protocol floors/ceilings explicitly in automation:

  smbclient //srv/share -A /root/.smbauth \
    --option='client min protocol=SMB2' \
    --option='client max protocol=SMB3' \
    --encrypt -c "recurse; prompt OFF; mget *"

Handy Cheat Sheet

# List shares (guest)
smbclient -L //HOST -N
 
# List shares (domain user)
smbclient -L //HOST -U DOMAIN\\user
 
# Connect to a share
smbclient //HOST/Share -U user
 
# Kerberos connect
kinit user@REALM && smbclient //HOST/Share -k
 
# Non-interactive fetch
smbclient //HOST/Share -U user -c "get file.docx"
 
# Recursive pull (no prompts)
smbclient //HOST/Share -U user -c "recurse; prompt OFF; mget *"
 
# Use auth file
smbclient //HOST/Share -A ~/.smbauth -c "ls"
 
# Force SMB2..SMB3 only
smbclient //HOST/Share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
 
# Request encryption
smbclient //HOST/Share --encrypt -c "ls"

Appendix: Safe Automation Template

#!/usr/bin/env bash
set -Eeuo pipefail
SHARE="//filesrv01/Finance"
AUTH="/root/.smbauth"   # chmod 600
LOCAL_DIR="/data/finance"
 
mkdir -p "$LOCAL_DIR"
cd "$LOCAL_DIR"
 
smbclient "$SHARE" -A "$AUTH" \
  --option='client min protocol=SMB2' \
  --option='client max protocol=SMB3' \
  --encrypt \
  -c "recurse; prompt OFF; mget *"

Final Notes

• smbclient is ideal for quick, scriptable SMB tasks; for deep AD/host enumeration pair it with rpcclient, nbtstat/smbstatus, or the Impacket toolkit.
• In modern environments, SMB2/3 with signing (and encryption where needed) should be the default posture.

Use this guide as a reference during assessments, incident response, or daily admin work.

Related Cybersecurity Guides and Tutorials:

Penetration Testing Cheat Sheet

Becoming Pro with Mounting Volumes in Linux

Understanding iptables: The Linux Firewall Tool

Understanding DHCP in Cybersecurity