Becoming Pro with Mounting Volumes in Linux
smbclient: The Comprehensive Guide
smbclient
is a command-line SMB/CIFS client from the Samba suite. Think of it as an FTP-like shell for Windows file shares (and Samba servers). It supports NTLM/Kerberos authentication, SMB2/3, encryption, and both interactive and scripted operation.
Quick Start
# List shares (anonymous / guest attempt)
smbclient -L //TARGET -N
# List shares with username (prompt for password)
smbclient -L //TARGET -U alice
# Connect to a share interactively
smbclient //TARGET/Share -U alice
# One-liner to fetch a file (non-interactive)
smbclient //TARGET/Share -U alice -c "get report.xlsx"
# Kerberos (after kinit)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Share -k
# Scripted recursive download
smbclient //TARGET/Share -U alice -c "recurse; prompt OFF; mget *"
Installation
- Debian/Ubuntu:
sudo apt install smbclient
- RHEL/CentOS/Fedora:
sudo dnf install samba-client
(orsamba-client
/samba
depending on distro) - macOS (Homebrew):
brew install samba
(binary issmbclient
) - Windows: Use WSL or a Unix-like environment; native Windows clients include
net use
and PowerShell cmdlets rather thansmbclient
.
Core Syntax
smbclient //SERVER/SHARE [options]
smbclient -L //SERVER [options] # Enumerate shares
Common options you’ll use daily:
-L
— list shares.-U USER
— specify username (-U 'user%pass'
to inline password).-N
— no password prompt (anonymous/guest).-k
— use Kerberos (requires a TGT viakinit
).-W DOMAIN
— set the domain/Workgroup.-I IP
— connect to a specific IP (bypass name resolution).-p PORT
— specify port (defaults to 445).-c "CMD; CMD; ..."
— run commands non-interactively.-A authfile
— auth file withusername=
,password=
,domain=
.--option='client min protocol=SMB2'
— constrain protocol.--option='client max protocol=SMB3'
— constrain protocol.--encrypt
— request SMB3 encryption when supported.--pw-nt-hash
— use NT hash in place of a password (if supported by your Samba build).
Auth file format (
-A
):username=alice password=Sup3rS3cret! domain=EXAMPLE
Interactive Command set (inside smbclient
)
Once connected, you get an FTP-style prompt. The most useful commands:
? or help # list commands
ls, dir # list directory
cd, lcd # change remote / local directory
pwd, lpwd # print remote / local directory
get FILE # download file
mget PATTERN # download multiple (respects mask/prompt)
put FILE # upload file
mput PATTERN # upload multiple
recurse ON|OFF # recurse into subdirectories for m* commands
prompt ON|OFF # confirm each transfer or not
mask PATTERN # set a filter (e.g., mask *.docx)
mkdir DIR # create directory
rmdir DIR # remove directory
del FILE # delete file
allinfo FILE # show metadata on a file
exit, quit # close session
Examples
# Download an entire share tree
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
# Targeted grab by type
smb: \> mask *.xlsx
smb: \> mget *
# Upload a file
smb: \> put ./toolkit.ps1 \\Tools\\toolkit.ps1
Typical Workflows
1) Share Enumeration
# Null/guest try
smbclient -L //filesrv01 -N
# With creds (domain or local)
smbclient -L //filesrv01 -U EXAMPLE\\alice
2) Browse & Pull Files
# Connect and browse
smbclient //filesrv01/Finance -U EXAMPLE\\alice
# Non-interactive one-shot
smbclient //filesrv01/Finance -U alice -c "cd Q4; get budget.xlsx"
3) Kerberos (SSO / no password on CLI)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Finance -k -c "ls"
4) Use an NT Hash (if supported)
# Useful for testing known hashes without cracking
smbclient //dc01/C$ -U EXAMPLE\\Administrator --pw-nt-hash
# (Will prompt for the 32-hex hash instead of a password)
5) Force Protocols (troubleshooting old/new servers)
# Modern default: require SMB2+
smbclient //old-nas/Public --option='client min protocol=SMB2'
# If you MUST talk to legacy SMB1/NT1 (not recommended):
smbclient //very-old-nas/Public --option='client min protocol=NT1' --option='client max protocol=NT1'
6) Encryption
# Request end-to-end encryption (SMB3)
smbclient //filesrv01/Secure -U alice --encrypt -c "ls"
7) Scripting Transfers
# Bash example: nightly pull of reports
smbclient //filesrv01/Reports -A /root/.smbauth -c "recurse; prompt OFF; mget *" \
&& echo "Reports synced at $(date)"
Comparison: smbclient
vs. Mounting
- smbclient: transient, FTP-like, great for quick tasks, enumeration, and scripted copies; runs as your process context.
- mount.cifs: permanent mount point; integrates with filesystem semantics (useful for apps, rsync, etc.). Requires kernel CIFS module and typically root or proper fstab options.
Authentication Modes
- Anonymous/Guest:
-N
or-U 'guest%'
if enabled on the server. - Username/Password (NTLM):
-U user
(prompts) or-U 'user%pass'
(avoid leaving in shell history). - Kerberos (SSO):
-k
afterkinit
; respects ticket lifetime and SPNs. - NT Hash:
--pw-nt-hash
(build-dependent). - Domain vs Local Accounts: Specify domain with
-W
orDOMAIN\\user
.
Security tip: Prefer Kerberos. Avoid putting cleartext passwords on the command line or in world-readable auth files.
Name Resolution & Targeting
-
Use
-I
to connect by IP if NetBIOS/DNS names are unreliable:smbclient //filesrv/Share -U alice -I 10.10.10.25
-
If the server expects a specific NetBIOS name, you can export
CLIENT_NTLMV2_AUTH=yes
and set--option='client use spnego = yes'
(often default). In AD/Kerberos environments, proper DNS and SPNs are key.
Troubleshooting & Gotchas
-
NT_STATUS_ACCESS_DENIED
: Bad creds or insufficient share/NTFS permissions. Try another user or check both share & NTFS ACLs. -
Protocol negotiation failures: The server may have SMB1 disabled (good). Use SMB2/3:
smbclient //server/share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
Conversely, very old devices may require NT1 (avoid where possible).
-
Kerberos fails, NTLM works: Check time sync, SPNs, DNS, and that
klist
shows a valid TGT. -
Uploads succeed but files vanish: AV or FSRM quotas/screens may remove/quarantine. Check server policies.
-
Unicode/charset issues: Try
--option='client character set = UTF-8'
.
Red Team Perspective
Goal: Enumerate accessible data, validate creds, quietly exfiltrate, and minimize artifacts.
-
Anonymous & Guest Enumeration
smbclient -L //10.0.0.5 -N smbclient //10.0.0.5/Public -N -c "ls"
-
Credential Validation (Low-Noise)
- Prefer a single connection attempt to confirm creds per host/share rather than spraying.
smbclient -L //filesrv01 -U 'user%Password1!'
-
Token/SSO Abuse
- If running as a logged-in domain user on a Linux host with a valid TGT:
klist
→smbclient -k ...
.
- If running as a logged-in domain user on a Linux host with a valid TGT:
-
Targeted Collection
smbclient //filesrv01/Finance -U user -c "cd Q4; recurse; prompt OFF; mget *.xlsx"
-
IPC$ & Admin Shares
smbclient //HOST/IPC$ ...
can confirm access;C$
,ADMIN$
typically require admins.- For deeper AD enumeration, pair with
rpcclient
,samba-tool
, or use Impacket (smbclient.py
,secretsdump.py
) as needed.
-
OPSEC Tips
- Avoid putting creds in shell history; use
-A
with tight file perms (chmod 600
). - Use Kerberos where possible to avoid NTLM events and reduce cleartext exposure.
- Limit volume and frequency; prefer business hours; respect rules of engagement.
- Avoid putting creds in shell history; use
Ethics & Legality: Only test against systems you are explicitly authorized to assess.
Blue Team Perspective
Goal: Reduce attack surface, detect misuse, and preserve forensic signal.
Hardening Checklist
-
Disable SMB1 (NT1) everywhere.
-
Require SMB signing (and ideally SMB encryption) on servers and sensitive shares.
-
Eliminate Guest/Anonymous access; enforce authentication.
-
Least Privilege on share and NTFS permissions; use groups, not users.
-
Block lateral movement:
- Limit admin shares (
C$
,ADMIN$
) to admins; separate admin accounts. - Windows Firewall: restrict inbound 445 to trusted subnets.
- Limit admin shares (
-
Strong Auth:
- Kerberos preferred; limit or monitor NTLM. Disable LM/NTLMv1. Consider NTLM auditing policies.
-
Data Governance:
- Classify data; avoid “Everyone: Read” on broad shares.
- FSRM quotas/screens for exfil paths; DLP where applicable.
Monitoring & Detection
-
Windows Events:
- 4624/4625 (Logon successes/failures), Type 3 (network).
- 5140 (A network share object was accessed).
- 5145 (Detailed share access) — enable Object Access auditing.
- 4768/4769 (Kerberos TGT/TGS) for unusual service access.
-
File Server Logs:
- Audit specific directories (SACLs) for
ReadData
,ListDirectory
,WriteData
,Delete
.
- Audit specific directories (SACLs) for
-
Telemetry & Analytics:
- Look for large bursts of
Read
on sensitive shares. - Flag accesses by service accounts outside baselines.
- Detect first-time users to high-value shares (UEBA).
- Look for large bursts of
-
Network Controls:
- Segment file servers; inspect SMB for signing/encryption; alert on cleartext SMB1.
Response Playbook
- Contain: Temporarily block suspicious source on port 445; revoke tokens.
- Preserve: Collect Windows Security logs, SMB server logs, and packet captures (if feasible).
- Hunt: Correlate
5140/5145
with4624/4769
; look for mass enumeration patterns. - Remediate: Tighten ACLs; remove Guest paths; rotate credentials; enforce signing/encryption.
Security Best Practices for Operators
-
Prefer Kerberos (
-k
). -
Avoid inline passwords: use
-A
with strict file permissions. -
Use
--encrypt
on sensitive transfers. -
Always set protocol floors/ceilings explicitly in automation:
smbclient //srv/share -A /root/.smbauth \ --option='client min protocol=SMB2' \ --option='client max protocol=SMB3' \ --encrypt -c "recurse; prompt OFF; mget *"
Handy Cheat Sheet
# List shares (guest)
smbclient -L //HOST -N
# List shares (domain user)
smbclient -L //HOST -U DOMAIN\\user
# Connect to a share
smbclient //HOST/Share -U user
# Kerberos connect
kinit user@REALM && smbclient //HOST/Share -k
# Non-interactive fetch
smbclient //HOST/Share -U user -c "get file.docx"
# Recursive pull (no prompts)
smbclient //HOST/Share -U user -c "recurse; prompt OFF; mget *"
# Use auth file
smbclient //HOST/Share -A ~/.smbauth -c "ls"
# Force SMB2..SMB3 only
smbclient //HOST/Share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
# Request encryption
smbclient //HOST/Share --encrypt -c "ls"
Appendix: Safe Automation Template
#!/usr/bin/env bash
set -Eeuo pipefail
SHARE="//filesrv01/Finance"
AUTH="/root/.smbauth" # chmod 600
LOCAL_DIR="/data/finance"
mkdir -p "$LOCAL_DIR"
cd "$LOCAL_DIR"
smbclient "$SHARE" -A "$AUTH" \
--option='client min protocol=SMB2' \
--option='client max protocol=SMB3' \
--encrypt \
-c "recurse; prompt OFF; mget *"
Final Notes
smbclient
is ideal for quick, scriptable SMB tasks; for deep AD/host enumeration pair it withrpcclient
,nbtstat
/smbstatus
, or the Impacket toolkit.- In modern environments, SMB2/3 with signing (and encryption where needed) should be the default posture.
Use this guide as a reference during assessments, incident response, or daily admin work.