smbclient: The Comprehensive Guide

smbclient is a command-line SMB/CIFS client from the Samba suite. Think of it as an FTP-like shell for Windows file shares (and Samba servers). It supports NTLM/Kerberos authentication, SMB2/3, encryption, and both interactive and scripted operation.


Quick Start

# List shares (anonymous / guest attempt)
smbclient -L //TARGET -N
 
# List shares with username (prompt for password)
smbclient -L //TARGET -U alice
 
# Connect to a share interactively
smbclient //TARGET/Share -U alice
 
# One-liner to fetch a file (non-interactive)
smbclient //TARGET/Share -U alice -c "get report.xlsx"
 
# Kerberos (after kinit)
kinit alice@EXAMPLE.COM
smbclient //filesrv01/Share -k
 
# Scripted recursive download
smbclient //TARGET/Share -U alice -c "recurse; prompt OFF; mget *"

Installation

  • Debian/Ubuntu: sudo apt install smbclient
  • RHEL/CentOS/Fedora: sudo dnf install samba-client (the package name may vary by distro, e.g. samba-client or samba)
  • macOS (Homebrew): brew install samba (binary is smbclient)
  • Windows: Use WSL or a Unix-like environment; native Windows clients include net use and PowerShell cmdlets rather than smbclient.

Core Syntax

smbclient //SERVER/SHARE [options]
smbclient -L //SERVER [options]      # Enumerate shares

Common options you’ll use daily:

  • -L — list shares.
  • -U USER — specify username (-U 'user%pass' to inline password).
  • -N — no password prompt (anonymous/guest).
  • -k — use Kerberos (requires a TGT via kinit).
  • -W DOMAIN — set the domain/workgroup.
  • -I IP — connect to a specific IP (bypass name resolution).
  • -p PORT — specify port (defaults to 445).
  • -c "CMD; CMD; ..." — run commands non-interactively.
  • -A authfile — auth file with username=, password=, domain=.
  • --option='client min protocol=SMB2' — constrain protocol.
  • --option='client max protocol=SMB3' — constrain protocol.
  • --encrypt — request SMB3 encryption when supported.
  • --pw-nt-hash — use NT hash in place of a password (if supported by your Samba build).

Auth file format (-A):

username=alice
password=Sup3rS3cret!
domain=EXAMPLE

Interactive Command Set (inside smbclient)

Once connected, you get an FTP-style prompt. The most useful commands:

? or help          # list commands
ls, dir            # list directory
cd, lcd            # change remote / local directory
pwd, lpwd          # print remote / local directory
get FILE           # download file
mget PATTERN       # download multiple (respects mask/prompt)
put FILE           # upload file
mput PATTERN       # upload multiple
recurse ON|OFF     # recurse into subdirectories for m* commands
prompt ON|OFF      # confirm each transfer or not
mask PATTERN       # set a filter (e.g., mask *.docx)
mkdir DIR          # create directory
rmdir DIR          # remove directory
del FILE           # delete file
allinfo FILE       # show metadata on a file
exit, quit         # close session

Examples

# Download an entire share tree
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
 
# Targeted grab by type
smb: \> mask *.xlsx
smb: \> mget *
 
# Upload a file
smb: \> put ./toolkit.ps1 \\Tools\\toolkit.ps1

Typical Workflows

1) Share Enumeration

# Null/guest try
smbclient -L //filesrv01 -N
 
# With creds (domain or local)
smbclient -L //filesrv01 -U EXAMPLE\\alice

2) Browse & Pull Files

# Connect and browse
smbclient //filesrv01/Finance -U EXAMPLE\\alice
 
# Non-interactive one-shot
smbclient //filesrv01/Finance -U alice -c "cd Q4; get budget.xlsx"

3) Kerberos (SSO / no password on CLI)

kinit alice@EXAMPLE.COM
smbclient //filesrv01/Finance -k -c "ls"

4) Use an NT Hash (if supported)

# Useful for testing known hashes without cracking
smbclient //dc01/C$ -U EXAMPLE\\Administrator --pw-nt-hash
# (Will prompt for the 32-hex hash instead of a password)

5) Force Protocols (troubleshooting old/new servers)

# Modern default: require SMB2+
smbclient //old-nas/Public --option='client min protocol=SMB2'
 
# If you MUST talk to legacy SMB1/NT1 (not recommended):
smbclient //very-old-nas/Public --option='client min protocol=NT1' --option='client max protocol=NT1'

6) Encryption

# Request end-to-end encryption (SMB3)
smbclient //filesrv01/Secure -U alice --encrypt -c "ls"

7) Scripting Transfers

# Bash example: nightly pull of reports
smbclient //filesrv01/Reports -A /root/.smbauth -c "recurse; prompt OFF; mget *" \
  && echo "Reports synced at $(date)"

Comparison: smbclient vs. Mounting

  • smbclient: transient, FTP-like, great for quick tasks, enumeration, and scripted copies; runs as your process context.
  • mount.cifs: permanent mount point; integrates with filesystem semantics (useful for apps, rsync, etc.). Requires kernel CIFS module and typically root or proper fstab options.

Authentication Modes

  • Anonymous/Guest: -N or -U 'guest%' if enabled on the server.
  • Username/Password (NTLM): -U user (prompts) or -U 'user%pass' (avoid leaving in shell history).
  • Kerberos (SSO): -k after kinit; respects ticket lifetime and SPNs.
  • NT Hash: --pw-nt-hash (build-dependent).
  • Domain vs Local Accounts: Specify domain with -W or DOMAIN\\user.

Security tip: Prefer Kerberos. Avoid putting cleartext passwords on the command line or in world-readable auth files.


Name Resolution & Targeting

  • Use -I to connect by IP if NetBIOS/DNS names are unreliable:

    smbclient //filesrv/Share -U alice -I 10.10.10.25
  • If the server expects a specific NetBIOS name, you can export CLIENT_NTLMV2_AUTH=yes and set --option='client use spnego = yes' (often default). In AD/Kerberos environments, proper DNS and SPNs are key.


Troubleshooting & Gotchas

  • NT_STATUS_ACCESS_DENIED: Bad creds or insufficient share/NTFS permissions. Try another user or check both share & NTFS ACLs.

  • Protocol negotiation failures: The server may have SMB1 disabled (good). Use SMB2/3:

    smbclient //server/share --option='client min protocol=SMB2' --option='client max protocol=SMB3'

    Conversely, very old devices may require NT1 (avoid where possible).

  • Kerberos fails, NTLM works: Check time sync, SPNs, DNS, and that klist shows a valid TGT.

  • Uploads succeed but files vanish: AV or FSRM quotas/screens may remove/quarantine. Check server policies.

  • Unicode/charset issues: Try --option='client character set = UTF-8'.


Red Team Perspective

Goal: Enumerate accessible data, validate creds, quietly exfiltrate, and minimize artifacts.

  1. Anonymous & Guest Enumeration

    smbclient -L //10.0.0.5 -N
    smbclient //10.0.0.5/Public -N -c "ls"
  2. Credential Validation (Low-Noise)

    • Prefer a single connection attempt to confirm creds per host/share rather than spraying.
    smbclient -L //filesrv01 -U 'user%Password1!'
  3. Token/SSO Abuse

    • If running as a logged-in domain user on a Linux host with a valid TGT: run klist, then smbclient -k ...
  4. Targeted Collection

    smbclient //filesrv01/Finance -U user -c "cd Q4; recurse; prompt OFF; mget *.xlsx"
  5. IPC$ & Admin Shares

    • smbclient //HOST/IPC$ ... can confirm access; C$, ADMIN$ typically require admins.
    • For deeper AD enumeration, pair with rpcclient, samba-tool, or use Impacket (smbclient.py, secretsdump.py) as needed.
  6. OPSEC Tips

    • Avoid putting creds in shell history; use -A with tight file perms (chmod 600).
    • Use Kerberos where possible to avoid NTLM events and reduce cleartext exposure.
    • Limit volume and frequency; prefer business hours; respect rules of engagement.

Ethics & Legality: Only test against systems you are explicitly authorized to assess.


Blue Team Perspective

Goal: Reduce attack surface, detect misuse, and preserve forensic signal.

Hardening Checklist

  • Disable SMB1 (NT1) everywhere.

  • Require SMB signing (and ideally SMB encryption) on servers and sensitive shares.

  • Eliminate Guest/Anonymous access; enforce authentication.

  • Least Privilege on share and NTFS permissions; use groups, not users.

  • Block lateral movement:

    • Limit admin shares (C$, ADMIN$) to admins; separate admin accounts.
    • Windows Firewall: restrict inbound 445 to trusted subnets.
  • Strong Auth:

    • Kerberos preferred; limit or monitor NTLM. Disable LM/NTLMv1. Consider NTLM auditing policies.
  • Data Governance:

    • Classify data; avoid “Everyone: Read” on broad shares.
    • FSRM quotas/screens for exfil paths; DLP where applicable.

Monitoring & Detection

  • Windows Events:

    • 4624/4625 (Logon successes/failures), Type 3 (network).
    • 5140 (A network share object was accessed).
    • 5145 (Detailed share access) — enable Object Access auditing.
    • 4768/4769 (Kerberos TGT/TGS) for unusual service access.
  • File Server Logs:

    • Audit specific directories (SACLs) for ReadData, ListDirectory, WriteData, Delete.
  • Telemetry & Analytics:

    • Look for large bursts of Read on sensitive shares.
    • Flag accesses by service accounts outside baselines.
    • Detect first-time users to high-value shares (UEBA).
  • Network Controls:

    • Segment file servers; inspect SMB for signing/encryption; alert on cleartext SMB1.
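
One way to turn "large bursts of Read on sensitive shares" into a check over 5145 records. This is an added example, not part of the original guide: the pipe-separated export format, the sample events and the function names are constructed for illustration, and only the field names (SubjectUserName, IpAddress, ShareName, RelativeTargetName) mirror the 5145 event.

```bash
# Added example: flag a source that touches many distinct files on one share
# inside a short window, using 5145 (detailed share access) records.
# Constructed export format (not a native Windows format):
#   epoch|EventID|SubjectUserName|IpAddress|ShareName|RelativeTargetName

sample_events() {  # constructed sample data
  cat <<'EOF'
1718000000|4624|svc_backup|10.0.0.77||
1718000002|5145|svc_backup|10.0.0.77|\\*\Finance|Q4\budget.xlsx
1718000003|5145|svc_backup|10.0.0.77|\\*\Finance|Q4\forecast.xlsx
1718000003|5145|svc_backup|10.0.0.77|\\*\Finance|Q4\forecast.xlsx
1718000004|5145|svc_backup|10.0.0.77|\\*\Finance|Q4\payroll.xlsx
1718000005|5145|svc_backup|10.0.0.77|\\*\Finance|Q3\audit.xlsx
1718000010|5145|alice|10.0.0.12|\\*\Finance|Q4\budget.xlsx
1718000400|5145|alice|10.0.0.12|\\*\Finance|Q4\forecast.xlsx
EOF
}

# usage: detect_share_bursts WINDOW_SECONDS MIN_DISTINCT_FILES < events
# prints: IpAddress SubjectUserName ShareName distinct_file_count
detect_share_bursts() {
  awk -F'|' -v win="$1" -v thr="$2" '
    $2 == 5145 {
      bucket = int($1 / win)                 # tumbling window index
      key = bucket "|" $4 "|" $3 "|" $5      # window, source IP, user, share
      if (!((key, $6) in seen)) {            # count each file once per window
        seen[key, $6] = 1
        n[key]++
      }
    }
    END {
      for (k in n)
        if (n[k] >= thr) {
          split(k, f, "|")
          print f[2], f[3], f[4], n[k]
        }
    }' | sort
}
```

Run it as `sample_events | detect_share_bursts 60 4`. Because the windows are tumbling, a burst that straddles a window boundary is split across two buckets, so set the threshold with that in mind.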

Response Playbook

  1. Contain: Temporarily block suspicious source on port 445; revoke tokens.
  2. Preserve: Collect Windows Security logs, SMB server logs, and packet captures (if feasible).
  3. Hunt: Correlate 5140/5145 with 4624/4769; look for mass enumeration patterns.
  4. Remediate: Tighten ACLs; remove Guest paths; rotate credentials; enforce signing/encryption.

Security Best Practices for Operators

  • Prefer Kerberos (-k).

  • Avoid inline passwords: use -A with strict file permissions.

  • Use --encrypt on sensitive transfers.

  • Always set protocol floors/ceilings explicitly in automation:

    smbclient //srv/share -A /root/.smbauth \
      --option='client min protocol=SMB2' \
      --option='client max protocol=SMB3' \
      --encrypt -c "recurse; prompt OFF; mget *"
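
A pre-flight check that enforces the "strict file permissions" advice before the auth file is handed to -A. This is an added example, not part of the original guide or of Samba; check_smbauth and smb_pull are hypothetical helper names.

```bash
# Added example: refuse to use an smbclient -A auth file that other users
# could read or replace. check_smbauth and smb_pull are hypothetical helpers.

check_smbauth() {
  local file meta mode owner key
  file=$1
  if [ ! -f "$file" ] || [ -L "$file" ]; then
    echo "smbauth: $file is missing, a symlink, or not a regular file" >&2
    return 2
  fi
  # "<octal mode> <owner uid>": GNU stat first, BSD/macOS stat as fallback
  meta=$(stat -c '%a %u' "$file" 2>/dev/null || stat -f '%Lp %u' "$file") || return 2
  mode=${meta% *}
  owner=${meta#* }
  if [ "$owner" != "$(id -u)" ]; then
    echo "smbauth: $file is owned by uid $owner, not by the calling user" >&2
    return 1
  fi
  # Any group/other permission bit exposes the password (want 600 or 400)
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "smbauth: $file has mode $mode; run chmod 600" >&2
    return 1
  fi
  # The -A format needs username= and password= (domain= is not checked here)
  for key in username password; do
    if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
      echo "smbauth: $file has no ${key}= line" >&2
      return 3
    fi
  done
  return 0
}

# Run smbclient only after the auth file passes; flags match the command above.
smb_pull() {  # usage: smb_pull //server/share /path/to/authfile 'commands'
  check_smbauth "$2" || return
  smbclient "$1" -A "$2" \
    --option='client min protocol=SMB2' \
    --option='client max protocol=SMB3' \
    --encrypt -c "$3"
}
```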

Handy Cheat Sheet

# List shares (guest)
smbclient -L //HOST -N
 
# List shares (domain user)
smbclient -L //HOST -U DOMAIN\\user
 
# Connect to a share
smbclient //HOST/Share -U user
 
# Kerberos connect
kinit user@REALM && smbclient //HOST/Share -k
 
# Non-interactive fetch
smbclient //HOST/Share -U user -c "get file.docx"
 
# Recursive pull (no prompts)
smbclient //HOST/Share -U user -c "recurse; prompt OFF; mget *"
 
# Use auth file
smbclient //HOST/Share -A ~/.smbauth -c "ls"
 
# Force SMB2..SMB3 only
smbclient //HOST/Share --option='client min protocol=SMB2' --option='client max protocol=SMB3'
 
# Request encryption
smbclient //HOST/Share --encrypt -c "ls"

Appendix: Safe Automation Template

#!/usr/bin/env bash
set -Eeuo pipefail
SHARE="//filesrv01/Finance"
AUTH="/root/.smbauth"   # chmod 600
LOCAL_DIR="/data/finance"
 
mkdir -p "$LOCAL_DIR"
cd "$LOCAL_DIR"
 
smbclient "$SHARE" -A "$AUTH" \
  --option='client min protocol=SMB2' \
  --option='client max protocol=SMB3' \
  --encrypt \
  -c "recurse; prompt OFF; mget *"

Final Notes

  • smbclient is ideal for quick, scriptable SMB tasks; for deep AD/host enumeration pair it with rpcclient, nbtstat/smbstatus, or the Impacket toolkit.
  • In modern environments, SMB2/3 with signing (and encryption where needed) should be the default posture.

Use this guide as a reference during assessments, incident response, or daily admin work.


***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.