SMBMAP — Practical Guide

1. INTRODUCTION

SMBMap is a powerful SMB enumeration tool used to:

- List shares
- Check permissions
- Read/write files
- Test authentication
- Execute commands (when allowed)

Common in:

- Internal pentesting
- Active Directory testing
- CTF foothold enumeration

2. BASIC ENUMERATION

List SMB shares on a host:

```bash
smbmap -H <IP>
```

Example:

```bash
smbmap -H 10.10.10.5
```

3. AUTHENTICATED ENUMERATION

Provide username and password:

```bash
smbmap -H <IP> -u <USER> -p <PASS>
```

Null session (guest / anonymous):

```bash
smbmap -H 10.10.10.5 -u "" -p ""
```

4. LIST SHARE PERMISSIONS

Show read/write/execute permissions:

```bash
smbmap -H 10.10.10.5 -u admin -p admin123
```

Permissions meaning:

- R : read
- W : write
- X : execute
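
As an added example (not part of the original guide), the function below triages a saved share listing from an audit of your own hosts and flags shares that the tested credentials can write to or read. The tab-separated layout and the permission strings `NO ACCESS`, `READ ONLY` and `READ, WRITE` are assumptions about the tool's output, and the sample listing is constructed.

```bash
#!/usr/bin/env bash
# Added example: flag risky entries in an smbmap-style share listing.
# Assumption: rows look like "<TAB>share<TAB>permissions<TAB>comment".

# Constructed sample, standing in for saved output of a null-session run.
row() { printf '\t%s\t%s\t%s\n' "$1" "$2" "$3"; }
sample_listing() {
  printf '[+] IP: 10.10.10.5:445\tName: 10.10.10.5\n'
  row 'Disk'    'Permissions' 'Comment'
  row '----'    '-----------' '-------'
  row 'ADMIN$'  'NO ACCESS'   'Remote Admin'
  row 'C$'      'NO ACCESS'   'Default share'
  row 'IPC$'    'READ ONLY'   'Remote IPC'
  row 'backups' 'READ ONLY'   'Nightly dumps'
  row 'public'  'READ, WRITE' ''
}

# Reads a listing on stdin, prints "<severity>\t<share>\t<finding>" per hit.
flag_exposed_shares() {
  awk -F'\t' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF < 3 { next }                      # banner and blank lines
    {
      share = trim($2); perms = toupper(trim($3))
      # Skip the column header and its dashed underline.
      if (share == "" || share == "Disk" || share ~ /^-+$/) next
      if (perms ~ /WRITE/)
        print "HIGH\t" share "\twritable"
      else if (perms ~ /READ/ && share != "IPC$")
        # IPC$ is commonly readable; it carries no files, so it is not flagged.
        print "MEDIUM\t" share "\treadable"
    }'
}

# Exit status 0 when at least one writable share is present (for audit jobs).
has_writable_share() { flag_exposed_shares | grep -q '^HIGH'; }

sample_listing | flag_exposed_shares
```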

5. SEARCH FOR SPECIFIC FILES

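Search the recursive listing for file names containing a keyword. `-R` takes an optional share/path to list, not a search term, so filter its output:

```bash
smbmap -H <IP> -R | grep -i <KEYWORD>
```

Example:

```bash
smbmap -H 10.10.10.5 -R | grep -i backup
```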

6. DOWNLOAD FILES

Download a file from a share:

```bash
smbmap -H <IP> --download <SHARE/PATH>
```

Example:

```bash
smbmap -H 10.10.10.5 --download "public/creds.txt"
```

7. UPLOAD FILES (IF WRITE ACCESS)

Upload a local file to a writable share:

```bash
smbmap -H <IP> --upload local.txt share/uploaded.txt
```

Used for:

- Privilege escalation scripts
- Planting payloads in labs/CTFs

8. RECURSIVE SHARE ENUMERATION

List all files recursively:

```bash
smbmap -H 10.10.10.5 -R
```

Useful to discover:

- Password files
- Backups
- Configuration files
- Sensitive notes

9. CHECK ACCESS TO A SPECIFIC SHARE

Test permission for a single share:

```bash
smbmap -H 10.10.10.5 -u bob -p bob123 -s public
```

10. EXECUTE COMMANDS (IF SERVER ALLOWS)

Some Windows hosts allow RCE via anonymous or authenticated IPC$.

Execute a command:

```bash
smbmap -H <IP> -x "ipconfig"
```

Used for:

- Foothold on Windows machines
- Testing SMB-to-RCE vulnerabilities

11. BRUTE-FORCE TESTING

Try multiple usernames/passwords:

```bash
smbmap -H <IP> -u users.txt -p passwords.txt
```

Useful for:

- Weak domain credentials
- User enumeration in AD environments

12. COMBINING WITH OTHER TOOLS

SMBMap works well with:

- enum4linux : enumerate users/groups
- crackmapexec : large-scale SMB testing
- nmap --script smb* : vulnerability detection

13. FULL CTF WORKFLOW


1. Enumerate shares:

```bash
smbmap -H 10.10.10.5
```

2. Try null session:

```bash
smbmap -H 10.10.10.5 -u "" -p ""
```

3. Identify share permissions.

4. Recursively list files:

```bash
smbmap -H 10.10.10.5 -R
```

5. Download interesting files (creds, configs, backups):

```bash
smbmap -H <IP> --download "<share/file>"
```

6. Upload payload if write access exists.

7. Try command execution:

```bash
smbmap -H <IP> -x "whoami"
```

8. Pivot using gained credentials:

- RDP
- WinRM
- SMB
- SSH
