SMBMap: Automating Network Share Enumeration for Security Testing
Hook
While most security tools focus on finding vulnerabilities in applications, SMBMap tackles a simpler problem: Windows file shares remain one of the most common sources of credential leaks and sensitive data exposure in enterprise networks.
Context
Penetration testers spend significant time during network assessments manually enumerating SMB shares, checking permissions, and searching for sensitive files across dozens or hundreds of Windows hosts. Traditional tools like smbclient require manual connection to each share, while enum4linux focuses primarily on user and group enumeration rather than file system operations. This creates a gap in workflows: you’ve compromised credentials (or captured NTLM hashes), but now face hours of tedious reconnaissance to map out accessible data.
SMBMap emerged to automate this reconnaissance phase specifically for offensive security engagements. The tool combines share enumeration, permission checking, file searching, and remote command execution into a single command-line tool designed with pen testing in mind. The design philosophy is pragmatic: assume you’re already inside the network with some level of access, then help you quickly identify where sensitive data lives and which shares offer pivot opportunities for further exploitation.
Technical Insight
SMBMap’s authentication options reflect real engagement scenarios: null sessions for unauthenticated enumeration, plaintext credentials, NTLM pass-the-hash (the LM:NT hash pair goes where the password would, which is crucial when you’ve captured hashes you can’t crack), and Kerberos support (marked ‘super beta’ in the documentation) for environments with strict authentication policies.
The basic workflow starts with share discovery and permission checking. For each share on the target host, SMBMap connects, lists the share to confirm read access, and then attempts an actual write to identify upload opportunities for staging payloads during post-exploitation. Note that the write test is a real write rather than a permissions query, so it shows up in share audit logs:
# Basic authenticated enumeration with hash (from README examples)
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
# Quiet mode to suppress shares with no access
$ python smbmap.py -H 192.168.1.50 -u backup_admin -p 'password' -q
The -q flag suppresses shares where the account has no access, so multi-host runs produce a list of actionable targets instead of a wall of access-denied entries. This matters when scanning many hosts: you want signal, not noise.
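To make the two pieces above concrete (the LM:NT hash pair that replaces the password, and the read/write probe behind the access column), here is an added example written against impacket’s SMBConnection API. It is not SMBMap’s own code; the mkdir/rmdir probe is the same idea SMBMap uses, but the FakeConnection class and its shares are constructed for the dry run, and pairing a bare NT hash with the empty LM hash is an assumption borrowed from impacket’s --hashes convention.

```python
"""Share enumeration with a mkdir/rmdir write probe, the approach SMBMap takes.
Added example written against impacket's SMBConnection API; not SMBMap's code.
Running the file directly exercises the logic against a constructed server."""
import re
import secrets
from dataclasses import dataclass

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password

def split_hash_arg(value):
    """Normalise the LM:NT pair that goes into -p. A bare NT hash is paired with
    the empty LM hash (assumption: impacket's convention); bad input raises."""
    parts = value.split(":")
    if len(parts) == 1:
        lm, nt = EMPTY_LM, parts[0]
    elif len(parts) == 2:
        lm, nt = parts
    else:
        raise ValueError("expected LMHASH:NTHASH")
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError("each hash must be 32 hex characters")
    return lm.lower(), nt.lower()

@dataclass
class ShareAccess:
    name: str
    readable: bool = False
    writable: bool = False
    leftover: str = ""  # probe directory we created but could not remove

def probe_share(conn, share):
    """READ if the share root lists; WRITE if a throwaway directory can be created.
    The probe is a real write, so it is audited; a failed cleanup is reported."""
    access = ShareAccess(share)
    try:
        conn.listPath(share, "\\*")
    except Exception:
        return access
    access.readable = True
    probe = "\\" + secrets.token_hex(8)
    try:
        conn.createDirectory(share, probe)
    except Exception:
        return access
    access.writable = True
    try:
        conn.deleteDirectory(share, probe)
    except Exception:
        access.leftover = probe
    return access

def enumerate_shares(conn, exclude=("ADMIN$", "IPC$")):
    """Probe every share the server advertises except those in `exclude`."""
    skip = {name.upper() for name in exclude}
    results = []
    for entry in conn.listShares():
        name = entry["shi1_netname"][:-1]  # impacket returns NUL-terminated names
        if name.upper() not in skip:
            results.append(probe_share(conn, name))
    return results

class FakeConnection:
    """Constructed stand-in for SMBConnection: C$ lists but rejects writes,
    Public is writable, Secret denies everything, IPC$ exists to be excluded."""
    def listShares(self):
        return [{"shi1_netname": s + "\x00"} for s in ("C$", "IPC$", "Public", "Secret")]
    def listPath(self, share, path):
        if share == "Secret":
            raise PermissionError("STATUS_ACCESS_DENIED")
        return []
    def createDirectory(self, share, path):
        if share != "Public":
            raise PermissionError("STATUS_ACCESS_DENIED")
    def deleteDirectory(self, share, path):
        pass

def connect(host, user, password="", hashes=None, domain=""):
    """Open an authenticated impacket session; `hashes` (LM:NT) wins over password."""
    from impacket.smbconnection import SMBConnection  # only needed for live use
    lm, nt = split_hash_arg(hashes) if hashes else ("", "")
    conn = SMBConnection(host, host)
    conn.login(user, password, domain, lm, nt)
    return conn

def report(results):
    """One line per share in the same spirit as SMBMap's access column."""
    lines = []
    for r in results:
        privs = [p for p, ok in (("READ", r.readable), ("WRITE", r.writable)) if ok]
        note = f"  (cleanup failed: {r.leftover})" if r.leftover else ""
        lines.append(f"{r.name:<12}{', '.join(privs) or 'NO ACCESS'}{note}")
    return lines

if __name__ == "__main__":
    # Live use: report(enumerate_shares(connect("172.16.0.20", "jsmith", hashes="LM:NT")))
    print("\n".join(report(enumerate_shares(FakeConnection()))))
```

The leftover field is the detail worth keeping: a probe directory that could not be removed is an artifact on a client’s file server, and it should be recorded in the engagement log rather than discovered by the customer later.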
Recursive directory traversal (-r) is where the automation pays off. The --depth parameter bounds how far the listing descends, keeping runs against large file servers from hanging while still surfacing the directories worth a closer look:
# Recursively list shares with depth limit, exclude noisy shares
$ python smbmap.py -H 10.0.0.25 -u jdoe -p 'password' -r -q --depth 3 --exclude ADMIN$ IPC$
# Pattern-based auto-download with regex
$ python smbmap.py -H 10.0.0.25 -u jdoe -p 'password' -r -A '(web|global).(asax|config)' --depth 5
The -A option takes a regex and automatically downloads every file whose name matches, so one recursive pass pulls down web.config files, connection strings and credential files instead of you hunting for them by hand. Two things to check before relying on a pattern: the unescaped ‘.’ in the README example matches any character, not just the extension separator, so escape it (‘\.’) when you want an exact match, and an unanchored pattern also picks up backups such as web.config.bak, which is often exactly what you want. Combined with --host-file for bulk scanning and --csv for structured output, you can sweep many hosts in a single run and feed the results into other tooling.
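Because -A downloads whatever matches, it is worth dry-running a pattern against a realistic listing before an engagement. The following added helper is not SMBMap’s code: it reproduces the README’s description of -A as a case-insensitive regex on file names using Python’s re module, over a constructed listing. Whether your SMBMap version matches the bare name or the full path, and the SENSITIVE pattern itself, are assumptions to confirm and tune.

```python
"""Dry-run an -A pattern before an engagement. SMBMap's README describes -A as a
case-insensitive regex matched against file names; this added helper (not
SMBMap's code) reproduces that with Python's re module so you can see what a
pattern would pull down. Bare-name matching is an assumption to confirm."""
import re

# Constructed file names standing in for a recursive share listing.
SAMPLE_LISTING = [
    "web.config", "Web.Config.bak", "global.asax", "web_config_old.txt",
    "weblog.asax.old", "global.config", "app.config", "unattend.xml",
    "id_rsa", "backup.kdbx", "notes.txt",
]

LOOSE = r"(web|global).(asax|config)"     # README example: the '.' is any character
TIGHT = r"^(web|global)\.(asax|config)$"  # literal dot, whole name only
# Broader net for credential-bearing files (assumption: tune per engagement).
SENSITIVE = r"\.(config|kdbx|pem|ppk|env)$|^id_rsa$|^unattend\.xml$"

def match_names(pattern, names):
    """Names that -A would download for `pattern`, matched case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [n for n in names if rx.search(n)]

def extra_hits(loose, tight, names):
    """Names the looser pattern pulls down that the tighter one does not."""
    return sorted(set(match_names(loose, names)) - set(match_names(tight, names)))

if __name__ == "__main__":
    for label, pattern in (("LOOSE", LOOSE), ("TIGHT", TIGHT), ("SENSITIVE", SENSITIVE)):
        print(f"{label:<9} {pattern!r}")
        for name in match_names(pattern, SAMPLE_LISTING):
            print("   ", name)
    print("loose-only:", extra_hits(LOOSE, TIGHT, SAMPLE_LISTING))
```

On this listing the README pattern also grabs web_config_old.txt through its unescaped dot, and Web.Config.bak through the missing anchor; the first is a false positive, the second is a backup you probably want. Decide which behaviour you need and write the pattern accordingly, since every match costs a download over the wire.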
Remote command execution bridges enumeration and exploitation. SMBMap implements two execution methods via the --mode flag: WMI (Windows Management Instrumentation) and PSExec. Both require administrative credentials:
# Execute a command via WMI (the default --mode); -p takes a password or an LMHASH:NTHASH pair
$ python smbmap.py -H 192.168.1.100 -u admin -p 'LMHASH:NTHASH' -x 'whoami /all'
# PSExec mode for environments where WMI is restricted
$ python smbmap.py -H 192.168.1.100 -u admin -p 'LMHASH:NTHASH' -x 'net user' --mode psexec
The file content search (-F) is labeled in the README as ‘kind of experimental’. It requires admin access plus PowerShell on the target, because the search runs on the target itself rather than downloading files and grepping them locally; --search-path scopes where it looks:
# Search for password patterns in file contents
$ python smbmap.py -H 10.0.0.25 -u admin -p 'password' -F '[Pp]assword' --search-path 'D:\HR\'
The tool also supports direct filesystem operations (--download, --upload, --delete) for interacting with accessible shares once enumeration has told you where to look.
Gotcha
SMBMap’s README includes honest caveats that deserve attention. The author explicitly states that features ‘have not been thoroughly tested’ and that bugs are ‘only really found and fixed while I’m on engagements,’ resulting in ‘slow progress.’ This isn’t a polished enterprise tool—it’s a working practitioner’s utility that gets patched when real-world use exposes issues. Kerberos support carries a ‘super beta’ warning, and the file content search is described as ‘kind of experimental,’ both suggesting these features may fail unpredictably.
The content search (-F) has the heaviest footprint. It needs administrative privileges, because it executes a remote command, and PowerShell on the target, because that is what performs the search; each invocation spawns processes on the host, which is exactly what endpoint telemetry records. The --search-timeout parameter exists because these searches hang or time out on large shares, and its default of 300 seconds usually needs tuning per environment.
Recursive enumeration with a high --depth generates substantial SMB traffic: a connection to every share, a listing of every directory, metadata reads for every file, plus the write probe on each share. The tool doesn’t appear to implement request throttling or delays, which makes it better suited to authorized assessments than to operations where stealth matters.
The tool is actively developed (it has been ported to Python 3), but the author’s acknowledgment that progress is ‘slow’ and driven by bugs found on engagements means you should expect edge cases in production use.
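The detection side of that traffic is simple to write, which is the point. The following added example is not from SMBMap: it runs two rules over constructed Windows Security events reduced to the fields the rules use, Event ID 5140 (a network share object was accessed) for share fan-out and 5145 (the access check recorded under Detailed File Share auditing) for write attempts such as the directory probe. Window size, threshold and the access-mask bits treated as writes are assumptions to tune for your environment.

```python
"""Detection sketch for the noise SMBMap's enumeration makes: one account from
one source touching many shares on a host within seconds (Security 5140), plus
a write-access check on a share (Security 5145) from the same account.
Added example, not part of SMBMap; events are constructed and simplified."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 5, 1, 12, 0, 0)

def ev(eid, secs, account, ip, share, mask=0, target=""):
    """Build a constructed event with the handful of 5140/5145 fields used below."""
    return {"EventID": eid, "Time": T0 + timedelta(seconds=secs), "Account": account,
            "SourceIP": ip, "Host": "FS01", "ShareName": share, "AccessMask": mask,
            "RelativeTargetName": target}

# Constructed sample log: jdoe sweeps five shares in four seconds and creates a
# directory on Public (the write probe); asmith is ordinary interactive use.
EVENTS = [
    ev(5140, 0, "jdoe", "10.0.0.50", r"\\*\C$"),
    ev(5140, 1, "jdoe", "10.0.0.50", r"\\*\ADMIN$"),
    ev(5140, 2, "jdoe", "10.0.0.50", r"\\*\Public"),
    ev(5145, 2, "jdoe", "10.0.0.50", r"\\*\Public", mask=0x4, target="9f1c3a7e2b4d6081"),
    ev(5140, 3, "jdoe", "10.0.0.50", r"\\*\HR"),
    ev(5140, 4, "jdoe", "10.0.0.50", r"\\*\Finance"),
    ev(5140, 0, "asmith", "10.0.0.60", r"\\*\Public"),
    ev(5145, 0, "asmith", "10.0.0.60", r"\\*\Public", mask=0x1, target="team\\notes.txt"),
    ev(5140, 1800, "asmith", "10.0.0.60", r"\\*\HR"),
    ev(5140, 1830, "asmith", "10.0.0.60", r"\\*\Public"),
]

# FILE_WRITE_DATA/FILE_ADD_FILE and FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY.
WRITE_BITS = 0x2 | 0x4

def share_fanout(events, window=timedelta(seconds=60), min_shares=4):
    """Alert when one (account, source, host) touches >= min_shares distinct
    shares inside a sliding window; the first crossing per key is reported."""
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] == 5140:
            by_key[(e["Account"], e["SourceIP"], e["Host"])].append(e)
    alerts = []
    for (account, ip, host), evs in by_key.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            shares = {e["ShareName"] for e in evs[i:] if e["Time"] - first["Time"] <= window}
            if len(shares) >= min_shares:
                alerts.append({"Account": account, "SourceIP": ip, "Host": host,
                               "Shares": sorted(shares), "WindowStart": first["Time"]})
                break
    return alerts

def write_attempts(events, accounts=None):
    """5145 events requesting write/add access, optionally limited to the
    accounts that fan-out flagged; this pairs a sweep with the write probe."""
    return [e for e in events
            if e["EventID"] == 5145 and e["AccessMask"] & WRITE_BITS
            and (accounts is None or e["Account"] in accounts)]

if __name__ == "__main__":
    alerts = share_fanout(EVENTS)
    for a in alerts:
        print(f"fan-out: {a['Account']}@{a['SourceIP']} -> {a['Host']} "
              f"{len(a['Shares'])} shares from {a['WindowStart']:%H:%M:%S}: {a['Shares']}")
    for w in write_attempts(EVENTS, {a["Account"] for a in alerts}):
        print(f"write probe: {w['Account']} on {w['ShareName']} target {w['RelativeTargetName']!r}")
```

A sliding window over distinct share names is enough to separate a sweep from a user opening two shares in the same half hour, and correlating it with a write-access check from the same account is what turns "someone is browsing" into "someone is looking for a place to stage files". If you are on the offensive side, this is the rule set you should assume exists when deciding how deep to recurse.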
Verdict
Use SMBMap if you’re conducting authorized penetration tests or red team engagements against Windows environments and need fast, automated SMB reconnaissance. It answers tactical questions quickly: Which shares can this compromised account access? Where are the writable shares for payload staging? Are there config files with credentials? The pattern-matching auto-download (-A) and pass-the-hash support make it particularly valuable when you’ve obtained credentials or hashes and need to assess their reach across the network, and the CSV (--csv) and grep-friendly (-g) output formats slot into larger workflows.
Skip it if you need production-stable tooling with comprehensive testing; limited testing and engagement-driven bug fixes mean you will hit edge cases. Be cautious where detection matters, since enumeration and the write probes generate significant SMB traffic. In Kerberos-only environments, expect instability given the ‘super beta’ status of Kerberos support. For pure file transfer or basic SMB interaction, smbclient may be the more reliable choice.
SMBMap occupies a specific niche: it’s the tool you reach for during time-constrained assessments when you need SMB enumeration done quickly and can tolerate occasional bugs in exchange for automation of share discovery, permission checking, pattern-based file retrieval, and remote command execution.