# Samba (smb)

### smbclient

smbclient takes SMB service paths in UNC form, `\\host\share`. Unquoted or inside double quotes the shell strips one backslash from each pair, so every backslash must be doubled: `\\\\10.10.10.10` for the host, and the share part too: `\\\\10.10.10.10\\users`.

Single quotes avoid the escaping altogether (`'\\10.10.10.10\users'`), and smbclient also accepts forward slashes (`//10.10.10.10/users`), which need no quoting at all.

<table><thead><tr><th width="207">Flag</th><th>Description</th></tr></thead><tbody><tr><td><code>-L</code></td><td>retrieve a list of available shares on the host given as its argument</td></tr><tr><td><code>-N</code></td><td>suppresses the password prompt (null session when combined with an empty user)</td></tr><tr><td><code>-U</code></td><td>specify the user; <code>-U 'user%password'</code> supplies the password inline (can be put after the address)</td></tr></tbody></table>

{% hint style="info" %}
Order matters: `-L` takes the host as its argument, so `-N` must not directly follow it. `smbclient -L -N 10.10.10.10` will still ask for a password, while `smbclient -N -L 10.10.10.10` (or `smbclient -L 10.10.10.10 -N`) works fine.
{% endhint %}
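The quoting rules above, as an added example that is not part of the original page: the three spellings of the same service path are built in a shell and checked to be byte-identical, and a small null-session wrapper shows where `-N` belongs. The host `10.10.10.10` and share `users` are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): equivalent spellings of an SMB
# service path for smbclient, plus a null-session wrapper. Host 10.10.10.10 and
# share "users" are assumed placeholders.

# Build \\host\share. Single quotes keep backslashes literal, so none are doubled.
unc_path() {
  printf '%s' '\\'"$1"'\'"$2"
}

# Same path written in double quotes: every backslash has to be doubled.
unc_path_dq() {
  printf '%s' "\\\\$1\\$2"
}

# smbclient also accepts //host/share; swap each backslash for a slash.
unc_to_posix() {
  printf '%s' "$1" | tr '\\' '/'
}

# Returns 0 when all three spellings denote the same path, 1 otherwise.
paths_agree() {
  h=$1; s=$2
  [ "$(unc_path "$h" "$s")" = "$(unc_path_dq "$h" "$s")" ] &&
  [ "$(unc_to_posix "$(unc_path "$h" "$s")")" = "//$h/$s" ]
}

# Null-session share listing and connect. -N goes before -L so it is not
# consumed as -L's host argument. Only executes when smbclient is installed.
list_and_connect() {
  host=$1; share=$2
  if ! command -v smbclient >/dev/null 2>&1; then
    echo "smbclient not installed; would run:" >&2
    echo "  smbclient -N -L $host" >&2
    echo "  smbclient -N '$(unc_path "$host" "$share")' -c ls" >&2
    return 0
  fi
  smbclient -N -L "$host"
  smbclient -N "$(unc_path "$host" "$share")" -c 'ls'
}

# Usage: ./smbpath.sh <host> [share]
if [ $# -ge 1 ]; then
  list_and_connect "$1" "${2:-users}"
fi
```

`unc_path` is the form to prefer in scripts: the single-quoted pieces are never re-interpreted, whereas the double-quoted version silently loses a backslash the moment someone removes one of the doubled pairs.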

### rpcclient

`rpcclient` is Samba's tool for issuing [Remote Procedure Call](https://www.geeksforgeeks.org/remote-procedure-call-rpc-in-operating-system/) (`RPC`) requests to a Windows or Samba host over SMB named pipes, for example `samr` (users and groups), `srvsvc` (shares) and `lsarpc` (SID lookups). When the host allows unauthenticated ("null session") access to these interfaces, the commands below enumerate the domain without any credentials.

[man page](https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html)

| Command                   | Description                                                        |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo`                 | Server information (OS version, server type).                      |
| `enumdomains`             | Enumerate the domains the server knows about.                      |
| `querydominfo`            | Domain name, server role and user/group counts of the domain.      |
| `netshareenumall`         | Enumerate all shares, including the hidden administrative ones.    |
| `netsharegetinfo <share>` | Information (path, permissions) about a specific share.            |
| `enumdomusers`            | Enumerate all domain users together with their RIDs.               |
| `queryuser <RID>`         | Information about a specific user, looked up by RID.               |
| `querygroup <RID>`        | Information about a specific group, looked up by RID.              |

```
# Empty user = null session; add -N to skip the (empty) password prompt
$ rpcclient -U "" 10.129.14.128

Enter WORKGROUP\'s password:
rpcclient $> srvinfo
rpcclient $> enumdomains
rpcclient $> querydominfo
rpcclient $> netshareenumall
rpcclient $> netsharegetinfo <share-name>

rpcclient $> enumdomusers                # prints user:[name] rid:[0x...]
rpcclient $> queryuser <rid>             # e.g. queryuser 0x1f4 (RID 500, built-in Administrator)
rpcclient $> querygroup <group-rid>      # e.g. querygroup 0x200 (RID 512, Domain Admins)
```

Bash loop to sweep RIDs 500 to 1100 with `queryuser` (500 is the built-in Administrator, 501 Guest, 502 krbtgt; accounts created later normally start at 1000) and print only the name and RID fields. This works even on hosts that refuse `enumdomusers` but still answer `queryuser` for individual RIDs:

```
for i in $(seq 500 1100); do
  # printf turns the decimal counter into the 0x... form used in the session above
  rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" \
    | grep "User Name\|user_rid\|group_rid" && echo ""
done
```
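A less noisy version of the sweep, added here as an example that is not part of the original page: ask `enumdomusers` for the RIDs the server actually has, parse them, and only then call `queryuser` per RID, falling back to the 500 to 1100 sweep when the listing is refused. Offline it runs on a constructed sample of `enumdomusers` output; the target host is taken from `$1` and `10.129.14.128` is only a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: RID-driven user enumeration over a
# null session. Parses enumdomusers output, then queries each RID. Runs on a
# constructed sample offline; pass a host as $1 (e.g. 10.129.14.128, a placeholder)
# to run it for real.

# Constructed sample of `rpcclient -c enumdomusers` output.
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x44f]'

# Decimal RID -> the 0x... form used with queryuser (500 -> 0x1f4).
rid_to_hex() {
  printf '0x%x' "$1"
}

# Parse enumdomusers lines on stdin into "hexrid decrid name" rows.
# Name goes last so `read` keeps a name that contains spaces intact.
parse_enumdomusers() {
  sed -n 's/^user:\[\(.*\)\] rid:\[\(0x[0-9a-fA-F]*\)\]$/\2 \1/p' |
  while read -r hex name; do
    printf '%s %d %s\n' "$hex" "$hex" "$name"
  done
}

# Row N (1-based) of the parsed sample, for inspection.
sample_row() {
  printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers | sed -n "${1}p"
}

# Live run: list users via SAMR, then queryuser each RID over a null session.
# If enumdomusers returns nothing (listing blocked), fall back to the RID sweep
# from the page, since queryuser is often still answered per RID.
enum_users() {
  host=$1
  rows=$(rpcclient -N -U "" "$host" -c enumdomusers 2>/dev/null | parse_enumdomusers)
  if [ -z "$rows" ]; then
    echo "enumdomusers returned nothing; sweeping RIDs 500-1100" >&2
    rows=$(i=500; while [ "$i" -le 1100 ]; do
             printf '%s %d rid%d\n' "$(rid_to_hex "$i")" "$i" "$i"; i=$((i + 1)); done)
  fi
  printf '%s\n' "$rows" | while read -r hex dec name; do
    out=$(rpcclient -N -U "" "$host" -c "queryuser $hex" 2>/dev/null \
          | grep -E 'User Name|Description|group_rid') || continue
    printf '== %s (rid %s / %s)\n%s\n\n' "$name" "$hex" "$dec" "$out"
  done
}

# Usage: ./rpcenum.sh <host>
if [ $# -ge 1 ]; then
  enum_users "$1"
fi
```

Parsing `enumdomusers` first means one RPC call per real account instead of 600 guesses, and the `Description` field is worth keeping in the grep: administrators regularly leave passwords or hints there.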

{% hint style="info" %}
Other tools that automate this: [Samrdump](https://github.com/fortra/impacket/blob/master/examples/samrdump.py), [SMBMap](https://github.com/ShawnDEvans/smbmap) or [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)

Worth mentioning but more verbose: [enum4linux-ng](https://github.com/cddmp/enum4linux-ng)
{% endhint %}
