# Samba (smb)

### smbclient

Remember to escape the backslashes before the target IP or domain. The share path usually looks like `\\\\10.10.10.10`.

The rest of the path needs escaping too: `\\\\10.10.10.10\\users`

<table><thead><tr><th width="207">Flag</th><th>Description</th></tr></thead><tbody><tr><td><code>-L</code></td><td>Retrieve a list of available shares</td></tr><tr><td><code>-N</code></td><td>Suppress the password prompt (null session)</td></tr><tr><td><code>-U</code></td><td>Specify the user (can also be placed after the address)</td></tr></tbody></table>

{% hint style="info" %}
Order matters: for example, `-L -N` will still ask for the password, while `-N -L` works fine.
{% endhint %}

### rpcclient

[Remote Procedure Call](https://www.geeksforgeeks.org/remote-procedure-call-rpc-in-operating-system/) (`RPC`) is a mechanism for invoking functions on a remote host as if they were local. It is therefore also a central building block for operational and work-sharing structures in networks and client-server architectures, and `rpcclient` uses it to query a Samba or Windows host.

[man page](https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html)

| Command                   | Description                                                        |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo`                 | Server information.                                                |
| `enumdomains`             | Enumerate all domains that are deployed in the network.            |
| `querydominfo`            | Provides domain, server, and user information of deployed domains. |
| `netshareenumall`         | Enumerates all available shares.                                   |
| `netsharegetinfo <share>` | Provides information about a specific share.                       |
| `enumdomusers`            | Enumerates all domain users.                                       |
| `queryuser <RID>`         | Provides information about a specific user.                        |

```
$ rpcclient -U "" 10.129.14.128

Enter WORKGROUP\'s password:
rpcclient $> srvinfo
rpcclient $> enumdomains
rpcclient $> querydominfo
rpcclient $> netshareenumall
rpcclient $> netsharegetinfo <share-name>

rpcclient $> enumdomusers
rpcclient $> queryuser <rid>
rpcclient $> querygroup <group-rid>
```

Example Bash loop that enumerates users by RID (here RIDs 500 to 1100), keeping only the name and RID lines of each `queryuser` result:

```
for i in $(seq 500 1100); do
  # queryuser expects the RID in hex
  rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x' "$i")" \
    | grep "User Name\|user_rid\|group_rid" && echo ""
done
```
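As an added example (not code from the original page), a small Python parser for the records the loop above prints: it splits the output on the blank lines the loop echoes, converts the hex RIDs to integers, and flags built-in accounts (RID below 1000), which is why the loop starts at 500. The sample output is constructed, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample mimicking the loop's output after grep keeps only the
# "User Name", "user_rid" and "group_rid" lines; records are separated by
# the blank line the loop echoes. Names and RIDs are made up.
SAMPLE_OUTPUT = """\
\tUser Name   :\tadministrator
\tuser_rid :\t0x1f4
\tgroup_rid:\t0x201

\tUser Name   :\tbob
\tuser_rid :\t0x3e8
\tgroup_rid:\t0x201

\tUser Name   :\tsvc-backup
\tuser_rid :\t0x3e9
\tgroup_rid:\t0x201
"""

# rpcclient prints "<field> :<tab><value>"; the space before ':' varies per field.
FIELD_RE = re.compile(r"^\s*(User Name|user_rid|group_rid)\s*:\s*(\S*)\s*$")


def parse_queryuser_records(text: str) -> List[Dict[str, object]]:
    """Turn the loop's output into [{"name", "rid", "group_rid"}, ...].

    Records missing any of the three fields (e.g. a RID that does not exist,
    for which rpcclient printed nothing useful) are skipped rather than
    producing a partial entry."""
    users: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if {"User Name", "user_rid", "group_rid"} <= fields.keys():
            users.append({
                "name": fields["User Name"],
                "rid": int(fields["user_rid"], 16),      # hex -> int
                "group_rid": int(fields["group_rid"], 16),
            })
    return users


def builtin_accounts(users: List[Dict[str, object]]) -> List[str]:
    """Names with RID < 1000: built-in accounts such as 500 (Administrator)
    and 501 (Guest); ordinary accounts are created from RID 1000 upwards."""
    return [str(u["name"]) for u in users if int(u["rid"]) < 1000]
```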

{% hint style="info" %}
Other tools that automate this: [Samrdump](https://github.com/fortra/impacket/blob/master/examples/samrdump.py), [SMBMap](https://github.com/ShawnDEvans/smbmap) or [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)

Worth mentioning but more verbose: [enum4linux-ng](https://github.com/cddmp/enum4linux-ng)
{% endhint %}
