smbclient //$IP/$SHARE -U $USER -p $PORT
  • -I — IP address to connect to
  • -U — username to use for the connection
  • -P — password to use for the connection
  • -N — attempt to connect without a password
  • -W — domain (or workgroup) to use for the connection
  • -p — connect to a non-standard port
  • -c — attempt to execute the supplied command (!!!) on the server (if the user you’re connecting as has permission to do so)

The -p directive is only necessary if working over a non-standard port (e.g., not 445).

If -U is not included, smbclient will use your current (local) username, so probably best to fill something else in. If a password needs to be sent, specify the user as ${USER}%${PASSWORD}.

The interface is reminiscent of old-school FTP clients.

Reconnaissance

Samba services can be enumerated by smbclient using:

smbclient -L $SERVER_NAME -I $IP_ADDRESS

Here $SERVER_NAME is the machine’s NetBIOS domain name, which can be found with enum4linux.