The problem with Smbmap

Fahri Korkmaz
Jan 23, 2023

--

When using Smbmap in your Red Team engagement, keep in mind, that Smbmap creates a random directory at the root of each SMB Share to check for write privileges, which makes it less stealthy :0

It deletes that directory afterward (when no exception is thrown).

But the Blue Team can still detect it by listening for file creation events at the root directory of every share.

The name of the directory is by default 10 characters long and consists of only uppercase letters. So this regex should detect it: ^[A-Z]{10}$

Recommendation

I recommend using more dumb tools for SMB enumeration, which provide the bare minimum functionality for your use case. Or if you accept the risk, then just patch Smbmap, so it uses a more realistic directory name, which blends into everyday traffic/actions of your client (target).

--

--