
crackmapexec can reveal the domain name:

With a list of usernames and passwords, you can try brute-forcing:

crackmapexec smb manager.htb -u Desktop/user.txt -p Desktop/user.txt --no-brute --continue-on-success


Check for non-default shares such as Replication or Users.

smbclient -N -L //

NTLM Auth Disabled

In some cases, such as HTB Scrambled, NTLM authentication may be disabled for security reasons. Standard tools will then fail, and you will not be able to access any service by IP address if it requires authentication.

Using impacket’s you can access SMB: -k scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip dc1.scrm.local


smbmap -H -u SABatchJobs -p SABatchJobs

Download Share

Recursively Download

smb: \> mask ""
smb: \> lcd .
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *


Without Creds:

mount -t cifs // /mnt

With Creds:

sudo mount -t cifs -o 'username=audit2020,password=audit123~' // /mnt

Password Hunting

First take a look at what files are in there:

find .
ls

You can also list regular files only: find . -type f

Look for passwords:

  • grep -ir 'password' .
  • grep -ir 'pwd' .
  • grep -ir 'pass' .
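The listing and grep steps above combined into one pass, as an added example that is not part of the original notes: it skips binary files, reports file:line:text for each hit so results can be triaged, and also flags files whose names look like credential stores (the same *cred* / *secret* name patterns the Windows section uses). It assumes the share is already mounted (for example at /mnt); the sample directory tree and its file contents are constructed here for the demo. Run against your own shares, the same script shows which files a share owner should clean up.

```bash
#!/usr/bin/env bash
# Added example: audit a mounted share (or any directory tree) for plaintext
# credentials. Not from the original notes; sample data below is constructed.

# Keyword pattern: the notes' three greps (password, pwd, pass) plus the
# cred/secret patterns from the Windows section, as one case-insensitive regex.
CRED_PATTERN='pass(word)?|pwd|secret|cred'

# Count regular files under a directory tree (the "find . -type f" step).
count_files() {
  find "$1" -type f | wc -l | tr -d ' '
}

# Files whose names suggest they hold credentials.
find_named() {
  find "$1" -type f \( -iname '*cred*' -o -iname '*secret*' -o -iname '*pass*' \)
}

# Search text files for credential keywords.
# -r recurse, -I skip binaries, -i ignore case, -n line numbers, -E extended regex.
# Prints file:line:text; exit status 0 if any hit, 1 if none.
hunt_credentials() {
  grep -rIinE "$CRED_PATTERN" "$1"
}

# Number of distinct text files that contain at least one keyword.
count_hit_files() {
  grep -rIilE "$CRED_PATTERN" "$1" | wc -l | tr -d ' '
}

# Build a small constructed share layout in a temp dir and print its path.
make_sample_share() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Contracts/private" "$dir/bin"
  printf 'file with all credentials\n' > "$dir/Contracts/private/secret.txt"
  printf 'db_user=app\ndb_pwd=Winter2020!\n' > "$dir/Contracts/private/config.ini"
  printf 'Quarterly figures attached.\n' > "$dir/Contracts/readme.txt"
  # Binary file that happens to contain the keyword; grep -I skips it.
  printf 'PASSWORD\000\001\002' > "$dir/bin/tool.dat"
  printf '%s' "$dir"
}

# Demo on the constructed tree (stands in for a share mounted at /mnt).
share=$(make_sample_share)
echo "Files in share: $(count_files "$share")"
echo "Files named like credential stores:"
find_named "$share"
echo "Lines mentioning credentials:"
hunt_credentials "$share" || echo "(none)"
rm -rf "$share"
```

With the constructed tree the demo reports four files, one credential-looking name (secret.txt) and two text files with keyword hits (secret.txt and config.ini); tool.dat contains the word but is skipped as binary.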

Interaction On Windows


On CMD, we can list the share as such:

dir \\ip-addr\Finance

To connect to a share, we can use net use as such:

net use n: \\ip-addr\Finance

If we need to authenticate, credentials can be provided as such:

net use n: \\ip-addr\Finance /user:user1 Password123

To find out how many files the share contains:

dir n: /a-d /s /b | find /c ":\"

We can look for files with certain names as such:

C:\htb>dir n:\*cred* /s /b
C:\htb>dir n:\*secret* /s /b

If we want to look for a specific word within a text file, we can use findstr:

c:\htb>findstr /s /i cred n:\*.*
n:\Contracts\private\secret.txt:file with all credentials


In PowerShell, list the share:

Get-ChildItem \\ip-addr\Finance\

To connect to the share:

New-PSDrive -Name "N" -Root "\\ip-addr\Finance" -PSProvider "FileSystem"

To provide a username and password, we need to create a PSCredential object:

PS C:\htb> $username = 'plaintext'
PS C:\htb> $password = 'Password123'
PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\htb> New-PSDrive -Name "N" -Root "\\\Finance" -PSProvider "FileSystem" -Credential $cred
Name           Used (GB)     Free (GB) Provider      Root                                                              CurrentLocation
----           ---------     --------- --------      ----                                                              ---------------
N                                      FileSystem    \\\Finance

To look for a file with a certain name:

Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

To look for files that contain a certain keyword:

Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List