> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/network-share/smb-null-session/trick-0625.md).

# Anonymous SMB Access and Key Download

***

Using `smbclient` with the `-U Anonymous` flag attempts to connect to an SMB share without credentials, exploiting potential misconfigurations that allow guest or anonymous access. The `-N` flag is also commonly used for anonymous or null session logins, achieving the same result of attempting access without providing a password.

```bash
smbclient //$TARGET_IP/$SHARE -U Anonymous
```

Before attempting to connect to a specific share, it is often useful to list the available shares on the target server. This can be done anonymously using the `-L` flag along with `-N`:

```bash
smbclient -L //$TARGET_IP -N
```

This command attempts to list the shares accessible via anonymous login or null session.

Once a share name is identified, you can attempt to connect to it using either `-U Anonymous` or `-N`:

```bash
smbclient //$TARGET_IP/$SHARE -U Anonymous
```

or

```bash
smbclient //$TARGET_IP/$SHARE -N
```

Once connected, you can navigate the share (use `ls`) and download files using the `get` command. This is particularly useful for finding sensitive files like SSH keys (`id_rsa`, `id_rsa.pub`).

```bash
get id_rsa id_rsa.pub
```

Another tool for enumerating SMB shares is `smbmap`. It can also be used for anonymous enumeration of shares and permissions:

```bash
smbmap -H $TARGET_IP
```

For enumeration in Windows environments, PowerShell can be utilized. The `PowerHuntShares` module, for instance, includes functions to identify shares accessible without authentication. The `Get-AnonymousShare` function can be used to list shares on a target computer that permit anonymous access:

```powershell
Get-AnonymousShare -ComputerName $TARGET_IP
```

This command provides a way to discover shares that might be misconfigured to allow guest or anonymous access.
