When working in Linux environments, discovering available SMB/CIFS shares is essential for network administration and file sharing operations. Unlike Windows' Network Neighborhood, Linux requires command-line tools to achieve similar functionality.
The most powerful tools for this task are:
nmblookup - part of Samba suite for NetBIOS name resolution
smbclient - SMB/CIFS client for accessing shares
nbtscan - NetBIOS names scanner
Start by identifying hosts in your workgroup:
nmblookup -S '*'
This will list all machines responding to NetBIOS name queries. The -S flag requests node status information.
To list shares on specific hosts:
smbclient -L //192.168.1.100 -N
Where -L lists available shares and -N suppresses password prompt for anonymous access.
Combine these tools in a bash script to scan your entire subnet:
#!/bin/bash
for ip in $(seq 1 254); do
host="192.168.1.$ip"
smbclient -L //$host -N &>/dev/null &&
echo "Shares on $host:" &&
smbclient -L //$host -N | grep -v "Anonymous login successful"
done
For a faster network overview:
nbtscan -r 192.168.1.0/24
This will show all machines with NetBIOS names, which you can then target for SMB share enumeration.
Remember that:
- Scanning networks may violate security policies
- Some hosts may log connection attempts
- Modern networks often block NetBIOS traffic
For more advanced scenarios:
from impacket.smbconnection import SMBConnection
conn = SMBConnection('*SMBSERVER', '192.168.1.100')
conn.login('', '')
shares = conn.listShares()
for share in shares:
print(share['shi1_netname'])
When working in Linux environments, you might need to discover available SMB (Server Message Block) or CIFS (Common Internet File System) shares on your local network. This is particularly useful for:
- Network administration tasks
- Scripting automated backups
- Troubleshooting file sharing issues
- Security auditing
Linux offers several powerful command-line tools for network share discovery:
# Basic package installation on Fedora/RHEL-based systems
sudo dnf install nmap smbclient samba-common-tools -yThis traditional method uses Samba's built-in tools:
# First, discover NetBIOS names in the network
nmblookup -S '*'
# Then list shares on a specific host
smbclient -L //192.168.1.100 -NFor a more comprehensive network scan:
# Scan for SMB services on the local subnet
nmap -p 445 --open -sV --script smb-enum-shares 192.168.1.0/24A more user-friendly approach that mimics Windows' network neighborhood:
smbtree -NHere's a bash script to automate the process:
#!/bin/bash
NETWORK="192.168.1.0/24"
echo "Scanning for SMB hosts..."
nmap -p 445 --open $NETWORK -oG - | grep "445/open" | awk '{print $2}' > smb_hosts.txt
echo "Found SMB hosts:"
cat smb_hosts.txt
echo "\nEnumerating shares..."
for host in $(cat smb_hosts.txt); do
echo -e "\nShares on $host:"
smbclient -L //$host -N | grep -E '^\\s+[^$]' | grep -v "IPC$"
doneWhen performing network scans:
- Always get proper authorization
- Be aware of corporate security policies
- Consider using --unprivileged flag with nmap if needed
- Limit scan rates with --max-rate to avoid network disruption
If you encounter problems:
# Check if SMB ports are accessible
telnet 192.168.1.100 445
# Verify Samba client configuration
testparm -s