🧠 TL;DR
Legacy SMB shares are messy. This guide helps you scan, audit, and report on file share misconfigurations using Kali Linux, masscan, smbmap, and cron. Includes a script with email output, filtering, and file archiving — so you don’t have to do it manually every time.
Overview
In just about every organization, the first “real” IT project inevitably involves sorting out the file shares. The pattern is familiar: mountains of legacy data, confusing access controls built up over a decade or more, and one or two overworked servers running an OS that hasn’t been patched since the early 2010s.
Add to that a long list of “temporary” admin shares set up over the years for things like install files, temp dumps, or mystery purposes no one remembers — and somehow, they’ve become critical infrastructure.
For years, I didn’t have a consistent, efficient way to get visibility over the mess. But recently, I came across two tools that finally made the process clean and repeatable:
- masscan – Rapid port scanner. Finds open SMB ports on your network.
- smbmap – Audits accessible SMB shares and reports what users can access.
🛠️ Manual SMB Audit
Prerequisites
Make sure you have a Kali Linux VM set up. It’s a solid choice for security auditing and has the tools we need pre-installed (or easy to install).
You also need an account in Active Directory with minimal access (e.g. a domain user). In this example it's Kali.SMB@Hay-Ellis.local.
Step 1: Scan for SMB Hosts with masscan
Important note: masscan can scan the entire internet. You probably don’t want that. Either make sure your Kali VM has no internet access or limit your scan to your internal subnets. And yes, obviously your internal servers aren’t internet-facing… right?
sudo masscan -p445 10.0.0.0/8 --rate=10000 > smb-ip-list.txt
What this does:
- -p445: Targets the SMB port.
- 10.0.0.0/8: Adjust this to match your internal IP range.
- --rate=10000: Controls how fast packets are sent. This rate is quick but won’t overload your VM or network.
- > smb-ip-list.txt: Outputs results to a file for the next step.
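A guard for the scoping warning above, as an added example that is not from the original post: it accepts a target only when the whole range sits inside RFC 1918 private space. The function names and the scan_smb wrapper are hypothetical, and the targets in the loop are constructed.

```bash
#!/bin/bash
# Added example, not from the original post: accept a masscan target only when
# the whole range sits inside RFC 1918 private address space.

ip_to_int() {
    # Dotted quad -> 32-bit integer; fails if any octet is above 255.
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    [ "$a" -le 255 ] && [ "$b" -le 255 ] && [ "$c" -le 255 ] && [ "$d" -le 255 ] || return 1
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

is_private_target() {
    local target="$1" octet='(0|[1-9][0-9]{0,2})' prefix=32 addr range rlen rnet rmask
    case "$target" in *[!0-9./]*) return 1 ;; esac    # digits, dots, slash only
    printf '%s\n' "$target" |
        grep -Eq "^${octet}(\.${octet}){3}(/(0|[1-9][0-9]?))?\$" || return 1
    case "$target" in */*) prefix="${target##*/}" ;; esac
    [ "$prefix" -le 32 ] || return 1
    addr="$(ip_to_int "${target%%/*}")" || return 1
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rlen="${range##*/}"
        rnet="$(ip_to_int "${range%%/*}")"
        rmask=$(( (4294967295 << (32 - rlen)) & 4294967295 ))
        # Contained only if the target is at least as specific as the private
        # range and its address carries that range's network bits.
        if [ "$prefix" -ge "$rlen" ] && [ $(( addr & rmask )) -eq "$rnet" ]; then
            return 0
        fi
    done
    return 1
}

scan_smb() {
    # Hypothetical wrapper: the scan from Step 1, gated by the check above.
    is_private_target "$1" || { echo "refusing non-private target: $1" >&2; return 1; }
    masscan -p445 "$1" --rate=10000
}

# Constructed targets to show the decision; nothing is scanned here.
for t in 10.0.0.0/8 192.168.10.0/24 0.0.0.0/0 10.0.0.0/7 203.0.113.0/24; do
    if is_private_target "$t"; then echo "allow  $t"; else echo "refuse $t"; fi
done
```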
Step 2: Clean Up the Output with sed
masscan’s output isn’t formatted for direct use — it includes some extra text we don’t need. Clean it up with:
sed -i 's/Discovered open port 445\/tcp on //g' smb-ip-list.txt
Now you’ll have a tidy list of IP addresses — ready to be audited.
Step 3: Audit Shares with smbmap
The real value comes from identifying what’s actually accessible across the network. For this, use a domain account with minimal privileges — just a regular domain user. That gives you visibility into any shares that are open to “Everyone,” “Domain Users,” or similarly broad groups.
smbmap --host-file smb-ip-list.txt -u kali.smb -d yourdomain -p yourpassword --no-banner --no-update -g smb-results.txt
What this does:
- --host-file: Uses your list of IPs from masscan.
- -u, -d, -p: Domain credentials. Use --prompt instead of -p if you’d rather not have your password in your shell history.
- --no-banner, --no-update: Keeps the output clean.
- -g smb-results.txt: Saves the output to a file.
Step 4: Remove the Noise
The output will include a lot of system shares and restricted access entries. These can be filtered out using sed:
sed -i '/privs:NO_ACCESS/d' smb-results.txt
sed -i '/share:IPC$, privs:READ_ONLY/d' smb-results.txt
sed -i '/share:print$, privs:READ_ONLY/d' smb-results.txt
sed -i '/share:SYSVOL, privs:READ_ONLY/d' smb-results.txt
sed -i '/share:NETLOGON, privs:READ_ONLY/d' smb-results.txt
This leaves you with a much more relevant list — shares that are potentially open, misconfigured, or just generally in need of review.
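An added example, not part of the original post: rather than only deleting noise, it ranks what remains so that shares a minimal-privilege account can write to come first, and it keeps a system share if that share is writable. The host: field, the READ_WRITE value and the severity labels are assumptions, and the sample lines are constructed.

```bash
#!/bin/bash
# Added example: triage smbmap -g style lines instead of only filtering them.
# Assumed line layout: host:<ip>, share:<name>, privs:<PRIVS>

sample_results() {
    # Constructed sample lines, not real scan output.
    cat <<'EOF'
host:10.0.0.5, share:ADMIN$, privs:NO_ACCESS
host:10.0.0.5, share:IPC$, privs:READ_ONLY
host:10.0.0.5, share:Installs, privs:READ_WRITE
host:10.0.0.7, share:Finance, privs:READ_ONLY
host:10.0.0.9, share:SYSVOL, privs:READ_ONLY
host:10.0.0.9, share:NETLOGON, privs:READ_WRITE
EOF
}

triage_shares() {
    # stdin: smbmap -g lines; stdout: "SEVERITY host share privs", worst first.
    awk -F', ' '
    {
        sub(/[ \t\r]+$/, "")                       # drop trailing whitespace
        host = share = privs = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^host:/)  host  = substr($i, 6)
            if ($i ~ /^share:/) share = substr($i, 7)
            if ($i ~ /^privs:/) privs = substr($i, 7)
        }
        if (share == "" || privs == "" || privs == "NO_ACCESS") next
        sys = (share == "IPC$" || share == "print$" || share == "SYSVOL" || share == "NETLOGON")
        if (sys && privs == "READ_ONLY") next      # expected default, same as the sed filters
        if (privs ~ /WRITE/) sev = (sys ? "1-CRITICAL" : "2-HIGH")
        else                 sev = "3-REVIEW"
        print sev, host, share, privs
    }' | LC_ALL=C sort
}

sample_results | triage_shares
```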
🤖 Automating Everything with Cron & Email
Once you’ve proven the manual steps work, the next logical step is automation. Because, let’s be honest — if it isn’t automated, it probably isn’t happening regularly.
A few things I’m assuming you already have in place:
- Crontab is functional and you’re comfortable scheduling tasks.
- You’ve got a mail relay on the network that’ll accept traffic from your Kali box.
- You’re okay with storing credentials in a local file (with proper permissions, of course).
I used ChatGPT to help streamline parts of this script — especially around handling credentials securely. If you’ve got improvements, feel free to send them my way.
Step 1: Create a Working Directory
Let’s keep things tidy. All audit scripts and outputs will live in /opt/scripts/01-audit-smb
sudo mkdir -p /opt/scripts/01-audit-smb
sudo mkdir -p /opt/scripts/01-audit-smb/archive
sudo mkdir -p /opt/scripts/01-audit-smb/logs
sudo chmod 700 /opt/scripts/01-audit-smb
sudo chown root:root /opt/scripts/01-audit-smb
This locks the directory down so only root can touch it. No surprises later.
Step 2: Build the Script
Create the main script file:
sudo nano /opt/scripts/01-audit-smb/audit-smbsigning.sh
Paste in the following:
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# audit-smbsigning
#
# This script audits SMB and emails out a report.
#
# Created by Ashley Hay-Ellis 16/04/2025

# Set the working directory and get the current date
ROOTDIR="/opt/scripts/01-audit-smb"
TODAY=$(date +%Y_%m_%d)

# Load credentials (USERNAME, PASSWORD, DOMAIN)
source "${ROOTDIR}/.smb-creds"

# Define all the files to be used in the script
SMBFILE="${ROOTDIR}/audit_SMB_${TODAY}.txt"
SMBSIGNFILE="${ROOTDIR}/audit_SMB_signing_${TODAY}.txt"
SMBV1FILE="${ROOTDIR}/audit_SMB_v1_${TODAY}.txt"
IPFILE="${ROOTDIR}/smbiplist.txt"

# Delete any of these files left over from an earlier run
rm -f "$IPFILE" "$SMBFILE" "$SMBV1FILE" "$SMBSIGNFILE"

# Scan the network for hosts with port 445 open
masscan -p445 10.0.0.0/8 --rate=10000 > "$IPFILE"

# Strip masscan's prefix text so only IP addresses remain
sed -i 's/Discovered open port 445\/tcp on //g' "$IPFILE"

# Enumerate accessible shares, then check SMB signing
smbmap --host-file "$IPFILE" -u "$USERNAME" -d "$DOMAIN" -p "$PASSWORD" --no-banner --no-update -g "$SMBFILE"
smbmap --host-file "$IPFILE" -u "$USERNAME" -d "$DOMAIN" -p "$PASSWORD" --no-banner --no-update --signing > "$SMBSIGNFILE"

# Clean up the results files. System shares are dropped only when READ_ONLY,
# matching the manual filters, so a writable NETLOGON still gets reported.
sed -i -E '/privs:NO_ACCESS|share:IPC\$, privs:READ_ONLY|share:print\$, privs:READ_ONLY|share:SYSVOL, privs:READ_ONLY|share:NETLOGON, privs:READ_ONLY/d' "$SMBFILE"
sed -i -E '/signing required|Authenticating|Checking|Closing|Closed|error/d' "$SMBSIGNFILE"

# Scan for SMBv1 and keep only the hosts that have it enabled
nxc smb "$IPFILE" > "$SMBV1FILE"
sed -i '/SMBv1:True/!d' "$SMBV1FILE"

# Remove any empty files
[ ! -s "$SMBFILE" ] && rm -f "$SMBFILE"
[ ! -s "$SMBSIGNFILE" ] && rm -f "$SMBSIGNFILE"
[ ! -s "$SMBV1FILE" ] && rm -f "$SMBV1FILE"

# Send email only if at least one file exists and is not empty
if [ -f "$SMBFILE" ] || [ -f "$SMBSIGNFILE" ] || [ -f "$SMBV1FILE" ]; then
    sendemail -f KaliReporting@Hay-Ellis.co.uk \
        -u "SMB Audit Report - ${TODAY}" \
        -m "Attached is a report of all SMB shares that need addressing." \
        -s relay.Hay-Ellis.co.uk:25 \
        -t Ashley@Hay-Ellis.co.uk \
        -o tls=no \
        -a $([ -f "$SMBFILE" ] && echo "$SMBFILE") \
           $([ -f "$SMBSIGNFILE" ] && echo "$SMBSIGNFILE") \
           $([ -f "$SMBV1FILE" ] && echo "$SMBV1FILE")
fi

# Remove the temporary IP list, then move the reports into the archive
[ -f "$IPFILE" ] && rm "$IPFILE"
[ -f "$SMBFILE" ] && mv "$SMBFILE" "${ROOTDIR}/archive/$(basename "$SMBFILE")"
[ -f "$SMBSIGNFILE" ] && mv "$SMBSIGNFILE" "${ROOTDIR}/archive/$(basename "$SMBSIGNFILE")"
[ -f "$SMBV1FILE" ] && mv "$SMBV1FILE" "${ROOTDIR}/archive/$(basename "$SMBV1FILE")"
What the Script Does (At a Glance)
This script performs the following:
- Sets variables and today’s date for output files.
- Loads credentials from a secure file.
- Scans the network for devices exposing SMB (port 445).
- Audits those devices for:
  - Open SMB shares
  - SMB signing status
  - SMBv1 usage (bad!)
- Filters out noise and default system shares.
- Emails a report of anything that needs attention.
- Archives the reports and cleans up temporary files.
Step 3: Create Your Credential File
Store your SMB credentials in a separate file:
sudo nano /opt/scripts/01-audit-smb/.smb-creds
USERNAME=Kali.SMB
PASSWORD=What-Ever-Password-You-Set!
DOMAIN=Hay-Ellis.local
Lock it down:
sudo chmod 600 /opt/scripts/01-audit-smb/.smb-creds
sudo chown root:root /opt/scripts/01-audit-smb/.smb-creds
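One way to enforce that lock-down at run time, as an added example that is not the author's script: it refuses the file unless owner and mode are tight, and it reads the KEY=VALUE lines as data instead of executing the file with source. The load_creds name is hypothetical, GNU stat (as on Kali) is assumed, and the demo values are constructed.

```bash
#!/bin/bash
# Added example: check ownership and mode before trusting the credentials
# file, then parse it line by line so nothing in it is run as shell code.

load_creds() {
    # $1 = credentials file, $2 = expected owner uid (default 0, i.e. root)
    local file="$1" want_uid="${2:-0}" uid mode line key value
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "creds: $file is missing or is a symlink" >&2; return 1
    fi
    uid="$(stat -c '%u' "$file")" && mode="$(stat -c '%a' "$file")" || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "creds: owner uid $uid, expected $want_uid" >&2; return 1
    fi
    case "$mode" in
        600|400) ;;
        *) echo "creds: mode $mode lets others read the password" >&2; return 1 ;;
    esac
    USERNAME='' PASSWORD='' DOMAIN=''
    while IFS= read -r line || [ -n "$line" ]; do
        key="${line%%=*}" value="${line#*=}"
        case "$key" in
            USERNAME) USERNAME="$value" ;;
            PASSWORD) PASSWORD="$value" ;;   # kept literally, even with $ or =
            DOMAIN)   DOMAIN="$value" ;;
            ''|'#'*)  ;;                     # blank line or comment
            *) echo "creds: unexpected line in $file" >&2; return 1 ;;
        esac
    done < "$file"
    [ -n "$USERNAME" ] && [ -n "$PASSWORD" ] && [ -n "$DOMAIN" ]
}

# Demo on a constructed temp file owned by the current user.
demo="$(mktemp)"
printf 'USERNAME=Kali.SMB\nPASSWORD=Constructed$Pass=1!\nDOMAIN=example.local\n' > "$demo"
chmod 644 "$demo"; load_creds "$demo" "$(id -u)" || echo "refused at mode 644"
chmod 600 "$demo"; load_creds "$demo" "$(id -u)" && echo "loaded $USERNAME@$DOMAIN"
rm -f "$demo"
```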
Step 4: Test It
sudo bash /opt/scripts/01-audit-smb/audit-smbsigning.sh
You should receive an email (if anything was found) and see the results archived.
Step 5: Schedule It with Cron
To automate the scan weekly during working hours (when machines are online):
sudo crontab -e
Add this line:
30 13 * * 1 /bin/bash /opt/scripts/01-audit-smb/audit-smbsigning.sh >> /opt/scripts/01-audit-smb/logs/audit-smbsigning-cron.log 2>&1
This will run the scan every Monday at 1:30 PM and log the output to a file.
🧾 Summary
This process has helped me clean up legacy file shares in multiple orgs — without the usual headaches.
It’s not flashy. It’s not complicated. But it works.
If you’re spending hours trawling through old admin shares, try this.
Life’s too short for \\temp-share-from-2013