SMB
SMB, Server Message Block, CIFS
SMB (Server Message Block) is a file sharing protocol used primarily by Windows. EternalBlue (MS17-010), SMB signing misconfigurations, and null sessions are key attack vectors.
Ports
| Port | Protocol | Description |
|---|---|---|
| 445 | tcp | SMB over TCP |
| 139 | tcp | NetBIOS session |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service banner and version info |
| nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| C:\Windows\NTDS\ntds.dit | AD database with all password hashes |
| C:\Windows\System32\config\SAM | Local SAM password hashes |
| C:\Windows\System32\config\SYSTEM | System hive (boot key for hash decryption) |
| C:\Windows\System32\config\SECURITY | Security policy and cached domain credentials |
| %USERPROFILE%\AppData\Roaming\Microsoft\Credentials\ | Saved Windows credentials |
Default Credentials
| Username | Password | Context |
|---|---|---|
| admin | admin | Generic admin account |
| root | root | Generic root account |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2017-0144 | RCE | EternalBlue — SMBv1 remote code execution |
| CVE-2020-0796 | RCE | SMBGhost — SMBv3 compression RCE |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Null Session | smbmap -H <target> | List shares and users |
| SMB Signing Disabled | nmap --script smb-security-mode -p445 <target> | Relay NTLM auth |
| EternalBlue | msfconsole -q -x "use exploit/windows/smb/ms17_010_eternalblue" | RCE as SYSTEM |
Notes
SMB signing being disabled is the most common misconfiguration — always check with `nmap --script smb-security-mode`.
If SMBv1 is enabled, EternalBlue (MS17-010) is almost certainly exploitable.
Tools: `smbclient`, `smbmap`, `crackmapexec`/`netexec`, `impacket-smbexec`, `impacket-psexec`.
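The signing check above comes down to two bits in the SecurityMode field of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4); this added example (not part of the original page, and not code from nmap or netexec) decodes that field from a raw response and turns it into an audit finding. The `build_negotiate_response` helper fabricates a minimal response so it runs offline; the hostnames and sample bytes are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"          # legacy dialect that MS17-010 / EternalBlue targets
SIGNING_ENABLED = 0x0001         # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002        # SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_HEADER_LEN = 64
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate_response(msg: bytes) -> dict:
    """Return dialect and signing posture from a raw SMB NEGOTIATE response."""
    if msg[:4] == SMB1_MAGIC:
        return {"dialect": "SMB1", "signing_enabled": None, "signing_required": None}
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB message")
    command = struct.unpack_from("<H", msg, 12)[0]   # SMB2 header: Command at offset 12
    if command != 0x0000:                            # 0x0000 = SMB2 NEGOTIATE
        raise ValueError(f"unexpected SMB2 command 0x{command:04x}")
    # Body starts right after the 64-byte header: StructureSize, SecurityMode, DialectRevision
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    return {
        "dialect": DIALECTS.get(dialect, f"0x{dialect:04x}"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def assess(info: dict) -> str:
    """Map the parsed fields to the hardening finding a defender acts on."""
    if info["dialect"] == "SMB1":
        return "SMBv1 offered: disable SMBv1 and verify MS17-010 patch level"
    if not info["signing_required"]:
        # Signing merely 'enabled' is what tools report as signing:False; relay-exposed.
        return "signing not required: NTLM relay exposure, set RequireSecuritySignature=1"
    return "signing required: OK"


def build_negotiate_response(security_mode: int, dialect: int) -> bytes:
    """Constructed sample response (not a capture) so the parser can be run offline."""
    # SMB2 header: StructureSize=64, CreditCharge, Status, Command=NEGOTIATE, Credits,
    # Flags=SERVER_TO_REDIR, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 16   # ..., ServerGuid
    body += struct.pack("<IIIIQQHHI", 0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body
```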
Seen on
Shodan, Censys, FOFA, ZoomEye