Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB

Information

SMB is the main Windows file sharing and remote administration protocol. In Active Directory, it exposes shares, named pipes, remote management surfaces, authentication behavior, administrative shares, SYSVOL, NETLOGON, and many lateral movement paths.

We use SMB for six practical jobs: discovering hosts and shares, validating credentials, finding files, moving data, coercing authentication from file triggers, and executing commands when the credential has administrative rights. SMB also matters defensively because signing, NTLM behavior, administrative shares, outbound SMB, and event logs decide whether relay and lateral movement paths are available.

Tools used in this section include: NetExec, Impacket, smbmap, Snaffler, PowerHuntShares, enum4linux-ng, Responder, and ntlmrelayx.

SMB surfaces

445/tcp       Direct SMB over TCP
139/tcp       NetBIOS session service for older SMB paths
IPC$          Named pipe access and RPC over SMB
ADMIN$        Windows directory administrative share
C$            System drive administrative share
SYSVOL        Domain policy and scripts on domain controllers
NETLOGON      Domain logon scripts on domain controllers
User shares   Department, project, home, IT, finance, backups

Playbook

  • First check reachability and signing.
  • Then test anonymous, guest, and known credentials carefully.
  • Then enumerate shares and permissions.
  • Then hunt files before executing anything.
  • Then check whether writable shares can become file-triggered coercion points.
  • Then choose the least noisy execution path that fits the goal.