Gaining initial access through an open SMB port is a common and effective technique in penetration testing. This article demonstrates how to identify and exploit SMB services using a range of popular tools, each suited for different scenarios, from quick brute-force attempts to large-scale automated attacks.

MITRE ATT&CK Techniques:

T1110.001 – Brute Force: Password Guessing

T1046 – Network Service Scanning

T1078 – Valid Accounts

Table of Contents

Introduction

Enumeration

• Scan for Open SMB Port with Nmap

Brute-Force Techniques

• Nmap
• Metasploit
• Netexec
• Patator
• Brutespray

Introduction

SMB (Server Message Block) is a protocol used for sharing files, printers, and other resources on a network. It operates on port 445 and allows users to access shared resources on remote servers. However, by default, it transmits data—including credentials—in plaintext, making it vulnerable to eavesdropping and attacks like brute force. For secure transfers, alternatives like SMB3 or encrypted SMB are recommended. Despite its age, SMB is still commonly found in legacy systems and networks.

Enumeration

Nmap Scan

MITRE Technique: T1046

Firstly, to start the enumeration process, we perform a simple Nmap scan on the target IP address to check for an open SMB port and identify the service version:

nmap -p 445 -sV 192.168.1.53

Explanation:

• -p 445: Scans for SMB service on port 445.
• -sV: Enables version detection to gather more information about the running SMB service.

Then, once Nmap identifies that port 445 is open and an SMB service is active, we can proceed to the next phase: brute force attacks to test for weak or default credentials.

Defensive Strategy:

Deploy network intrusion detection/prevention systems (NIDS/NIPS) such as Snort or Zeek to detect excessive port scans or fingerprinting behavior. Flag unexpected SMB usage inside internal VLANs.

Brute-Force Techniques

Tools Quick Reference

Metasploit

Metasploit includes auxiliary modules that can perform brute force attacks on various services—including SMB. In this case, we can effectively automate login attempts to find weak or default credentials on target systems by utilizing our dictionaries, user.txt and pass.txt.

Step To Reproduce

On Kali terminal type msfconsole then run following commands:

msf6 > use auxiliary/scanner/smb/smb_login
set rhosts 192.168.1.53
set user_file user.txt
set pass_file pass.txt
set verbose false
run

Explanation:

• use auxiliary/scanner/smb/smb_login: Selects the Metasploit module designed for brute forcing FTP login credentials.
• set rhosts target ip: Specifies the target machine’s IP address for the scan.
• set user_file user.txt: Defines a file containing potential usernames to try during the brute force attack.
• set pass_file pass.txt: Defines a file containing potential passwords to pair with each username.
• set verbose false: Disables verbose output, reducing on-screen clutter during the attack but if you are interested in knowledge failed attempt or all tried combination then you can reset as true.

Defensive Control:

Enable account lockouts and monitor for failed authentication events (Event ID 4625 in Windows, auth.log in Linux).

Netexec

NetExec, commonly used via its command alias nxc, is a powerful post-exploitation and lateral movement framework built as a successor to the well-known CrackMapExec project. It supports a wide array of network protocols—including SMB, FTP, RDP, WINRM, SSH and more—making it a versatile tool for both offensive security assessments and red team operations.

Among its many capabilities, NetExec can perform brute force attacks on SMB services using specified username and password lists. Its clean, efficient syntax and structured output make it ideal for quickly identifying weak or default credentials during targeted password audits.

Step To Reproduce

To initiate a brute force attack against an SMB service using NetExec, run the following command:

nxc smb 192.168.1.53 -u user.txt -p pass.txt | grep [+]

Explanation:

• smb: Specifies the protocol to target.
• 192.168.1.53: The IP address of the target host.
• -u user.txt: Path to the file containing a list of usernames.
• -p pass.txt: Path to the file containing a list of passwords.

Security Control:

Segment internal assets. Use jump hosts and enforce MFA to prevent lateral movement even after brute force success.

Patator

Patator is a versatile, multi-threaded brute forcing tool capable of attacking a wide range of protocols including SMB, SSH, HTTP, and more. It’s modular, highly customizable, and known for its stability and clear, structured output.

Its flexible syntax allows you to easily specify input files for both usernames and passwords, and it provides organized feedback on successful or failed login attempts.

Step To Reproduce

Patator can be used to perform SMB brute force attacks by iterating through supplied username and password lists which in this case will be user.txt and pass.txt.

patator smb_login host=192.168.1.53 user=FILE0 0=user.txt password=FILE1 1=pass.txt

Explanation:

• patator: Launches the Patator brute force tool.
• smb_login: Specifies the module for brute forcing SMB credentials.
• host=192.168.1.53: Indicates the target machine’s IP address.
• user=FILE0 0=user.txt: Assigns FILE0 as a placeholder for usernames, pulling values from user.txt.
• password=FILE1 1=pass.txt: Assigns FILE1 as a placeholder for passwords, pulling values from pass.txt.

Note: You can add | grep ‘200 OK’ or -x ignore:code=530 for success filtering or to skip known failed responses based on Patator’s output codes.

Defensive Suggestion:

Limit connections by IP and impose filtering on SMB sessions.

Brutespray

BruteSpray is a powerful post-scan automation tool designed to perform credential brute force attacks using the results of an Nmap scan. Furthermore, it supports a variety of common protocols—including SMB, SSH, FTP, and more—making it a versatile solution for mass login attempts across multiple hosts and services.

BruteSpray integrates seamlessly with Nmap’s output formats (grepable or XML), therefore allowing you to quickly move from service discovery to targeted brute-force attacks.

Step 1: Scan for SMB Services with Nmap

Firstly, run an Nmap scan to identify open SMB ports and save the output in grepable format:

nmap -p 445 192.168.1.53 -oG smb_scan.txt

Explanation:

• -p 445: Scans for SMB service on port 445.
• -oG smb_scan.txt: Outputs the results in grepable format, which BruteSpray can parse.

Step 2: Brute-Force SMB Logins with BruteSpray

Then, once the scan is complete, use BruteSpray to attempt logins against the identified SMB services using a username and password list:

brutespray -f smb_scan.txt -u user.txt -p pass.txt

Explanation:

• -f smb_scan.txt: Specifies the Nmap output file to use.
• -u user.txt: Path to the list of usernames.
• -p pass.txt: Path to the list of passwords.

Response Plan:

IPs doing automated scans across several targets should be alerted and blocked; for instance, take Tarpitting as an example of dynamic deceit. For instance, tarpitting is a defensive technique where a system intentionally slows down responses to suspected malicious activity—typically brute force or scanning attempts—in order to hinder and frustrate attackers.

SMB Brute-Force – Offense, Defense & MITRE Mapping

Defense-in-Depth Summary

To learn more about Password Cracking. Follow this Link.

Author: Anmol Dev is a Technical Writer, Researcher and Penetration Tester. Contact here: Linkedin and Twitter.