smb-pentesting
Best for Penetration testers assessi…Works with GitHubHigh risk
⌘source
- author
@wgpsec- language
- Python
★1.2kstars
199forks
Apr 22, 2026
✦overview.md
Key Features
- ·Methodology for SMB/CIFS service penetration testing (ports 139/445)
- ·Covers service discovery, version identification, and share enumeration
- ·Includes user/group enumeration and credential attack techniques
- ·Guides through known vulnerability exploitation (e.g., EternalBlue)
- ·Provides a decision tree for systematic testing phases
- ·References detailed command guides for tools like enum4linux and crackmapexec
Use Cases
- →Scanning and enumerating Windows domain information when SMB ports are open
- →Testing SMB share permissions and access controls
- →Performing lateral movement within a network using SMB protocols
- →Conducting credential attacks like password spraying or pass-the-hash against SMB services
Best for
- ✓Penetration testers assessing Windows network security
- ✓Red team operators performing lateral movement
- ✓Security researchers analyzing SMB vulnerabilities
Not ideal for
- !General network administration or troubleshooting
- !Non-Windows environments
- !One-off or automated security scans without manual analysis
FAQs
name
smb-pentesting
description
SMB/CIFS 服务(139/445 端口)渗透测试方法论。涵盖 NetBIOS/SMB 服务发现与版本识别、共享枚举与访问、用户和组枚举、凭据攻击(空会话/密码喷洒/哈希传递)、已知漏洞利用(EternalBlue 等)。
当 Agent 扫描发现 139 或 445 端口开放、需要枚举 Windows 域信息、测试 SMB 共享权限、或进行 SMB 相关横向移动时,触发此 Skill。
metadata:{"tags":["smb","cifs","netbios","文件共享","139端口","445端口","windows","enum4linux","smbclient","crackmapexec"],"category":"exploit/network-service"}
SMB/CIFS 渗透测试方法论 (139/445)
相关 skill: 凭据喷洒 ->
cred-spray; NTLM 中继 ->ntlm-relay-attack; AD 域攻击 ->ad-domain-attack; 横向移动 ->lateral-movement
深入参考
- 枚举命令大全(enum4linux / smbclient / crackmapexec / rpcclient) -> 读 references/smb-enumeration-commands.md
- 漏洞利用与中继攻击(EternalBlue / PrintNightmare / CVE 清单 / Relay) -> 读 references/smb-exploitation.md
整体决策树
发现 139/445 端口开放
├─ Phase 1: 服务发现与版本识别
│ ├─ 确定 SMB 版本 (SMBv1 / v2 / v3)
│ ├─ 确定操作系统版本
│ └─ 判断是否域环境
│ ├─ 是 -> 记录域名,进入 Phase 3 深度枚举
│ └─ 否 -> 工作组环境,侧重共享枚举
├─ Phase 2: 共享枚举
│ ├─ 空会话 (null session) 测试
│ │ ├─ 成功 -> 列举所有共享,检查 IPC$/SYSVOL/NETLOGON
│ │ └─ 失败 -> 尝试 guest 账户 -> 尝试已知凭据
│ ├─ 可读共享 -> 下载敏感文件 (Registry.xml / web.config / 脚本)
│ └─ 可写共享 -> 标记用于后续利用 (SCF/LNK 投毒、Logon Script 注入)
├─ Phase 3: 用户与组枚举
│ ├─ RPC 枚举 (rpcclient / enum4linux)
│ ├─ RID 爆破 (lookupsid.py / crackmapexec --rid-brute)
│ └─ LDAP 查询 (ldapsearch, 仅域环境)
├─ Phase 4: 凭据攻击
│ ├─ 密码喷洒 (crackmapexec / hydra)
│ ├─ Pass-the-Hash (smbclient / psexec.py / wmiexec.py)
│ └─ NTLM Relay (Responder + ntlmrelayx)
├─ Phase 5: 漏洞利用
$install
1-click copynpx skills add wgpsec/AboutSecurity --skill smb-pentestingSafety assessment
★
Clarity score
How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.
5/ 5
excellentVery clear and well structured, with almost no room for misunderstanding.
◎
Actionability score
How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.
5/ 5
very highHighly actionable with clear, concrete steps that an agent can follow directly.