Linux Digest

SMB Brute Force Metasploit Guide: Practical Pentesting Tips

Performing an SMB brute force with Metasploit is primarily achieved using the auxiliary/scanner/smb/smb_login module. This powerful scanner allows you to test massive lists of credentials against the Server Message Block (SMB) service, typically running on port 445, to identify weak passwords or default accounts. By configuring the RHOSTS, USER_FILE, and PASS_FILE options within the Metasploit Framework, you can systematically attempt to gain unauthorized access to Windows shares and administrative interfaces.

During a penetration test or a red team engagement, SMB is often the "holy grail" of initial access. Because Windows environments rely so heavily on SMB for file sharing, printer access, and remote management, a single set of valid credentials can lead to full domain compromise. If you're currently mastering OSCP exam preparation, you know that finding a way into an SMB share is frequently the first step toward privilege escalation.

The Mechanics of SMB Brute Force in Metasploit

SMB (Server Message Block) is a network file-sharing protocol that allows applications on a computer to read and write to files and request services from server programs in a computer network. In modern Windows environments, SMB runs directly over TCP port 445. Older versions might use NetBIOS over UDP ports 137, 138, and TCP port 139.

When we talk about an SMB brute force Metasploit attack, we aren't usually trying to "crack" a hash offline. Instead, we are performing an "online" attack. We send a username and a password guess to the target server; the server then tells us "Yes, that's right" or "No, access denied." The smb_login module automates this process, handling the complex handshakes and NTLM authentication steps for us.

Key Takeaway: SMB brute forcing is an active, noisy technique. While highly effective in labs and internal environments with poor security policies, it is easily detected by modern EDR (Endpoint Detection and Response) and SIEM solutions due to the high volume of failed login events (Event ID 4625).

Why SMB is a Primary Target

I've seen many environments where the perimeter is hardened, but the internal network is a "creamy center" of weak passwords. SMB is particularly vulnerable because:

Setting Up Your Environment for SMB Exploitation

Before you fire up msfconsole, you need to know who you're attacking. Blindly brute forcing every IP on a subnet is a quick way to get banned or crash a legacy service. Start with a targeted scan. You can use Nmap or the built-in Metasploit discovery modules.

Within Metasploit, the auxiliary/scanner/smb/smb_version module is your best friend. It identifies the exact version of the SMB protocol and, often, the operating system version. This helps you determine if you're dealing with an old Windows 7 box or a modern Windows Server 2022 instance with SMB signing required.

If you're looking for a more visual way to manage your targets and exploits, consider using Armitage on Kali Linux. It provides a graphical front end for these Metasploit modules, making it easier to track which hosts have been scanned and which credentials have worked.

Essential Wordlists for Brute Forcing

The success of your SMB brute force Metasploit run depends entirely on your wordlists. If you're using a 10GB file for a 5-minute pentest, you're doing it wrong. I recommend a tiered approach:

  1. Common Defaults: admin, administrator, guest, root.
  2. Context-Specific: Company name, season (Summer2023!), or local sports teams.
  3. The Classics: Use a pruned version of the rockyou.txt list or the SecLists "Top 1000" passwords.

Step-by-Step: Using the smb_login Module

Let's walk through the actual configuration of the module. Open your terminal and start Metasploit with msfconsole. Search for the module and select it.

    msf6 > use auxiliary/scanner/smb/smb_login
    msf6 auxiliary(scanner/smb/smb_login) > show options

You will see a variety of options. Here is a breakdown of the most critical ones you need to set:

    Option          | Description                        | Practical Tip
    ----------------|------------------------------------|-------------------------------------------------------------------------
    RHOSTS          | The target IP address or range.    | Use CIDR notation (e.g., 192.168.1.0/24) for subnet scanning.
    USER_FILE       | Path to your list of usernames.    | Keep this small to avoid account lockouts.
    PASS_FILE       | Path to your list of passwords.    | Use rockyou.txt for broad attempts.
    SMBDomain       | The target Windows domain.         | Leave as '.' for local accounts or set to 'WORKGROUP'.
    STOP_ON_SUCCESS | Boolean (true/false).              | Always set to true to avoid unnecessary noise once you're in.

To run the attack, set your parameters and execute:

    set RHOSTS 10.10.10.50
    set USER_FILE /usr/share/wordlists/metasploit/namelist.txt
    set PASS_FILE /usr/share/wordlists/rockyou.txt
    set THREADS 10
    run

If the module finds a valid set of credentials, it will print a success message in green. It will also automatically add these credentials to the Metasploit database, which you can view later using the creds command.

Advanced Tactics: Avoiding Account Lockouts

One of the biggest mistakes I see junior pentesters make is triggering a massive account lockout across a domain. If you try 500 passwords against the "Administrator" account and the domain has a lockout policy of 5 attempts, you've just locked out the most important account in the network. That's a great way to get kicked off a client site.

To avoid this, we use Password Spraying instead of traditional brute forcing. In a password spray, you take one very common password (like "Password123!") and try it against every username you've discovered. Then you wait for the lockout timer to reset (usually 30-60 minutes) and try the next password.

Metasploit SMB Spraying Strategy

To perform a spray using the smb_login module, set the PASSWORD variable (singular) and a USER_FILE. This ensures you only try one password per user.

    set PASSWORD Spring2024!
    set USER_FILE /root/discovered_users.txt
    set BLANK_PASSWORDS false
    set USER_AS_PASS false
    run

By using this method, you stay under the radar of most basic lockout policies while still checking if any user has been lazy with their password choice.

Handling Errors and Protocol Issues

Sometimes your SMB brute force Metasploit attempts will fail even when you believe the credentials are correct. This is often due to SMB signing or protocol version mismatches. Modern Windows systems require SMB signing by default on Domain Controllers. If the target requires signing and Metasploit isn't negotiating it correctly, the login will fail regardless of whether the password was right.

You might also see the error STATUS_ACCESS_DENIED (0xc0000022). This doesn't always mean the password was wrong; it could mean the account doesn't have permission to access the specific share or IPC$ pipe you are targeting. Always verify with a tool like smbclient or crackmapexec if you suspect the module is giving false negatives.

If you manage to get a hit but find the account is restricted, you might need to move into post-exploitation. For example, if you find a way to execute code, you'll want to have a Meterpreter commands cheatsheet handy to quickly navigate the file system and dump further credentials.

Post-Exploitation: What Happens After the Hit?

Finding a valid SMB password is just the beginning. Your goal is usually to gain a shell. If the credentials you found belong to a member of the "Remote Management Users" or "Administrators" group, you can use the exploit/windows/smb/psexec module to get a Meterpreter session.

Once you have a session, the next step is often to pull more credentials from memory. This is where tools like Mimikatz come in. You can learn more about this in our guide on how to use Mimikatz to dump password hashes and cleartext strings. This allows you to pivot from a local user to a Domain Admin by "passing the hash" or by finding a domain admin's session on the machine you just compromised.

Key Takeaway: SMB brute force is the "key" to the door; post-exploitation is what you do once you're inside the house. Always have a plan for lateral movement before you start your brute force.

For more advanced scenarios, check out our deep dive into Metasploit post exploitation techniques to ensure you maintain access even if the user changes their password or the machine reboots.

Comparing Brute Force Tools: Metasploit vs. The World

While Metasploit is fantastic, it isn't always the best tool for every job. Many professionals use a combination of tools depending on the environment. Here is how Metasploit stacks up against other popular SMB tools:

    Tool                    | Strength                                                                       | Weakness
    ------------------------|--------------------------------------------------------------------------------|----------------------------------------------------------------
    Metasploit (smb_login)  | Excellent integration with the MSF database and post-ex modules.               | Can be slower than dedicated scanners; high memory overhead.
    CrackMapExec / NetExec  | Extremely fast, built for "spraying" entire networks, excellent reporting.     | Requires a Python environment; not integrated into MSF by default.
    Hydra                   | Supports dozens of protocols, very fast for single-target brute force.         | Poor SMB protocol handling compared to specialized tools.
    Medusa                  | Modular and lightweight.                                                       | Less frequent updates for modern Windows SMB nuances.

In my experience, I use Metasploit when I want to keep everything in one workspace, especially if I'm preparing for a certification like the OSCP. However, for large-scale corporate audits, NetExec (the successor to CrackMapExec) is often my go-to for speed.

Defending Against SMB Brute Force Attacks

If you are on the blue team side, defending against SMB brute force Metasploit attacks is a matter of basic security hygiene. You don't need "cutting-edge" AI to stop these; you just need solid policies.

Monitoring is also vital. Look for high volumes of Event ID 4625 (An account failed to log on) originating from a single IP address. This is a "smoking gun" for a brute force attempt.
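As an added illustration of the monitoring advice above (this is example code written for this page, not something from the original article or from Metasploit), here is a small Python detector run over constructed Event ID 4625 records. It flags both patterns described in this guide: a classic brute force (many failures against one account from one source) and a password spray (one source failing against many distinct accounts), each within a sliding time window. The simplified log format, the sample IPs and account names, and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records, reduced to the fields the
# detection needs: timestamp, event id, TargetUserName, IpAddress, LogonType.
# LogonType 3 (network) is what an SMB authentication attempt produces.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 jsmith 10.10.10.99 3
2024-05-01T09:00:02 4625 jsmith 10.10.10.99 3
2024-05-01T09:00:03 4625 jsmith 10.10.10.99 3
2024-05-01T09:00:04 4625 jsmith 10.10.10.99 3
2024-05-01T09:00:05 4625 jsmith 10.10.10.99 3
2024-05-01T09:10:00 4625 alice 10.10.10.77 3
2024-05-01T09:10:01 4625 bob 10.10.10.77 3
2024-05-01T09:10:02 4625 carol 10.10.10.77 3
2024-05-01T09:10:03 4625 dave 10.10.10.77 3
2024-05-01T09:10:04 4625 erin 10.10.10.77 3
2024-05-01T09:10:05 4624 frank 10.10.10.77 3
2024-05-01T11:30:00 4625 bob 10.10.10.20 3
"""

def parse_events(text):
    """Parse one 'timestamp event_id account source_ip logon_type' record per line."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ip, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), user, ip, int(ltype)))
    return events

def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=5):
    """Return {(kind, source_ip, detail): count} for network logon failures.
    'bruteforce': one account failing >= fail_threshold times from one source.
    'spray': one source failing against >= spray_threshold distinct accounts.
    Both are evaluated over a sliding window anchored at each failure."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, account)]
    for ts, eid, user, ip, ltype in events:
        if eid == 4625 and ltype == 3:  # only failed network logons count
            failures[ip].append((ts, user))
    alerts = {}
    for ip, recs in failures.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            per_user = defaultdict(int)
            for t, u in recs[i:]:
                if t - start <= window:
                    per_user[u] += 1
            for u, n in per_user.items():
                if n >= fail_threshold:
                    key = ("bruteforce", ip, u)
                    alerts[key] = max(alerts.get(key, 0), n)
            if len(per_user) >= spray_threshold:
                key = ("spray", ip, "distinct accounts")
                alerts[key] = max(alerts.get(key, 0), len(per_user))
    return alerts
```

Tune the window and thresholds to match the lockout policy you actually enforce; a spray is deliberately sized to sit just under the lockout count, so the spray rule must key on distinct accounts per source, not on failures per account.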

Frequently Asked Questions

Why is my SMB brute force Metasploit run so slow?

The speed is usually limited by the THREADS setting and the target's response time. Increasing threads can speed it up, but it also increases the chance of crashing the service or being detected by security software. Also, ensure you are using the native TCP/445 port rather than older NetBIOS ports.

Can I brute force SMB if SMB signing is required?

Yes, you can still brute force. SMB signing prevents relay attacks (where you intercept a hash and "relay" it to another machine), but it does not prevent a direct login attempt with a guessed username and password. The smb_login module handles signed connections automatically.

How do I brute force a specific Windows domain?

Set the SMBDomain option in the module. If you don't know the domain, you can often find it by running the auxiliary/scanner/smb/smb_version module first. If the target is not on a domain, use WORKGROUP or a single dot (.) for local authentication.

What is the difference between smb_login and smb_enumusers?

The smb_enumusers module is used for reconnaissance; it tries to list the users on a system without needing a password (if null sessions are allowed). The smb_login module is used for the actual attack where you test passwords against those discovered usernames.

For more information on the SMB protocol, you can refer to the official Microsoft SMB documentation or check out the MITRE ATT&CK page on Brute Force: Password Spraying for a broader view of how these attacks fit into the threat landscape.