Smbexec 2.0 released - Pentest Geek

Smbexec 2.0 released

Author: smilingraccoon Posted In Penetration Testing Tutorials On: 2013/10/23 Comments: 11

We released smbexec version 2.0 a few days ago and it comes with some rather large differences from previous versions. For one thing it was completely rewritten in Ruby, for another it now supports multi-threading.

While it still maintains all of the functionality of previous versions (remotely dumping hashes from systems or domain controllers, identifying where domain administrators credentials are in use, throwing around obfuscated meterpreters, etc) , I wanted to highlight some of the larger changes and new features in this release.

For those that don’t know what smbexec is or haven’t used it before there was a great derbycon presentation  at the 2013 conference found here by Martin Bos (purehate) and Eric Milam (brav0hax). The quick description is that smbexec is a tool that focuses on using native windows functions/features for post exploitation and expanding access on a network after you gain some credentials, whether that be a hash or password for a local or domain account. It allows a pentester to quickly identify targets of interest and gain access to them across large networks without much need to worry about AV and UAC. You can grab the code at the pentestgeek github repo.

Ruby and Multi-threading

With the switch to Ruby from shell there are a bunch of added benefits. The biggest one is multi-threading, which makes a significant difference when pen testing a larger network. Last engagement a few of us were at we were running smbexec with 30 threads and dumped the local SAM, cached, and in memory credentials from about 750 servers in a matter of minutes. In addition to the speed gains there is also a significant increase in logging, when any module runs a debug file is created containing information about the module as well as showing a time stamped line with command issued along with the result. We were also able to remove some of the dependencies previous versions required, added more robust error handling, and designed it in a way that makes adding additional modules/features in the future much much easier.

Here is an example of what version 2.0 looks like using the hashdump module:


Finding Juicy Files and Running Arbitrary Powershell

And with the other changes we also have added two more modules. The first, a module used for finding files, has been extremely useful to me so far on penetration tests. By default it looks for unattend files which, if present, usually have privileged credentials contained within but you can look for anything you want. In addition for looking for other things like passwords.xls (Which I have seen way too many times) I personally look for something like *financ*.xls* to look for data that would be considered critical to the business. It can make showing the impact of a vulnerability a lot easier if you have access to nothing but a bunch of workstations for instance. The results of this module can get VERY large, in the thousands per machine even,  if you decide to look for something vague like *.xls or *.doc so the results are saved into text files within the log directory so you can use some command line fu to parse the data to look for what you want.

File Finder Module:


The other module can deliver and run arbitrary powershell against the targets. To do this you only need to drop whatever is your favorite non-interactive powershell script into the powershell folder and it will be available for use. Currently there is only one very simple powershell script but we plan on expanding on this in the future. The results of the powershell script will be saved into text files within the log directory as well.

Powershell Module:


Config and option parser

To make things easier on the user we implemented both a configuration file (smbexec.yml) as well as command line options that should cover most use cases for smbexec. You can give it credentials, an ip range (nmap style supported, or nmap xml file itself), or the number of threads you want to use before starting smbexec and it will remember them for all modules.

These are the command line options:


The configuration file has more granular control over how the tool works, for instance you can set it to use screen sessions over xterm windows or to not use nmap and use a simple TCP full connect port scanner. You also can change the paths to dependencies, by default the configuration file is for a Kali image.

And here is what the smbexec.yml configuration file looks like:



1) git clone

2) Run the script, select your operating system, and supply any required information

3) Run the script and compile the binaries

4) Type smbexec and cause mass havoc

Wrap up

Now that we have built the framework out in Ruby we should have more updates/features coming up faster and we are already scoping out what we want to do for version 2.1. If you have any issues or feature requests please toss them onto the github page.

Share this article

  • Is there a reason why smbexec 2.0 doesn’t work when using against a Windows 7 client that’s all patched and uptodate.

    the password is correct, the windows firewall is off. I used medusa, rpcclient to verify the password and it’s correct, but smbexec fails

  • NerishiQaMaster 2014/06/12 at 4:52 PM


    After writing the above, I decided to run the v2 install again.

    This time: ta-da! Perfect service resumed.
    And straight away I see the performance benefits of multi-threading.

    Once again, excellent work.

    Feel free to keep my last post’s praise and ditch the query – unless you think it’s worthwhile using it to direct n00bs like me to the “issues” on github.

    I’m still growing, keep feeding,


  • NerishiQaMaster 2014/06/12 at 3:19 PM


    +1 from me for an excellent tool – classic stylee: it does just what it needs to.

    My v2 install seemed to complete OK, and binary build, but at runtime would generate an error indicating missing gems, and to run bumdle install.

    Help! Meaning not quite unambiguous enough! :) Will raise in proper manner, just wanted to give an example.

    To your knowledge, has anyone put together a list of common problems installing v2 on Kali? My issue is different than others I’ve read, but I suspect many of us are making simple mistakes if history is any guide on the general subject :)

    I hope you keep the amazing effort up, guys,


  • hi, I setup a vmware with win7 ultimate. put avast av on it made all the updates and tried with known admin user and password.

    it didn’t work……

    i read something about psexec now using -h for elevated tokens.

    my question: is this option missing, becaus if you add something to the registry (i think to fool around with uac) it seems to work just fine.

    btw: I would like to read about how to get all windows native options either with psexec or smbexc.

    thx nomoi

  • Hi thanks for your answer.

    I tried ot reinstall but I got the following error…

    [ 125/3774] Compiling lib/replace/getpass.c
    Waf: Leaving directory `/tmp/smbexec-inst/samba/bin’
    Build failed: -> task failed (err #-1):
    {task: cc getpass.c -> getpass_2.o}
    Checking for library smb_static : not found
    Build of static winexe : disabled
    Cannot continue! Please install required files for shared winexe or provide samba source path for static winexe(–samba-dir option).
    (complete log in /tmp/smbexec-inst/winexe/source/build/config.log)
    cp: impossible d’évaluer « /tmp/smbexec-inst/winexe/source/build/winexe-static »: Aucun fichier ou dossier de ce type [!] smbwinexe didn’t install properly. Make sure you have prereqs installed…

    smbexec installer
    A rapid psexec style attack with samba tools

  • Hi

    great thanks for your perfect tool I used frequently :)
    I just managed to upgrade from V1 to v2 which seems really nice, however, it doesn’t work properly on my KALI . Most of the attempts (for exemple to fetch the hash) are failing with the message “xxxxxx Unhandled error: invalid byte sequence in utf-8” , hith xxxxx = target IP-

    Any idea to solve this… otherwize I’ll have to downgrade back to V1 :(

    • Hey calcavecchia, thanks for the feedback. I’ve opened an issue at if you wouldn’t mind adding some additional information I can look into it. After running a module it creates a debug file in the smbexec/log/timestamped_folder/debug/, for hashdump it would be called HashesWorkstation_timestamp. I would love to see the stack trace included in it, it should be a line with the text ERROR then Backtrace. Make sure to cleanse any information first as it may contain the credentials you were using it with.

      EDIT: I’ve identified the problem and fixed it, try a git pull.

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Share This

    Recent Posts

    Subscribe To Our Mailing List

    The Ultimate Burp Suite Training Program

    Learn Network Penetration Testing

    Penetration Testing



    Web Application Hacking

    Copyright 2024


    Are You Using the Top 5 Pentest Tools?

    Enter your email address to download your copy of our FREE e-book and find out now!

    Thank you, now go check your email!!