impacket-smbserver

View documentation for the original command

$ tldr smbserver.py

impacket-smbserver <share_name> <share_path> [options]

<share_name>
    The arbitrary name to assign to the SMB share that will be advertised to clients (e.g., 'SHARE', 'C$').

<share_path>
    The local path to the directory that the SMB server will share. This directory's contents will be accessible (or appear to be accessible) to connecting clients.

-debug
    Enables verbose debug output, useful for troubleshooting connection issues or understanding server behavior.

-smb2support
    Enables SMB2 protocol support. It is highly recommended to use this option for compatibility with modern Windows clients, which primarily use SMB2/3.

-username <username>
    Specifies a username for authenticated access to the share. If omitted, anonymous access is typically allowed or prompted depending on the client.

-password <password>
    Specifies the password for the provided -username. Used in conjunction with -username for creating an authenticated share.

-hashes <LM:NT>
    Provides LM and NT hashes (e.g., '0:f34ad...'). This is an alternative to -password, allowing authentication using pre-computed hashes.

-target-ip <ip_address>
    Specifies the IP address of the interface on which the server should listen. By default, it listens on all available interfaces (0.0.0.0).

-ipv6
    Configures the server to listen for incoming connections over IPv6 instead of IPv4.

-no-smb-config
    Prevents the server from loading a default or existing smb.conf file, ensuring a clean, minimal server setup.

-no-netlogon
    Disables the NETLOGON share. This share is typically used by domain controllers for user authentication, and disabling it can reduce network noise if not needed.

-no-nbt
    Disables NetBIOS over TCP/IP (NetBT) services. This means the server will only listen on port 445 (SMB direct) and not on NetBIOS ports like 137/138/139.

-port <port_number>
    Specifies the TCP port number on which the SMB server will listen. The default SMB port is 445. Using a different port may require client configuration.

-q
    Enables quiet mode, suppressing most output to the console, useful for backgrounding or scripting.

The impacket-smbserver command, part of the powerful Impacket toolkit, creates a minimalistic yet functional SMB (Server Message Block) server. Its primary purpose is to serve files over SMB/CIFS, but it's most renowned for its ability to capture NTLMv1/v2 authentication hashes from connecting clients. This makes it an invaluable tool for penetration testers and red teamers to simulate malicious servers, conduct credential harvesting, or facilitate file transfers in environments where SMB is prevalent. It supports both anonymous and authenticated access, and can be configured to listen on specific interfaces and ports, providing flexibility for various network scenarios.

Root Privileges: To bind to the default SMB port (445), impacket-smbserver typically requires root or elevated privileges.
Security Implications: This tool is frequently used for credential harvesting and can be misused. Ensure you have proper authorization for its use.
Firewall Rules: Ensure that your system's firewall allows inbound connections on the specified SMB port (default 445) for clients to connect.
Antivirus/EDR Detection: Due to its common use in penetration testing, many security solutions might flag impacket-smbserver as a malicious tool.

NTLM Hash Capture: Set up a share and wait for clients to connect (e.g., from network scanners, misconfigured applications, or phishing attempts) to capture NTLMv1/v2 authentication hashes which can then be cracked offline.
File Transfer: Serve or receive files in environments where HTTP/FTP might be blocked, but SMB is open. This is useful for transferring payloads or exfiltrating data.
Anonymous File Sharing: Create quick, anonymous shares for testing or temporary file access without needing full-fledged SMB server configuration.
SMB Relay Attacks: While impacket-smbserver itself doesn't perform the relay, it's often used in conjunction with tools like ntlmrelayx.py (also from Impacket) as the target server for relayed authentication attempts.

By default, impacket-smbserver attempts to handle anonymous authentication. If a client attempts to authenticate, it captures the NTLM hash. You can specify a username and password (or hashes) to allow specific authenticated access. If a client provides valid credentials that match what's configured, access is granted; otherwise, the hashes are captured, and the connection might be closed or denied based on client behavior.

Impacket is a collection of Python classes for working with network protocols, primarily developed by Alberto Solino (corelabs.org, now Fortra's Core Security). It focuses on providing programmatic access to network packets and various Windows protocols (like SMB, MSRPC, DCE/RPC, Kerberos). The smbserver.py module (accessible via impacket-smbserver) emerged as a critical component, enabling penetration testers and researchers to interact with SMB in a controlled manner, filling a significant gap in open-source tooling for Windows network protocol exploitation and analysis. Its development reflects the continuous need for robust tools to assess and exploit vulnerabilities in Windows environments.

responder.py, smbclient(1), netcat(1), impacket-secretsdump, impacket-psexec