test_smb_service
Test SMB/NetBIOS services for vulnerabilities by scanning target systems to identify security weaknesses in network shares and authentication protocols.
Instructions
Comprehensive SMB/NetBIOS service testing
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| target | Yes | Target IP address | |
| port | No | SMB port (default: 445) |
Implementation Reference
- src/tools/service-specific.ts:212-378 (handler)The primary handler function that performs comprehensive SMB/NetBIOS service testing. Supports cross-platform (Windows/Linux/Mac) using appropriate tools: net view/nbtstat (Win), enum4linux/smbclient (Unix), CrackMapExec, nmap for EternalBlue (MS17-010), PowerShell SMB tests or rpcclient null sessions. Collects findings and recommendations.
async testSMB(target: string, port: number = 445): Promise<ScanResult> { try { console.error(`🔍 Testing SMB service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: SMB enumeration (platform-specific) if (isWindows) { // Windows: Use built-in commands try { const { stdout: netViewOutput } = await execAsync(`net view \\\\${target}`, { timeout: 60000 }); results.net_view = netViewOutput; if (netViewOutput.includes('Shared resources')) { findings.push('SMB shares enumerated successfully via net view'); } } catch (e) { console.error('net view failed:', e); } // Windows: NBTStat for NetBIOS enumeration try { const { stdout: nbtstatOutput } = await execAsync(`nbtstat -A ${target}`, { timeout: 30000 }); results.nbtstat = nbtstatOutput; if (nbtstatOutput.includes('<20>')) { findings.push('NetBIOS file sharing service detected'); } if (nbtstatOutput.includes('<00>')) { findings.push('NetBIOS workstation service detected'); } } catch (e) { console.error('nbtstat failed:', e); } } else { // Linux/Mac: Use traditional tools try { const { stdout: enum4linuxOutput } = await execAsync(`enum4linux -a ${target}`, { timeout: 120000 }); results.enum4linux = enum4linuxOutput; if (enum4linuxOutput.includes('Domain Name:')) { findings.push('Domain information disclosed'); } if (enum4linuxOutput.includes('password policy')) { findings.push('Password policy information disclosed'); } } catch (e) { console.error('enum4linux failed:', e); } try { const { stdout: smbclientOutput } = await execAsync(`smbclient -L ${target} -N`, { timeout: 60000 }); results.smbclient_shares = smbclientOutput; if (smbclientOutput.includes('Sharename')) { findings.push('SMB shares enumerated successfully'); } if (smbclientOutput.includes('IPC$')) { findings.push('IPC$ share accessible'); } } catch (e) { console.error('smbclient enumeration failed:', e); } } // Test 2: CrackMapExec (works on all platforms if installed) try { const cmeCommand = isWindows ? 'python -m crackmapexec' : 'crackmapexec'; const { stdout: cmeOutput } = await execAsync(`${cmeCommand} smb ${target}`, { timeout: 60000 }); results.crackmapexec = cmeOutput; if (cmeOutput.includes('SMBv1:True')) { findings.push('SMBv1 enabled (security risk)'); } if (cmeOutput.includes('signing:False')) { findings.push('SMB signing disabled (security risk)'); } } catch (e) { console.error('CrackMapExec failed:', e); } // Test 3: Check for EternalBlue vulnerability (nmap works on all platforms) try { const { stdout: nmapOutput } = await execAsync(`nmap -p ${port} --script smb-vuln-ms17-010 ${target}`, { timeout: 120000 }); results.eternalblue_check = nmapOutput; if (nmapOutput.includes('VULNERABLE')) { findings.push('CRITICAL: EternalBlue vulnerability detected (CVE-2017-0144)'); } } catch (e) { console.error('EternalBlue check failed:', e); } // Test 4: PowerShell SMB testing (Windows only) if (isWindows) { try { const psScript = ` $target = "${target}" try { $result = Test-NetConnection -ComputerName $target -Port ${port} if ($result.TcpTestSucceeded) { Write-Output "SMB port ${port} is accessible" # Try to enumerate shares $shares = Get-SmbShare -CimSession $target -ErrorAction SilentlyContinue if ($shares) { Write-Output "Available shares:" $shares | ForEach-Object { Write-Output " - $($_.Name)" } } } } catch { Write-Output "Error: $($_.Exception.Message)" } `; const { stdout: psOutput } = await execAsync(`powershell -Command "${psScript}"`, { timeout: 60000 }); results.powershell_smb = psOutput; if (psOutput.includes('is accessible')) { findings.push('SMB service confirmed accessible via PowerShell'); } if (psOutput.includes('Available shares:')) { findings.push('SMB shares enumerated via PowerShell'); } } catch (e) { console.error('PowerShell SMB test failed:', e); } } else { // Test 5: SMB null session test (Linux/Mac) try { const { stdout: nullSessionOutput } = await execAsync(`rpcclient -U "" -N ${target} -c "enumdomusers"`, { timeout: 60000 }); results.null_session = nullSessionOutput; if (nullSessionOutput.includes('user:')) { findings.push('SMB null session allows user enumeration'); } } catch (e) { console.error('Null session test failed:', e); } } return { target, timestamp: new Date().toISOString(), tool: 'smb_comprehensive_test', results: { service: 'SMB', port, findings, detailed_results: results, recommendations: this.getSMBRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'smb_comprehensive_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } - src/index.ts:396-402 (schema)Input schema definition for the tool, specifying 'target' (required string) and optional 'port' (number, default 445).
inputSchema: { type: "object", properties: { target: { type: "string", description: "Target IP address" }, port: { type: "number", description: "SMB port (default: 445)" } }, required: ["target"] - src/index.ts:393-581 (registration)Tool registration in the ListTools response, including name, description, and schema.
{ name: "test_smb_service", description: "Comprehensive SMB/NetBIOS service testing", inputSchema: { type: "object", properties: { target: { type: "string", description: "Target IP address" }, port: { type: "number", description: "SMB port (default: 445)" } }, required: ["target"] } }, { name: "burp_start", description: "Start Burp Suite Professional with API enabled", inputSchema: { type: "object", properties: { jar_path: { type: "string", description: "Path to burpsuite_pro.jar (optional, auto-detected)" }, project_file: { type: "string", description: "Burp project file path (optional)" }, headless: { type: "boolean", description: "Run in headless mode (default: true)" }, memory: { type: "string", description: "Java memory allocation (default: 2g)" } }, required: [] } }, { name: "burp_stop", description: "Stop Burp Suite instance", inputSchema: { type: "object", properties: {}, required: [] } }, { name: "burp_active_scan", description: "Perform active vulnerability scan using Burp Suite", inputSchema: { type: "object", properties: { target: { type: "string", description: "Target URL to scan" }, scope: { type: "array", items: { type: "string" }, description: "Additional URLs to include in scope (optional)" } }, required: ["target"] } }, { name: "burp_proxy_scan", description: "Perform passive scan through Burp Suite proxy", inputSchema: { type: "object", properties: { target: { type: "string", description: "Target URL to proxy through" }, duration: { type: "number", description: "Scan duration in seconds (default: 300)" } }, required: ["target"] } }, { name: "burp_spider", description: "Spider/crawl target using Burp Suite", inputSchema: { type: "object", properties: { target: { type: "string", description: "Target URL to spider" } }, required: ["target"] } }, { name: "burp_export", description: "Export Burp Suite scan results", inputSchema: { type: "object", properties: { format: { type: "string", enum: ["xml", "html", "json"], description: "Export format (default: xml)" }, output_path: { type: "string", description: "Output file path (optional)" } }, required: [] } } ]; return { tools }; }); // Handle tool calls this.server.setRequestHandler(CallToolRequestSchema, async (request) => { try { const { name } = request.params; const args = (request.params.arguments ?? {}) as any; const respond = (data: unknown) => ({ content: [ { type: 'text', text: typeof data === 'string' ? data : JSON.stringify(data) } ] }); switch (name) { // Reconnaissance tools case "nmap_scan": return respond(await this.reconTools.nmapScan(args.target, args.scan_type || "quick")); case "subdomain_enum": return respond(await this.reconTools.subdomainEnum(args.domain, args.wordlist, args.use_subfinder, args.fuzz_tool)); case "tech_detection": return respond(await this.reconTools.techDetection(args.url)); case "directory_bruteforce": return respond(await this.reconTools.directoryBruteforce(args.url, args.wordlist, args.extensions, args.use_seclists)); // Vulnerability scanning case "nuclei_scan": return respond(await this.vulnScanTools.nucleiScan(args.target, args.templates, args.severity)); case "nikto_scan": return respond(await this.vulnScanTools.niktoScan(args.url, args.port)); case "sqlmap_scan": return respond(await this.vulnScanTools.sqlmapScan(args.url, args.data, args.cookie)); // Exploitation case "metasploit_search": return respond(await this.exploitTools.metasploitSearch(args.service, args.platform)); case "exploit_attempt": return respond(await this.exploitTools.exploitAttempt(args.target, args.vulnerability, args.payload)); // Workflow case "auto_pentest": return respond(await this.workflowEngine.autoPentest(args.target, args.scope || "full", args.intensity || "active")); case "suggest_next_steps": return respond(await this.workflowEngine.suggestNextSteps(args.scan_results)); // Reporting case "generate_report": return respond(await this.reportTools.generateReport(args.target, args.format || "html")); // Advanced Tools case "cve_discovery": return respond(await this.cveDiscovery.discoverCVEs(args.technologies)); case "parameter_extraction": return respond(await this.parameterExtraction.extractParameters(args.target, args.depth || 2)); case "fuzzing_parameters": return respond(await this.fuzzingEngine.fuzzParameters(args.parameters, { tool: args.tool || 'ffuf' })); case "fuzzing_directories": return respond(await this.fuzzingEngine.fuzzDirectories(args.target, { tool: args.tool || 'ffuf', extensions: args.extensions })); case "directory_scan": return respond(await this.directoryScanner.scanDirectories(args.target, { tool: args.tool || 'dirsearch', recursive: args.recursive })); case "adaptive_strategy": return respond(await this.adaptiveStrategy.generateStrategy( args.ports, args.technologies, args.existing_vulns )); case "test_active_directory": return respond(await this.serviceSpecificTools.testActiveDirectory(args.target, args.domain)); case "test_web_application": return respond(await this.serviceSpecificTools.testWebApplication(args.target, args.technologies)); case "test_smb_service": return respond(await this.serviceSpecificTools.testSMB(args.target, args.port || 445)); - src/index.ts:580-581 (registration)Tool handler registration in the CallToolRequest switch statement, delegating to ServiceSpecificTools.testSMB method.
case "test_smb_service": return respond(await this.serviceSpecificTools.testSMB(args.target, args.port || 445)); - Helper function that generates security recommendations based on SMB test findings, such as disabling SMBv1, enabling signing, patching EternalBlue.
private getSMBRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('SMBv1'))) { recommendations.push('Disable SMBv1 protocol'); } if (findings.some(f => f.includes('signing:False'))) { recommendations.push('Enable SMB signing'); } if (findings.some(f => f.includes('EternalBlue'))) { recommendations.push('Apply MS17-010 security patch immediately'); } if (findings.some(f => f.includes('null session'))) { recommendations.push('Disable SMB null sessions'); } recommendations.push('Implement strong authentication'); recommendations.push('Use SMBv3 with encryption'); return recommendations; }