MCP Pentest

test_smb_service

Test SMB/NetBIOS services for vulnerabilities by scanning target systems to identify security weaknesses in network shares and authentication protocols.

Instructions

Comprehensive SMB/NetBIOS service testing

Input Schema

TableJSON Schema

Name	Required	Description	Default
`target`	Yes	Target IP address
`port`	No	SMB port (default: 445)

Implementation Reference

src/tools/service-specific.ts:212-378 (handler)

The primary handler function that performs comprehensive SMB/NetBIOS service testing. Supports cross-platform (Windows/Linux/Mac) using appropriate tools: net view/nbtstat (Win), enum4linux/smbclient (Unix), CrackMapExec, nmap for EternalBlue (MS17-010), PowerShell SMB tests or rpcclient null sessions. Collects findings and recommendations.

async testSMB(target: string, port: number = 445): Promise<ScanResult> {
  try {
    console.error(`🔍 Testing SMB service on ${target}:${port}`);
    
    const findings: string[] = [];
    const results: any = {};
    
    // Test 1: SMB enumeration (platform-specific)
    if (isWindows) {
      // Windows: Use built-in commands
      try {
        const { stdout: netViewOutput } = await execAsync(`net view \\\\${target}`, { timeout: 60000 });
        results.net_view = netViewOutput;
        
        if (netViewOutput.includes('Shared resources')) {
          findings.push('SMB shares enumerated successfully via net view');
        }
      } catch (e) {
        console.error('net view failed:', e);
      }
      
      // Windows: NBTStat for NetBIOS enumeration
      try {
        const { stdout: nbtstatOutput } = await execAsync(`nbtstat -A ${target}`, { timeout: 30000 });
        results.nbtstat = nbtstatOutput;
        
        if (nbtstatOutput.includes('<20>')) {
          findings.push('NetBIOS file sharing service detected');
        }
        if (nbtstatOutput.includes('<00>')) {
          findings.push('NetBIOS workstation service detected');
        }
      } catch (e) {
        console.error('nbtstat failed:', e);
      }
    } else {
      // Linux/Mac: Use traditional tools
      try {
        const { stdout: enum4linuxOutput } = await execAsync(`enum4linux -a ${target}`, { timeout: 120000 });
        results.enum4linux = enum4linuxOutput;
        
        if (enum4linuxOutput.includes('Domain Name:')) {
          findings.push('Domain information disclosed');
        }
        if (enum4linuxOutput.includes('password policy')) {
          findings.push('Password policy information disclosed');
        }
      } catch (e) {
        console.error('enum4linux failed:', e);
      }
      
      try {
        const { stdout: smbclientOutput } = await execAsync(`smbclient -L ${target} -N`, { timeout: 60000 });
        results.smbclient_shares = smbclientOutput;
        
        if (smbclientOutput.includes('Sharename')) {
          findings.push('SMB shares enumerated successfully');
        }
        if (smbclientOutput.includes('IPC$')) {
          findings.push('IPC$ share accessible');
        }
      } catch (e) {
        console.error('smbclient enumeration failed:', e);
      }
    }
    
    // Test 2: CrackMapExec (works on all platforms if installed)
    try {
      const cmeCommand = isWindows ? 'python -m crackmapexec' : 'crackmapexec';
      const { stdout: cmeOutput } = await execAsync(`${cmeCommand} smb ${target}`, { timeout: 60000 });
      results.crackmapexec = cmeOutput;
      
      if (cmeOutput.includes('SMBv1:True')) {
        findings.push('SMBv1 enabled (security risk)');
      }
      if (cmeOutput.includes('signing:False')) {
        findings.push('SMB signing disabled (security risk)');
      }
    } catch (e) {
      console.error('CrackMapExec failed:', e);
    }
    
    // Test 3: Check for EternalBlue vulnerability (nmap works on all platforms)
    try {
      const { stdout: nmapOutput } = await execAsync(`nmap -p ${port} --script smb-vuln-ms17-010 ${target}`, { timeout: 120000 });
      results.eternalblue_check = nmapOutput;
      
      if (nmapOutput.includes('VULNERABLE')) {
        findings.push('CRITICAL: EternalBlue vulnerability detected (CVE-2017-0144)');
      }
    } catch (e) {
      console.error('EternalBlue check failed:', e);
    }
    
    // Test 4: PowerShell SMB testing (Windows only)
    if (isWindows) {
      try {
        const psScript = `
          $target = "${target}"
          try {
            $result = Test-NetConnection -ComputerName $target -Port ${port}
            if ($result.TcpTestSucceeded) {
              Write-Output "SMB port ${port} is accessible"
              
              # Try to enumerate shares
              $shares = Get-SmbShare -CimSession $target -ErrorAction SilentlyContinue
              if ($shares) {
                Write-Output "Available shares:"
                $shares | ForEach-Object { Write-Output "  - $($_.Name)" }
              }
            }
          } catch {
            Write-Output "Error: $($_.Exception.Message)"
          }
        `;
        
        const { stdout: psOutput } = await execAsync(`powershell -Command "${psScript}"`, { timeout: 60000 });
        results.powershell_smb = psOutput;
        
        if (psOutput.includes('is accessible')) {
          findings.push('SMB service confirmed accessible via PowerShell');
        }
        if (psOutput.includes('Available shares:')) {
          findings.push('SMB shares enumerated via PowerShell');
        }
      } catch (e) {
        console.error('PowerShell SMB test failed:', e);
      }
    } else {
      // Test 5: SMB null session test (Linux/Mac)
      try {
        const { stdout: nullSessionOutput } = await execAsync(`rpcclient -U "" -N ${target} -c "enumdomusers"`, { timeout: 60000 });
        results.null_session = nullSessionOutput;
        
        if (nullSessionOutput.includes('user:')) {
          findings.push('SMB null session allows user enumeration');
        }
      } catch (e) {
        console.error('Null session test failed:', e);
      }
    }
    
    return {
      target,
      timestamp: new Date().toISOString(),
      tool: 'smb_comprehensive_test',
      results: {
        service: 'SMB',
        port,
        findings,
        detailed_results: results,
        recommendations: this.getSMBRecommendations(findings)
      },
      status: 'success'
    };
    
  } catch (error) {
    return {
      target,
      timestamp: new Date().toISOString(),
      tool: 'smb_comprehensive_test',
      results: {},
      status: 'error',
      error: error instanceof Error ? error.message : String(error)
    };
  }
}

src/index.ts:396-402 (schema)

Input schema definition for the tool, specifying 'target' (required string) and optional 'port' (number, default 445).

inputSchema: {
  type: "object",
  properties: {
    target: { type: "string", description: "Target IP address" },
    port: { type: "number", description: "SMB port (default: 445)" }
  },
  required: ["target"]

src/index.ts:393-581 (registration)

Tool registration in the ListTools response, including name, description, and schema.

    {
      name: "test_smb_service",
      description: "Comprehensive SMB/NetBIOS service testing",
      inputSchema: {
        type: "object",
        properties: {
          target: { type: "string", description: "Target IP address" },
          port: { type: "number", description: "SMB port (default: 445)" }
        },
        required: ["target"]
      }
    },
    {
      name: "burp_start",
      description: "Start Burp Suite Professional with API enabled",
      inputSchema: {
        type: "object",
        properties: {
          jar_path: { type: "string", description: "Path to burpsuite_pro.jar (optional, auto-detected)" },
          project_file: { type: "string", description: "Burp project file path (optional)" },
          headless: { type: "boolean", description: "Run in headless mode (default: true)" },
          memory: { type: "string", description: "Java memory allocation (default: 2g)" }
        },
        required: []
      }
    },
    {
      name: "burp_stop",
      description: "Stop Burp Suite instance",
      inputSchema: {
        type: "object",
        properties: {},
        required: []
      }
    },
    {
      name: "burp_active_scan",
      description: "Perform active vulnerability scan using Burp Suite",
      inputSchema: {
        type: "object",
        properties: {
          target: { type: "string", description: "Target URL to scan" },
          scope: { 
            type: "array", 
            items: { type: "string" },
            description: "Additional URLs to include in scope (optional)" 
          }
        },
        required: ["target"]
      }
    },
    {
      name: "burp_proxy_scan",
      description: "Perform passive scan through Burp Suite proxy",
      inputSchema: {
        type: "object",
        properties: {
          target: { type: "string", description: "Target URL to proxy through" },
          duration: { type: "number", description: "Scan duration in seconds (default: 300)" }
        },
        required: ["target"]
      }
    },
    {
      name: "burp_spider",
      description: "Spider/crawl target using Burp Suite",
      inputSchema: {
        type: "object",
        properties: {
          target: { type: "string", description: "Target URL to spider" }
        },
        required: ["target"]
      }
    },
    {
      name: "burp_export",
      description: "Export Burp Suite scan results",
      inputSchema: {
        type: "object",
        properties: {
          format: { 
            type: "string", 
            enum: ["xml", "html", "json"],
            description: "Export format (default: xml)" 
          },
          output_path: { type: "string", description: "Output file path (optional)" }
        },
        required: []
      }
    }
  ];

  return { tools };
});

// Handle tool calls
this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
  try {
    const { name } = request.params;
    const args = (request.params.arguments ?? {}) as any;

    const respond = (data: unknown) => ({
      content: [
        {
          type: 'text',
          text: typeof data === 'string' ? data : JSON.stringify(data)
        }
      ]
    });

    switch (name) {
      // Reconnaissance tools
      case "nmap_scan":
        return respond(await this.reconTools.nmapScan(args.target, args.scan_type || "quick"));
      
      case "subdomain_enum":
        return respond(await this.reconTools.subdomainEnum(args.domain, args.wordlist, args.use_subfinder, args.fuzz_tool));
      
      case "tech_detection":
        return respond(await this.reconTools.techDetection(args.url));
      
      case "directory_bruteforce":
        return respond(await this.reconTools.directoryBruteforce(args.url, args.wordlist, args.extensions, args.use_seclists));

      // Vulnerability scanning
      case "nuclei_scan":
        return respond(await this.vulnScanTools.nucleiScan(args.target, args.templates, args.severity));
      
      case "nikto_scan":
        return respond(await this.vulnScanTools.niktoScan(args.url, args.port));
      
      case "sqlmap_scan":
        return respond(await this.vulnScanTools.sqlmapScan(args.url, args.data, args.cookie));

      // Exploitation
      case "metasploit_search":
        return respond(await this.exploitTools.metasploitSearch(args.service, args.platform));
      
      case "exploit_attempt":
        return respond(await this.exploitTools.exploitAttempt(args.target, args.vulnerability, args.payload));

      // Workflow
      case "auto_pentest":
        return respond(await this.workflowEngine.autoPentest(args.target, args.scope || "full", args.intensity || "active"));
      
      case "suggest_next_steps":
        return respond(await this.workflowEngine.suggestNextSteps(args.scan_results));

      // Reporting
      case "generate_report":
        return respond(await this.reportTools.generateReport(args.target, args.format || "html"));

      // Advanced Tools
      case "cve_discovery":
        return respond(await this.cveDiscovery.discoverCVEs(args.technologies));
      
      case "parameter_extraction":
        return respond(await this.parameterExtraction.extractParameters(args.target, args.depth || 2));
      
      case "fuzzing_parameters":
        return respond(await this.fuzzingEngine.fuzzParameters(args.parameters, { tool: args.tool || 'ffuf' }));
      
      case "fuzzing_directories":
        return respond(await this.fuzzingEngine.fuzzDirectories(args.target, { 
          tool: args.tool || 'ffuf',
          extensions: args.extensions 
        }));
      
      case "directory_scan":
        return respond(await this.directoryScanner.scanDirectories(args.target, { 
          tool: args.tool || 'dirsearch',
          recursive: args.recursive 
        }));
      
      case "adaptive_strategy":
        return respond(await this.adaptiveStrategy.generateStrategy(
          args.ports, 
          args.technologies, 
          args.existing_vulns
        ));

      case "test_active_directory":
        return respond(await this.serviceSpecificTools.testActiveDirectory(args.target, args.domain));

      case "test_web_application":
        return respond(await this.serviceSpecificTools.testWebApplication(args.target, args.technologies));

      case "test_smb_service":
        return respond(await this.serviceSpecificTools.testSMB(args.target, args.port || 445));

src/index.ts:580-581 (registration)
Tool handler registration in the CallToolRequest switch statement, delegating to ServiceSpecificTools.testSMB method.
```
case "test_smb_service":
  return respond(await this.serviceSpecificTools.testSMB(args.target, args.port || 445));
```

src/tools/service-specific.ts:755-775 (helper)

Helper function that generates security recommendations based on SMB test findings, such as disabling SMBv1, enabling signing, patching EternalBlue.

private getSMBRecommendations(findings: string[]): string[] {
  const recommendations: string[] = [];
  
  if (findings.some(f => f.includes('SMBv1'))) {
    recommendations.push('Disable SMBv1 protocol');
  }
  if (findings.some(f => f.includes('signing:False'))) {
    recommendations.push('Enable SMB signing');
  }
  if (findings.some(f => f.includes('EternalBlue'))) {
    recommendations.push('Apply MS17-010 security patch immediately');
  }
  if (findings.some(f => f.includes('null session'))) {
    recommendations.push('Disable SMB null sessions');
  }
  
  recommendations.push('Implement strong authentication');
  recommendations.push('Use SMBv3 with encryption');
  
  return recommendations;
}

Tool Definition Quality

C2.7/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden for behavioral disclosure. It vaguely implies testing but doesn't specify whether this is passive scanning, active exploitation, or diagnostic checks. Critical details like potential network impact, authentication requirements, output format, or error handling are missing, leaving the agent with insufficient information about how the tool behaves.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient phrase with zero wasted words. It's front-loaded with the core purpose ('Comprehensive SMB/NetBIOS service testing'), making it easy to parse quickly. Every word contributes directly to conveying the tool's function without redundancy or unnecessary elaboration.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of security testing tools and lack of annotations or output schema, the description is incomplete. It doesn't cover behavioral aspects (e.g., safety, side effects), usage context, or what results to expect. For a tool with potential network impact and no structured safety hints, more detail is needed to guide an agent effectively.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already documents both parameters (target IP and port with default). The description adds no additional meaning about parameters—it doesn't explain what 'comprehensive testing' involves for these inputs or any constraints beyond the schema. Baseline 3 is appropriate since the schema handles parameter documentation adequately.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose3/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description 'Comprehensive SMB/NetBIOS service testing' clearly states the tool's purpose (testing SMB/NetBIOS services) but lacks specificity about what 'testing' entails (e.g., vulnerability scanning, connectivity checks, configuration analysis). It distinguishes from siblings like 'test_active_directory' or 'test_web_application' by focusing on SMB/NetBIOS, but doesn't specify the verb or scope beyond 'comprehensive'.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention prerequisites (e.g., network access, permissions), when it's appropriate (e.g., during reconnaissance vs. exploitation), or how it differs from related tools like 'nmap_scan' or 'test_active_directory' for SMB-related tasks. The lack of context leaves usage decisions ambiguous.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/adriyansyah-mf/mcp-pentest'

If you have feedback or need assistance with the MCP directory API, please join our Discord server