DigiBrandBox
Cybersecurity

SMB Pentesting with Metasploit to hack windows 7 Complete Tutorial 2025

khushank-digibrandbox-nkb31 Dec 20247 min read
SMB Pentesting with Metasploit to hack windows 7 Complete Tutorial 2025

<!-- wp:paragraph --> <p>Microsoft Windows, An operating system loved by more than 80% of computer users in the world. What if I tell you that you love highly vulnerable operating systems? Yes, you heard it right, Your favorite OS i.e. Microsoft windows is a highly vulnerable OS. In this article, we will try to explore and exploit one of the most common vulnerabilities of windows.</p> <!-- /wp:paragraph --> <!-- wp:quote {"className":"is-style-large"} --> <blockquote class="wp-block-quote is-style-large"> <p>Fun Fact: Fascinated with the term “hack”? Hacking means making things easy but in today`s digital world, people use this term in a wrong manner.</p> </blockquote> <!-- /wp:quote --> <!-- wp:heading --> <h2>Pre-Requisites</h2> <!-- /wp:heading --> <!-- wp:heading {"level":3} --> <h3>Metasploit</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>A Framework tool that automates the tasks involved in hacking or I should say Penetration testing. Preinstalled in Kali Linux. Most information security professionals prefer writing their own scripts.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3>Auxiliary</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>The module in Metasploit framework used for enumeration, scanning, fuzzing etc.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3>SMB</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Server Message Block, A protocol running on the application layer allows us to share files between two OS within the network. SMB uses a client-server architecture to share files or even printers. Also known as Common Internet File System. SMB uses ports 139 and 445. We will be using port 445 for our SMB Pentesting. It is an application layer protocol.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3>RHOST &amp; RPORT</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>The IP address &amp; port we choose to enter on the target machine.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3>Phases of hacking</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Taking into consideration the approach to hack a particular machine we follow these steps:</p> <!-- /wp:paragraph --> <!-- wp:list {"ordered":true,"type":"1"} --> <ol type="1"> <li>Reconnaissance:</li> <li>Scan target</li> <li>Get Access</li> <li>Maintain access</li> <li> <p>Clear logs</p> </li> </ol> <p><!-- /wp:list --> <!-- wp:paragraph --></p> <p>So basically we as hackers or even pen tester try to not just exploit using payloads like many script-kiddie but enumerate the victim machine and gather as much info as possible.</p> <h2><strong>What are the common vulnerabilities in SMB?</strong></h2> <ol> <li><strong>SMB Exploits</strong>: <ul> <li>EternalBlue: The exploit used in WannaCry ransomware to propagate across networks.</li> <li>SMBGhost (CVE-2020-0796): SMBv3 vulnerability allowing remote code execution.</li> </ul> </li> <li><strong>Weak Authentication</strong>: <ul> <li>SMB servers with weak or no authentication mechanisms are vulnerable to brute-force attacks.</li> </ul> </li> <li><strong>Man-in-the-Middle Attacks</strong>: <ul> <li>Attackers can intercept unencrypted SMB traffic to steal credentials or manipulate data.</li> </ul> </li> </ol> <!-- /wp:paragraph --> <!-- wp:heading --> <h2>SMB Pentesting with Metasploit Port 445</h2> <!-- /wp:heading --> <!-- wp:list {"ordered":true,"type":"1"} --> <ol type="1"> <li>IP Address of my attacker machine: 192.168.187.131</li> <li>IP address of my victim machine: 192.168.187.130</li> <li>In our case we had both on same network locally and we knew the address but still we followed a method which shows how an attacker and get the IP Address of a victim machine using nmap</li> </ol> <!-- /wp:list --> <!-- wp:heading {"level":3} --> <h3>SMB Pentesting, Steps to hack windows 7 using SMB port 445 via Metasploit</h3> <!-- /wp:heading --> <!-- wp:list --> <ul> <li>Reconnaissance, yes, hacking always starts with information gathering. So let us use nmap to discover the IP Address and open ports of the victim machine.</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2547,"width":436,"height":444,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large is-resized"><img class="wp-image-2547" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/SMB-nmap-scan-network.webp" alt="smb pentesting, use nmap to scan network though subnet mask" width="436" height="444" /></figure> <!-- /wp:image --> <!-- wp:code --> <pre class="wp-block-code"><code>nmap 192.168.187.0/24</code></pre> <!-- /wp:code --> <!-- wp:list --> <ul> <li>Once we discover all devices connected with the network, IP Address, and the open ports, we found the following ports on the victim machine: Port 135, 139, 445, 3389,5800, and 5900.</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2549,"width":599,"height":444,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large is-resized"><img class="wp-image-2549" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/smb-nmap-ports.webp" alt="nmap scan ports" width="599" height="444" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>Lets try to know the services and their versions running on the remote machine we want to exploit.</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>nmap -sV 192.168.187.130</code></pre> <!-- /wp:code --> <!-- wp:list --> <ul> <li>The results after running the above command are as follows.</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2552,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2552" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/nmap-version-scanning-for-smb-windows-7.webp" alt="nmap scan version of smb" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>Since we got port 445 open and the OS as windows 7 -10, service and version. Let us try to enumerate with scripts available in nmap. This enables us to find if the machine is vulnerable to some attacks related to that particular service.</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>nmap 192.168.187.130 –script vuln -p445 //specifically for port 445</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>Although its up to you. If you want to scan all ports for vulnerabilities you can also use</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>nmap 192.168.187.130 –script vuln</code></pre> <!-- /wp:code --> <!-- wp:list --> <ul> <li>And here we go, the output clearly shows that we must try smb-vuln-ms17-010</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2555,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2555" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/smb-pentesting-for-vulnerable-scripts-of-eternalblue.webp" alt="smb vuln script port 445" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>So, let us now go into Metasploit and use the tools to understand the attacker machine more clearly.</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>sudo msfconsole</code></pre> <!-- /wp:code --> <!-- wp:list --> <ul> <li>Till this stage, we have some information about the target including IP Address, ports, Vulnerable scripts. Let us now jump to the second step i.e. scan the network to enumerate more details.</li> <li>We use auxiliary for SMB Pentesting. These auxiliary contain scripts that help to scan and enumerate information about vulnerabilities in the target. Type</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>Search auxiliary/scanner/smb.</code></pre> <!-- /wp:code --> <!-- wp:image {"id":2558,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2558" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/smb-pentesting-with-metasploit.webp" alt="metasploit search auxiliary smb" /></figure> <!-- /wp:image --> <!-- wp:image {"id":2564,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2564" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/SMB-Pentesting-auxiliary-in-metasploit.webp" alt="auxiliaries in metasploit" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>We can easily get the idea of what an auxiliary is about. Let us first try to enumerate the version by using smb_version</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>use auxiliary/scanner/smb/smb_version options set rhost 192.168.187.130 exploit</code></pre> <!-- /wp:code --> <!-- wp:image {"id":2560,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2560" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/smb_version-auxiliary.webp" alt="smb_version auxiliary" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>Boom, we got the operating system, version and smb version with name</li> <li>Lets now go with another auxiliary i.e. smb_uninit_creds. It helps to check for uninitialized variable vulnerability. Use it with rhost and run exploit.</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2566,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2566" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/smb_uninit_cred-auxiliary.webp" alt="uninit_creds auxiliary testing" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>We found it safe. Lets try it with another auxiliary named ms17-010 (The one we got in nmap script)</li> <li>The host is vulnerable to this. Wow, we also got the version i.e. windows 7 Ultimate 7601 SP1 64bit</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2568,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2568" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/vulnerable-smb.webp" alt="auxiliary for ms17-010" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>We scanned multiple auxiliaries, you can go for more like lookupsid, login(to brute force the creds) etc.</li> <li>Time to get access and maintain it. Let us try to find the exploit and payload.</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>Search ms17-010</code></pre> <!-- /wp:code --> <!-- wp:image {"id":2569,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2569" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/eternalblue-exploit-in-metasploit.webp" alt="ms17-010 exploits" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>The output shows 4 exploits including one for windows 8 onwords. So we got 3. Lets choose the first one i.e. eternal blue.</li> <li>Going with the default payload check for options and set your RHOST.</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2570,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large"><img class="wp-image-2570" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/metasploit-payload-reverse-tcp.webp" alt="default payload reverse tcp" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>BOOOOOOOMMMMM!!!!!!!!! We got meterpreter.</li> </ul> <!-- /wp:list --> <!-- wp:image {"id":2571,"width":819,"height":431,"sizeSlug":"large","linkDestination":"none"} --> <figure class="wp-block-image size-large is-resized"><img class="wp-image-2571" src="https://www.computerservicesolutions.in/wp-content/uploads/2021/03/windows-7-hacked-shell-using-smb.webp" alt="windows 7 meterpreter shell through smb pentesting eternalblue" width="819" height="431" /></figure> <!-- /wp:image --> <!-- wp:list --> <ul> <li>Remember, we still require to maintain access for the future and clear all tracks and logs.</li> <li>To maintain the access, the backdoor needs to be deployed. It enables us to connect even after the victim machine restarts. Meterpreter allows us to use metsvc for the purpose.</li> <li>While to clear logs with Metasploit, just use a command</li> </ul> <!-- /wp:list --> <!-- wp:code --> <pre class="wp-block-code"><code>clearev</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>Congrats, you are now a pro hacker.</p> <!-- /wp:paragraph --> <!-- wp:quote {"className":"is-style-large"} --> <blockquote class="wp-block-quote is-style-large"> <p>Fun Fact: A hacker group named shadow brokers leaked this in 2017. NSA used eternalblue to spy on other countries and even Microsoft was unaware of this for around 5 years</p> </blockquote> <!-- /wp:quote --> <!-- wp:paragraph --> <p>Knowing how to hack windows 7 using SMB vulnerability looks cool. Wait, don`t you feel, preventing the SMB attack is much more cool. Yes, its Indian scriptures say A savior is always greater than attacker</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <h4>Here is how you can secure your windows from being hacked via SMB</h4> <!-- /wp:paragraph --> <!-- wp:paragraph --> <ul> <li>Simple, update your operating systems to the latest version as Microsoft patched the vulnerability. Also keep all your software, utilities and applications updated. </li> <li>Disable Unused SMB Ports (445, 139).</li> <li>Regularly Monitor SMB Logs for Anomalies.</li> <li>Use Tools like Wireshark to Analyze SMB Traffic.</li> <li>Ensure Endpoint Detection and Response (EDR) Systems Are in Place.</li> </ul> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Learn about <a href="https://www.computerservicesolutions.in/index.php/facebook-hacking-tutorial-with-kali-linux-and-preventive-measures/">facebook hacking</a></p> <!-- /wp:paragraph -->

D
khushank-digibrandbox-nkb
DigiBrandBox editorial · Field notes from the war rooms.
Let's compound your growth

Ready for a growth system that actually compounds?

Book a 30-minute strategy call. We'll audit your funnel live and walk you through what a custom Search+, Performance+, Brand+, Creator+, Content+ and Distribution+ system would look like for your brand.

Free Growth Audit · ₹0

Get a personalised Growth Audit of your brand.

We'll teardown your funnel across Search, AI, paid and creator — and email back a 12-page scorecard with prioritised opportunities for your stage. Used by founders inside Apollo, Lenskart, Mamaearth and Razorpay.

  • Search + AI visibility benchmark vs. your top 3 competitors
  • Paid media (Meta, Google, LinkedIn) leakage map
  • Reputation + creator ecosystem health score
  • 90-day prioritised growth roadmap (with effort vs. impact)
↳ Delivered in 24 hours·No sales pitch·4.9★ G2 Avg.
Tell us where to send it →

We respect your inbox. Zero spam, ever.

Book Call