Attack SMB Services with Hydra

Introduction

In this lab, you will learn how to attack SMB (Server Message Block) services using Hydra, a powerful password cracking tool. This lab focuses on demonstrating how to identify and exploit weak credentials on an SMB server.

You will begin by setting up a local SMB server using Samba, including installing the necessary packages, configuring the smb.conf file to create a shared directory, and setting appropriate permissions. Then, you will prepare user and password lists to be used in the Hydra attack. Finally, you will run the Hydra SMB attack and check the results to see if any credentials were successfully cracked.

Set Up a Local SMB Server

In this step, you will set up a local SMB (Server Message Block) server using Samba. SMB is a network file sharing protocol that allows applications on a computer to access files and resources on a remote server. Samba is a free software re-implementation of the SMB networking protocol. This will provide a target for your Hydra SMB attack in later steps.

First, let's install Samba. Open your terminal in the ~/project directory.

sudo apt update
sudo apt install samba -y

These commands update the package lists and then install the Samba package. The -y flag automatically answers "yes" to any prompts during the installation.

Next, you need to configure Samba. You'll start by backing up the original configuration file.

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

Now, let's create a new, clean configuration file by directly overwriting the existing one. This approach ensures no conflicts with the default Ubuntu Samba settings.

Copy the following command and run it in the terminal. Make sure the command is copied correctly.

sudo tee /etc/samba/smb.conf > /dev/null << 'EOF'
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   netbios name = fileserver
   security = user
   map to guest = never
   ## Disable anonymous access
   restrict anonymous = 2
   ## Explicitly enable SMBv1 and NTLMv1 for Hydra
   server min protocol = NT1
   client min protocol = NT1
   ntlm auth = ntlmv1-permitted
   ## Bind to localhost
   interfaces = 127.0.0.1
   bind interfaces only = yes
   ## Logging
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   debug level = 3

[share]
   path = /home/labex/project/share
   browsable = yes
   writable = yes
   guest ok = no
   read only = no
   valid users = labex
EOF

This command will completely replace the contents of /etc/samba/smb.conf with our clean configuration.

Important configuration points:

  • map to guest = never - Prevents anonymous guest access
  • restrict anonymous = 2 - Completely disables anonymous access
  • server min protocol = NT1 and client min protocol = NT1 - Lower the minimum protocol to NT1 so that SMBv1 is accepted, for Hydra compatibility
  • ntlm auth = ntlmv1-permitted - Allows NTLMv1 authentication for testing
  • interfaces = 127.0.0.1 and bind interfaces only = yes - Restricts access to localhost only
  • guest ok = no - Disables guest access to the share
  • valid users = labex - Restricts access to specific user only

Why we overwrite the entire file:

  • Avoids conflicts with Ubuntu's default Samba settings
  • Ensures a clean, minimal configuration optimized for Hydra testing
  • Eliminates potential issues with duplicate or conflicting directives
  • Provides a consistent starting point for all users

This configuration ensures that Hydra will be able to properly detect authentication attempts without interference from anonymous access.
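
Because this configuration deliberately permits SMBv1 and NTLMv1, it is worth checking any smb.conf for those two settings before the file is reused outside the lab. The script below is an added example, not part of the original lab: audit_smb_conf and lab_conf are hypothetical helper names, and an unset server min protocol is assumed to mean a modern Samba default.

```shell
#!/usr/bin/env bash
# Added example: flag the protocol downgrades this lab's smb.conf enables.
# Reads smb.conf on stdin; exit status 1 means weak AND reachable off-host.
audit_smb_conf() {
  awk '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z0-9]/, "", sect); next }
    sect == "global" && index($0, "=") {
      # Samba ignores case and spaces in parameter names, so normalise both.
      k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
      v = tolower(substr($0, index($0, "=") + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
      conf[k] = v
    }
    END {
      p = conf["serverminprotocol"]   # assumption: unset means a modern default
      if (p ~ /^(core|coreplus|lanman1|lanman2|nt1)$/) {
        print "WEAK server min protocol = " p " (SMBv1 or older accepted)"; weak = 1
      }
      a = conf["ntlmauth"]
      if (a == "ntlmv1-permitted" || a == "yes") {
        print "WEAK ntlm auth = " a " (NTLMv1 accepted)"; weak = 1
      }
      lo = (conf["bindinterfacesonly"] ~ /^(yes|true|1)$/ &&
            conf["interfaces"] ~ /^(lo|127\.[0-9.]+)( +(lo|127\.[0-9.]+))*$/)
      print "SCOPE " (lo ? "loopback-only" : "network-reachable")
      exit (weak && !lo)
    }'
}

# The [global] lines from the lab configuration above that matter here.
lab_conf() {
cat <<'EOF'
[global]
   security = user
   ## Explicitly enable SMBv1 and NTLMv1 for Hydra
   server min protocol = NT1
   ntlm auth = ntlmv1-permitted
   ## Bind to localhost
   interfaces = 127.0.0.1
   bind interfaces only = yes
[share]
   valid users = labex
EOF
}

lab_conf | audit_smb_conf
```

Against a real file, run it as audit_smb_conf < /etc/samba/smb.conf and treat a non-zero exit status as a reason not to deploy that configuration.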

Now, let's create the shared directory.

mkdir ~/project/share
sudo chmod 777 ~/project/share

This creates a directory named share in your ~/project directory and sets its permissions to 777, which means everyone has read, write, and execute permissions. Note: In a real-world scenario, you would want to use more restrictive permissions. For simplicity in this lab environment, we are using 777.

Next, you need to add a Samba user. This user will be used to authenticate to the SMB server. You'll use the labex user that already exists on the system. First, set a Samba password for the labex user.

sudo smbpasswd -a labex

You will be prompted to enter a new password for the labex user. Enter password as the password (the literal word, which also appears in the password list used later) and confirm it.

New SMB password:
Retype new SMB password:
Added user labex.

Finally, restart the Samba service to apply the changes.

sudo /etc/init.d/smbd restart
sudo /etc/init.d/nmbd restart

You should see output similar to this:

 * Stopping SMB/CIFS daemon smbd                                        [ OK ]
 * Starting SMB/CIFS daemon smbd                                        [ OK ]
 * Stopping NetBIOS name server nmbd                                    [ OK ]
 * Starting NetBIOS name server nmbd                                    [ OK ]

This command will check your Samba configuration for syntax errors and show the active configuration. You should see output confirming your settings without any errors.

Now, your local SMB server is set up with proper security settings. You have created a shared directory named share and added the labex user with a Samba password. The configuration is optimized to work correctly with Hydra attacks.

Prepare User and Password Lists

In this step, you will create the user and password lists that Hydra will use to perform the SMB attack. These lists will contain potential usernames and passwords that Hydra will try to use to authenticate to the SMB server.

First, let's create the user list. You'll use nano to create a file named users.txt in the ~/project directory.

nano ~/project/users.txt

In this file, add the following usernames, one per line:

labex
admin
guest
user
test
root

Press Ctrl+X, then Y, then Enter to save the file.

Now, let's create the password list. You'll use nano to create a file named passwords.txt in the ~/project directory.

nano ~/project/passwords.txt

In this file, add the following passwords, one per line:

password
123456
labex
admin
guest

Press Ctrl+X, then Y, then Enter to save the file.

These are simple lists for demonstration purposes. In a real-world scenario, you would use much larger and more complex lists.

Now you have created two files: users.txt containing a list of usernames, and passwords.txt containing a list of passwords. Hydra will use these lists in the next step to attempt to crack the SMB server password.

Run Hydra SMB Attack

In this step, you will use Hydra to perform a brute-force attack against the SMB server you set up in the first step. Hydra is a parallelized login cracker which supports numerous protocols to attack.

Open your terminal in the ~/project directory.

Now, let's run the Hydra command to attack the SMB service.

hydra -L ~/project/users.txt -P ~/project/passwords.txt 127.0.0.1 smb

Let's break down this command:

  • hydra: This is the command to run the Hydra tool.
  • -L ~/project/users.txt: This specifies the path to the user list file.
  • -P ~/project/passwords.txt: This specifies the path to the password list file.
  • 127.0.0.1: This is the IP address of the target SMB server (localhost in this case).
  • smb: This specifies the service to attack (SMB).

Hydra will now start attempting to log in to the SMB server using the usernames and passwords from the lists you provided. It will try every combination of username and password until it finds a valid one or exhausts all possibilities.

With the properly configured SMB server from Step 1, you should see successful credential discovery:

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 10:52:16
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 30 login tries (l:6/p:5), ~30 tries per task
[DATA] attacking smb://127.0.0.1:445/
[445][smb] host: 127.0.0.1   login: labex   password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-30 10:52:17

Understanding the Output:

  • The line [445][smb] host: 127.0.0.1 login: labex password: password shows that Hydra successfully found valid credentials
  • Username: labex
  • Password: password
  • The summary shows "1 valid password found", confirming the successful attack

Important Note: This attack is being performed on a local SMB server for educational purposes. We have specifically configured the server to demonstrate how Hydra works. In production environments, SMBv1 should be disabled for security reasons. Performing unauthorized attacks on remote systems is illegal and unethical.

The command might take some time to complete, depending on the size of your user and password lists. Observe the output to see when Hydra successfully cracks the password.

Check SMB Attack Results

In this step, you will analyze the output of the Hydra SMB attack to confirm the successful credential discovery and verify the cracked credentials by connecting to the SMB share.

After running the Hydra command (and potentially applying the troubleshooting steps) in the previous step, you should see successful output similar to this:

[445][smb] host: 127.0.0.1   login: labex   password: password
1 of 1 target successfully completed, 1 valid password found

This line indicates that Hydra successfully cracked the SMB credentials:

  • Username: labex
  • Password: password

Verifying the Cracked Credentials: To confirm that the cracked credentials are valid, you can use the smbclient command to connect to the SMB share. First, install it if it's not already installed:

sudo apt update
sudo apt install smbclient -y

You should see output similar to this:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libsmbclient
The following NEW packages will be installed:
  libsmbclient smbclient
0 upgraded, 2 newly installed, 0 to remove and 252 not upgraded.
...
Setting up smbclient (2:4.15.13+dfsg-0ubuntu1.6) ...

Now, use the cracked credentials to connect to the SMB share:

smbclient //127.0.0.1/share -U labex%password

Let's break down this command:

  • smbclient: The command-line utility to access SMB/CIFS resources on servers.
  • //127.0.0.1/share: The path to the SMB share. 127.0.0.1 is the IP address of your local SMB server, and share is the name of the shared directory.
  • -U labex%password: Specifies the username (labex) and password (password) that Hydra cracked. The username and password are separated by a % sign.

If the connection is successful, you will be presented with an smb: \> prompt, indicating that you have successfully connected to the SMB share using the cracked credentials:

Try "help" to get a list of possible commands.
smb: \>

You can then type exit and press Enter to leave the smbclient prompt:

exit

This successful connection confirms that:

  1. Hydra successfully cracked the SMB credentials
  2. The username and password combination is valid
  3. The attack was effective against the configured SMB server
  4. The cracked credentials provide access to the shared directory

Security Implications: This successful attack demonstrates the importance of:

  • Using strong, complex passwords
  • Implementing account lockout policies
  • Monitoring for brute-force attacks
  • Disabling unnecessary services and protocols
  • Regular security audits and penetration testing
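
Monitoring for brute-force attacks can start from the server's own authentication log. The script below is an added example, not part of the original lab: it counts failed logons per client and reports any account that also logged on successfully from the same client. smb_auth_bursts and sample_auth_log are hypothetical names, and the sample lines are constructed, modelled on Samba's "Auth:" audit entries, whose exact layout varies between Samba versions.

```shell
#!/usr/bin/env bash
# Added example: summarise failed SMB logons per client from Samba auth lines.
# Usage: smb_auth_bursts MIN_FAILURES < logfile
smb_auth_bursts() {
  awk -v min="$1" '
    # Return the text inside the [...] that follows "key ".
    function field(key,   i, rest) {
      i = index($0, key " [")
      if (i == 0) return ""
      rest = substr($0, i + length(key) + 2)
      return substr(rest, 1, index(rest, "]") - 1)
    }
    /Auth: \[/ {
      split(field("remote host"), h, ":")
      ip = (h[1] == "ipv4") ? h[2] : field("remote host")
      # Account name is the second bracket in: user [DOMAIN]\[name]
      acct = substr($0, index($0, "]\\[") + 3)
      acct = substr(acct, 1, index(acct, "]") - 1)
      if (field("status") == "NT_STATUS_OK") {
        ok[ip] = ok[ip] (ok[ip] == "" ? "" : ",") acct; next
      }
      fail[ip]++
      if (!((ip, acct) in seen)) { seen[ip, acct] = 1; users[ip]++ }
    }
    END {
      for (ip in fail) if (fail[ip] >= min)
        printf "%s failures=%d users=%d success=%s\n",
               ip, fail[ip], users[ip], ((ip in ok) ? ok[ip] : "-")
    }'
}

# Constructed sample input (not captured from a real server).
sample_auth_log() {
cat <<'EOF'
  Auth: [SMB,(null)] user [WORKGROUP]\[labex] at [Fri, 30 May 2025 10:52:16 UTC] with [NTLMv1] status [NT_STATUS_OK] workstation [LAB] remote host [ipv4:127.0.0.1:40110]
  Auth: [SMB,(null)] user [WORKGROUP]\[admin] at [Fri, 30 May 2025 10:52:16 UTC] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [LAB] remote host [ipv4:127.0.0.1:40112]
  Auth: [SMB,(null)] user [WORKGROUP]\[admin] at [Fri, 30 May 2025 10:52:16 UTC] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [LAB] remote host [ipv4:127.0.0.1:40114]
  Auth: [SMB,(null)] user [WORKGROUP]\[admin] at [Fri, 30 May 2025 10:52:17 UTC] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [LAB] remote host [ipv4:127.0.0.1:40116]
  Auth: [SMB,(null)] user [WORKGROUP]\[guest] at [Fri, 30 May 2025 10:52:17 UTC] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [LAB] remote host [ipv4:127.0.0.1:40118]
  Auth: [SMB,(null)] user [WORKGROUP]\[guest] at [Fri, 30 May 2025 10:52:17 UTC] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [LAB] remote host [ipv4:127.0.0.1:40120]
  Auth: [SMB2,(null)] user [WORKGROUP]\[labex] at [Fri, 30 May 2025 11:03:41 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PC7] remote host [ipv4:192.0.2.10:51877]
EOF
}

sample_auth_log | smb_auth_bursts 5
```

A client that crosses the failure threshold across several account names and also shows a successful logon is the pattern the lab's Hydra run produces; a single mistyped password from another client stays below the threshold.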

Summary

In this lab, you have learned how to attack SMB services using Hydra, a powerful password cracking tool. You started by setting up a local SMB server using Samba, which involved installing the necessary packages, configuring the smb.conf file to create a shared directory with SMBv1 and NTLMv1 support for Hydra compatibility, and setting appropriate permissions.

You then prepared user and password lists (users.txt with 6 usernames and passwords.txt with 5 passwords) to be used in the Hydra attack. With the properly configured SMB server from Step 1, the Hydra SMB attack successfully cracked the SMB credentials by finding the valid combination of username labex and password password.

You confirmed the success of the attack by using smbclient to connect to the SMB share with the discovered credentials, demonstrating that the cracked credentials provided legitimate access to the shared directory.

This lab effectively demonstrated:

  1. Hydra's Capabilities: How Hydra can systematically test username and password combinations against SMB services
  2. Proper Configuration: The importance of correctly configuring the target service for security testing
  3. Brute-Force Attack Methodology: The process of preparing wordlists and executing automated attacks
  4. Attack Verification: The importance of confirming successful credential discovery
  5. Security Configuration: How proper SMB configuration prevents anonymous access while allowing legitimate authentication testing

Key Security Lessons:

  • Weak passwords are vulnerable to brute-force attacks
  • Proper service configuration is crucial for both security and testing
  • Disabling anonymous access ensures clear authentication results
  • Automated tools like Hydra can quickly test many credential combinations
  • Regular security testing helps identify vulnerabilities before attackers do

Important Note: This attack was performed on a local SMB server configured specifically for educational purposes. In production environments, SMBv1 should be disabled, strong password policies should be enforced, and monitoring should be in place to detect brute-force attacks. Performing unauthorized attacks on remote systems is illegal and unethical.