Skip to content

feat(smbtakeover): add smbtakeover.py module#1153

Open
sttlr wants to merge 1 commit intoPennyw0rth:mainfrom
sttlr:feat-add-smbtakeover-module
Open

feat(smbtakeover): add smbtakeover.py module#1153
sttlr wants to merge 1 commit intoPennyw0rth:mainfrom
sttlr:feat-add-smbtakeover-module

Conversation

@sttlr
Copy link

@sttlr sttlr commented Mar 14, 2026

Description

Added smbtakeover.py module to unbind/rebind SMB port 445/tcp. Useful when conducting NTLM relay attacks.

Usually Windows hosts already use port 445/tcp for SMB. And to conduct an NTLM relay attack you'd need port 445 to be available to bind to it. There are ways to do it via loading a driver, loading a module into LSASS, rebooting the target machine - which are all bad for OPSEC.

This module solves this problem in an OPSEC safe way.

Original research - https://specterops.io/blog/2024/08/01/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/
Original code - https://github.com/zyn3rgy/smbtakeover

Used Gemini Pro to generate the NXCModule class. Validated after it.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)
  • This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)

Setup guide for the review

NOTE: User running the module has to have Administrator level access on the machine (to start/stop the services).
NOTE: WMI ports need to be accessible (check firewall).

I used Kaiju chain from Vulnlab to validate the module.

Screenshots (if appropriate):

Pasted Graphic 2

Unbinding and then rebinding works ok.

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
  • I have performed a self-review of my own code (not an AI review)
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@Marshall-Hallenbeck Marshall-Hallenbeck Awaiting requested review from Marshall-Hallenbeck Marshall-Hallenbeck is a code owner

@NeffIsBack NeffIsBack Awaiting requested review from NeffIsBack NeffIsBack is a code owner

@mpgn mpgn Awaiting requested review from mpgn mpgn is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sttlr