[Detect] SMB Brute Force

One of the most useful and interesting activities that Reveal(x) can detect is brute-force attacks by threat actors who have compromised your internal network and are attempting to attack internal resources such as file shares and databases.

If you want to test this capability for yourself, the Nmap script smb-brute provides a nice, simple way to trigger the detector.

The following command will trigger an SMB Brute Force detection, provided you use a password or username list of sufficient length. 200 users or passwords will do the trick.

nmap --script smb-brute.nse -p445 <host>

where you replace <host> with the actual IP of the server you want to brute force.
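
To cross-check what a test like this should look like on the wire, the added example below (not ExtraHop's detection logic) counts SMB logon failures per client/server pair in a sliding window. The record layout, the 100-failure threshold, the 5-minute window and all sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

STATUS_LOGON_FAILURE = 0xC000006D  # NTSTATUS returned for a bad username or password

def make_sample(start, client, server, failures, spacing_s):
    """Constructed records: (time, client, server, user, ntstatus)."""
    return [(start + timedelta(seconds=i * spacing_s), client, server,
             f"user{i:03d}", STATUS_LOGON_FAILURE) for i in range(failures)]

def detect_smb_brute_force(records, threshold=100, window=timedelta(minutes=5)):
    """Alert once per client/server pair that reaches `threshold` failures in `window`."""
    recent = defaultdict(deque)   # (client, server) -> failures still inside the window
    alerts = {}
    for ts, client, server, user, status in sorted(records, key=lambda r: r[0]):
        if status != STATUS_LOGON_FAILURE:
            continue              # successful logons and other errors are ignored
        q = recent[(client, server)]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and (client, server) not in alerts:
            alerts[(client, server)] = {
                "first_seen": q[0][0], "alert_time": ts,
                "failures": len(q), "distinct_users": len({u for _, u in q})}
    return alerts

# Constructed sample traffic (assumed values, not captured data):
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = (make_sample(T0, "10.0.0.50", "10.0.0.10", 200, 0.5)   # 200-entry list, fast
          + make_sample(T0, "10.0.0.77", "10.0.0.10", 3, 20)    # user mistyping a password
          + make_sample(T0, "10.0.0.88", "10.0.0.10", 150, 60)  # one failure per minute
          + [(T0, "10.0.0.77", "10.0.0.10", "alice", 0)])       # a successful logon

if __name__ == "__main__":
    for pair, info in detect_smb_brute_force(SAMPLE).items():
        print(pair, info)
```

The slow client at one failure per minute never has more than six failures inside the window, which shows why a fixed rate threshold alone misses low-and-slow guessing.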