SMB probe
The SMB probe sends a configurable sequence of SMB commands to a target server. VirtuProbe implements the SMB wire protocol from scratch (MS-SMB2, MS-NLMP, SPNEGO/ASN.1) — no third-party SMB library is used, giving full control over every byte of the exchange.
Connection settings
Section titled “Connection settings”| Field | Description |
|---|---|
| Host | Target hostname or IP |
| Port | Server port (default: 445) |
| Dialect | SMB2 (default, supports SMB 2.0.2 through 3.0.2) or SMB1 (CIFS/NT LM 0.12, legacy targets) |
Authentication
Section titled “Authentication”| Type | Description |
|---|---|
| None | Anonymous / null session — no credentials sent |
| NTLM | NTLMv2 with domain, username, and password |
| Pass-the-Hash | NTLMv2 using the NT hash directly (no plaintext password required) |
For PTH, provide the 32-character hex NT hash — the MD4 hash of the UTF-16LE password, extractable from LSASS or NTDS.dit.
SMB3 transport options
Section titled “SMB3 transport options”| Option | Description |
|---|---|
| Sign messages | Enables AES-128-CMAC message signing after SESSION_SETUP (requires NTLM or PTH auth) |
| Encrypt (AES-GCM) | Wraps all messages in SMB2 TRANSFORM_HEADER with AES-128-GCM encryption (SMB 3.1.1, requires auth) |
Command sequence
Section titled “Command sequence”SMB is stateful — commands are sent in order and the session state carries across them. Commands are reorderable by dragging.
Session commands
Section titled “Session commands”| Command | Description |
|---|---|
NEGOTIATE | Opens the connection and negotiates the dialect. Always the first command. |
SESSION_SETUP | Authenticates using the configured auth type. Two-round NTLM exchange is handled automatically. |
TREE_CONNECT | Connects to a share (e.g. public, C$, IPC$). Enter the share name — the UNC path is built from the probe host. |
TREE_DISCONNECT | Disconnects from the current share. |
LOGOFF | Terminates the session on the server. |
ECHO | Keepalive / connection health check. No auth required. |
File operations (SMB2 only)
Section titled “File operations (SMB2 only)”| Command | Description |
|---|---|
FILE_READ | Opens a file path and reads its content. Text files render inline; binary files as base64. |
FILE_WRITE | Creates or overwrites a file with the provided content. |
DIR_LIST | Lists a directory path — returns filenames, sizes, timestamps, and directory flags. |
LIST_SHARES | Enumerates all shares via the SRVSVC named pipe over IPC$. Returns name, type, and comment for each share. |
File operation commands are not available when Dialect is set to SMB1.
Response rendering
Section titled “Response rendering”After NEGOTIATE
Section titled “After NEGOTIATE”The command block shows the negotiated dialect (e.g. SMB3 0x0300), max read/write sizes, and the NT status code.
After LIST_SHARES
Section titled “After LIST_SHARES”Shares are displayed as a card grid — each card shows the share name, type chip (DISK / IPC / PRINT), and the optional comment field. The IPC special share is marked with an additional indicator.
After DIR_LIST
Section titled “After DIR_LIST”The directory contents are shown as a file explorer table:
| Column | Description |
|---|---|
| Icon | Folder or file indicator |
| Name | Entry name |
| Size | File size (empty for directories) |
| Modified | Last write timestamp |
After FILE_READ
Section titled “After FILE_READ”File content is displayed in a code block with a copy button. Text files render inline; binary content appears as base64.
Assertions
Section titled “Assertions”Set an Expected status on any command. The value is an NT status code — enter it as a hex string (e.g. 0x00000000) or decimal. Common values:
| Code | Name |
|---|---|
0x00000000 | STATUS_SUCCESS |
0xC000006D | STATUS_LOGON_FAILURE — wrong credentials |
0xC0000022 | STATUS_ACCESS_DENIED — share or file not accessible |
0xC00000CC | STATUS_BAD_NETWORK_NAME — share does not exist |
0xC0000034 | STATUS_OBJECT_NAME_NOT_FOUND — file not found |
If the actual status differs from the expected value, the history entry is marked as failed.
Variable substitution
Section titled “Variable substitution”{{variable}} placeholders are supported in host, domain, username, password, NT hash, share path, file path, directory path, and file content fields.
History
Section titled “History”The history panel shows the overall success/fail status and the target host for each past execution. Expanding an entry shows each command’s status, NT status code, and any rich response (shares, file listing, file content).