Metasploit SMB and Samba Enumerations

In this article, I’m going to teach you how to do SMB and Samba enumeration using the Metasploit penetration testing tool.

What is enumeration?

Enumeration is the process of creating an active connection with target hosts to discover possible attack vectors on a system; the information gathered can then be used for further exploitation of the system.

Enumeration is used to gather the following information:

  1. Hostnames
  2. IP tables and routing tables
  3. Application and banners
  4. SNMP and DNS details
  5. Usernames, group names
  6. Network shares and services
  7. Service testing and audit configurations

What is SMB enumeration?

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports, and communication links such as named pipes and mail slots between computers.

SMB can run directly over TCP ports 137, 139 and 445, or over UDP ports 137 and 138.

SMB enumeration in metasploit

First, we need to open Metasploit, so type the command below in your terminal.

-q – quiet mode (suppresses the startup banner)

    msfconsole -q

Now, to check whether any SMB ports are open, type the command below.

-p – port parameter

139,445 – SMB port numbers

    services -p 139,445

Once you have typed the command above and pressed Enter, every machine on your network with port 139 or 445 open will be listed in your terminal. Note that services reads from Metasploit's database, so it only lists hosts that you have already scanned (for example with db_nmap) or imported into the current workspace.

(Screenshot: devices with SMB ports open)

Now we need to find the SMB-related auxiliary scanners under this directory, so type the command below.

    use auxiliary/scanner/smb

The above command is not a complete module path, but if you execute it in your Metasploit terminal it will show all the matching modules.

(Screenshot: all SMB modules)

Use SMB modules

The basic logic behind the enumeration is service banner and version detection.

Choose any module from the SMB list, for example:

    use auxiliary/scanner/smb/smb_version

After selecting the module, type the command below.

    show options

This command shows the module's options and which of them are mandatory. Fill in all the required options (at minimum RHOSTS, the target address or range); once that is done, run the command below to execute the module.

    run

(Screenshot: executing the SMB module)

Examples of SMB auxiliary Modules

SMB_ENUMSHARES

The smb_enumshares module, as its name suggests, enumerates any SMB shares that are available on a remote system.

    msf > use auxiliary/scanner/smb/smb_enumshares
    msf auxiliary(smb_enumshares) > show options

    Module options (auxiliary/scanner/smb/smb_enumshares):

       Name             Current Setting  Required  Description
       ----             ---------------  --------  -----------
       LogSpider        3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
       MaxDepth         999              yes       Max number of subdirectories to spider
       RHOSTS                            yes       The target address range or CIDR identifier
       SMBDomain        .                no        The Windows domain to use for authentication
       SMBPass                           no        The password for the specified username
       SMBUser                           no        The username to authenticate as
       ShowFiles        false            yes       Show detailed information when spidering
       SpiderProfiles   true             no        Spider only user profiles when share = C$
       SpiderShares     false            no        Spider shares recursively
       THREADS          1                yes       The number of concurrent threads
       USE_SRVSVC_ONLY  false            yes       List shares only with SRVSVC

    msf auxiliary(smb_enumshares) > set RHOSTS 192.168.1.150-165
    RHOSTS => 192.168.1.150-165
    msf auxiliary(smb_enumshares) > set THREADS 16
    THREADS => 16
    msf auxiliary(smb_enumshares) > run

    [*] 192.168.1.154:139 print$ - Printer Drivers (DISK), tmp - oh noes! (DISK), opt -  (DISK), IPC$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
    Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
    Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
    [*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
    Error: 192.168.1.162 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
    Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
    Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
    [*] Scanned 06 of 16 hosts (037% complete)
    [*] Scanned 09 of 16 hosts (056% complete)
    [*] Scanned 10 of 16 hosts (062% complete)
    [*] Scanned 14 of 16 hosts (087% complete)
    [*] Scanned 15 of 16 hosts (093% complete)
    [*] Scanned 16 of 16 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(smb_enumshares) >

As you can see, most of the systems checked deny access because this is a scan without login credentials. Passing user credentials to the scanner can produce very different results.

    msf auxiliary(smb_enumshares) > set SMBPass s3cr3t
    SMBPass => s3cr3t
    msf auxiliary(smb_enumshares) > set SMBUser Administrator
    SMBUser => Administrator
    msf auxiliary(smb_enumshares) > run

    [*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
    [*] 192.168.1.160:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
    [*] 192.168.1.150:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
    [*] Scanned 06 of 16 hosts (037% complete)
    [*] Scanned 07 of 16 hosts (043% complete)
    [*] Scanned 12 of 16 hosts (075% complete)
    [*] Scanned 15 of 16 hosts (093% complete)
    [*] Scanned 16 of 16 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(smb_enumshares) >

SMB_ENUMUSERS

The smb_enumusers scanner connects to each system through the SMB RPC service and lists the users on the system.

    msf > use auxiliary/scanner/smb/smb_enumusers
    msf auxiliary(smb_enumusers) > show options

    Module options:

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       RHOSTS                      yes       The target address range or CIDR identifier
       SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
       SMBPass                     no        The password for the specified username
       SMBUser                     no        The username to authenticate as
       THREADS    1                yes       The number of concurrent threads

    msf auxiliary(smb_enumusers) > set RHOSTS 192.168.1.150-165
    RHOSTS => 192.168.1.150-165
    msf auxiliary(smb_enumusers) > set THREADS 16
    THREADS => 16
    msf auxiliary(smb_enumusers) > run

    [*] 192.168.1.161 XEN-XP-SP2-BARE [  ]
    [*] 192.168.1.154 METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
    [*] Scanned 05 of 16 hosts (031% complete)
    [*] Scanned 12 of 16 hosts (075% complete)
    [*] Scanned 15 of 16 hosts (093% complete)
    [*] Scanned 16 of 16 hosts (100% complete)
    [*] Auxiliary module execution completed

We can see that when we run the scan without credentials, only the Linux Samba service returns a user list; passing a set of valid credentials to the scanner will produce a user list for our other targets as well.

    msf auxiliary(smb_enumusers) > set SMBPass s3cr3t
    SMBPass => s3cr3t
    msf auxiliary(smb_enumusers) > set SMBUser Administrator
    SMBUser => Administrator
    msf auxiliary(smb_enumusers) > run

    [*] 192.168.1.150 V-XPSP2-SPLOIT- [ Administrator, Guest, HelpAssistant, SUPPORT_388945a0 ]
    [*] Scanned 04 of 16 hosts (025% complete)
    [*] 192.168.1.161 XEN-XP-SP2-BARE [ Administrator, Guest, HelpAssistant, SUPPORT_388945a0, victim ]
    [*] 192.168.1.160 XEN-XP-PATCHED [ Administrator, ASPNET, Guest, HelpAssistant, SUPPORT_388945a0 ]
    [*] Scanned 09 of 16 hosts (056% complete)
    [*] Scanned 13 of 16 hosts (081% complete)
    [*] Scanned 15 of 16 hosts (093% complete)
    [*] Scanned 16 of 16 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(smb_enumusers) >

After we pass the credentials to the scanner, the Linux machine no longer returns its user list, because those credentials are not valid on that system. This is an example of why it is worthwhile to run the scanner with different settings.

SMB_LOGIN

Metasploit’s smb_login module attempts to log in via SMB across the specified IP range. Once you have loaded the database plugin, successful login information is saved there for later use.

    msf > use auxiliary/scanner/smb/smb_login
    msf auxiliary(smb_login) > show options

    Module options (auxiliary/scanner/smb/smb_login):

       Name              Current Setting                     Required  Description
       ----              ---------------                     --------  -----------
       ABORT_ON_LOCKOUT  false                               yes       Abort the run when an account lockout is detected
       BLANK_PASSWORDS   false                               no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                                   yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false                               no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false                               no        Add all passwords in the current database to the list
       DB_ALL_USERS      false                               no        Add all users in the current database to the list
       DETECT_ANY_AUTH   true                                no        Enable detection of systems accepting any authentication
       PASS_FILE         /usr/share/wordlists/fasttrack.txt  no        File containing passwords, one per line
       PRESERVE_DOMAINS  true                                no        Respect a username that contains a domain name.
       Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
       RECORD_GUEST      false                               no        Record guest-privileged random logins to the database
       RHOSTS                                                yes       The target address range or CIDR identifier
       RPORT             445                                 yes       The SMB service port (TCP)
       SMBDomain         .                                   no        The Windows domain to use for authentication
       SMBPass                                               no        The password for the specified username
       SMBUser                                               no        The username to authenticate as
       STOP_ON_SUCCESS   false                               yes       Stop guessing when a credential works for a host
       THREADS           1                                   yes       The number of concurrent threads
       USERPASS_FILE                                         no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false                               no        Try the username as the password for all users
       USER_FILE                                             no        File containing usernames, one per line
       VERBOSE           true                                yes       Whether to print output for all attempts

It is clear that this module has many more options than the other auxiliary modules and is very versatile. First, we will run a scan using the Administrator credentials found earlier.

    msf auxiliary(smb_login) > set RHOSTS 192.168.1.150-165
    RHOSTS => 192.168.1.150-165
    msf auxiliary(smb_login) > set SMBPass s3cr3t
    SMBPass => s3cr3t
    msf auxiliary(smb_login) > set SMBUser Administrator
    SMBUser => Administrator
    msf auxiliary(smb_login) > set THREADS 16
    THREADS => 16
    msf auxiliary(smb_login) > run

    [*] Starting SMB login attempt on 192.168.1.165
    [*] Starting SMB login attempt on 192.168.1.153
    ...snip...
    [*] Starting SMB login attempt on 192.168.1.156
    [*] 192.168.1.154 - FAILED LOGIN () Administrator :  (STATUS_LOGON_FAILURE)
    [*] 192.168.1.150 - FAILED LOGIN (Windows 5.1) Administrator :  (STATUS_LOGON_FAILURE)
    [*] 192.168.1.160 - FAILED LOGIN (Windows 5.1) Administrator :  (STATUS_LOGON_FAILURE)
    [*] 192.168.1.154 - FAILED LOGIN () Administrator : s3cr3t (STATUS_LOGON_FAILURE)
    [-] 192.168.1.162 - FAILED LOGIN (Windows 7 Enterprise 7600) Administrator :  (STATUS_ACCOUNT_DISABLED)
    [*] 192.168.1.161 - FAILED LOGIN (Windows 5.1) Administrator :  (STATUS_LOGON_FAILURE)
    [+] 192.168.1.150 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
    [*] Scanned 04 of 16 hosts (025% complete)
    [+] 192.168.1.160 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
    [+] 192.168.1.161 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
    [*] Scanned 13 of 16 hosts (081% complete)
    [*] Scanned 14 of 16 hosts (087% complete)
    [*] Scanned 15 of 16 hosts (093% complete)
    [*] Scanned 16 of 16 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(smb_login) >

You can also pass lists of usernames and passwords to the smb_login module to attempt a brute-force login against the different machines.

    msf auxiliary(smb_login) > show options

    Module options:

       Name              Current Setting  Required  Description
       ----              ---------------  --------  -----------
       BLANK_PASSWORDS   true             yes       Try blank passwords for all users
       BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
       PASS_FILE                          no        File containing passwords, one per line
       RHOSTS                             yes       The target address range or CIDR identifier
       RPORT             445              yes       Set the SMB service port
       SMBDomain         WORKGROUP        no        SMB Domain
       SMBPass                            no        SMB Password
       SMBUser                            no        SMB Username
       STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
       THREADS           1                yes       The number of concurrent threads
       USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
       USER_FILE                          no        File containing usernames, one per line
       VERBOSE           true             yes       Whether to print output for all attempts

    msf auxiliary(smb_login) > set PASS_FILE /root/passwords.txt
    PASS_FILE => /root/passwords.txt
    msf auxiliary(smb_login) > set USER_FILE /root/users.txt
    USER_FILE => /root/users.txt
    msf auxiliary(smb_login) > set RHOSTS 192.168.1.150-165
    RHOSTS => 192.168.1.150-165
    msf auxiliary(smb_login) > set THREADS 16
    THREADS => 16
    msf auxiliary(smb_login) > set VERBOSE false
    VERBOSE => false
    msf auxiliary(smb_login) > run

    [-] 192.168.1.162 - FAILED LOGIN (Windows 7 Enterprise 7600) Administrator :  (STATUS_ACCOUNT_DISABLED)
    [*] 192.168.1.161 - GUEST LOGIN (Windows 5.1) dale :
    [*] 192.168.1.161 - GUEST LOGIN (Windows 5.1) chip :
    [*] 192.168.1.161 - GUEST LOGIN (Windows 5.1) dookie :
    [*] 192.168.1.161 - GUEST LOGIN (Windows 5.1) jimmie :
    [+] 192.168.1.150 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
    [+] 192.168.1.160 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
    [+] 192.168.1.161 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
    [+] 192.168.1.161 - SUCCESSFUL LOGIN (Windows 5.1) 'victim' : 's3cr3t'
    [+] 192.168.1.162 - SUCCESSFUL LOGIN (Windows 7 Enterprise 7600) 'victim' : 's3cr3t'
    [*] Scanned 15 of 16 hosts (093% complete)
    [*] Scanned 16 of 16 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(smb_login) >

You should try more of its options to fully appreciate this extremely valuable module.
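The module output above is only useful once it is turned into a list of things to fix: shares reachable without credentials, hosts that accept guest logins, and accounts whose passwords were guessed. The following script is an added example written for this article, not code from the article itself or from the Metasploit project. It parses the line formats that smb_enumshares and smb_login print (as shown in the transcripts above) into one record per host and reduces them to findings. The sample input is constructed from those transcripts, and the set of "default" share names is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a live scan): lines in the format that
# smb_enumshares and smb_login print, copied from the transcripts above. The
# addresses and credentials are the article's lab values.
SAMPLE_OUTPUT = """\
[*] 192.168.1.154:139 print$ - Printer Drivers (DISK), tmp - oh noes! (DISK), opt -  (DISK), IPC$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
[*] 192.168.1.161 - GUEST LOGIN (Windows 5.1) dale :
[*] 192.168.1.161 - GUEST LOGIN (Windows 5.1) chip :
[+] 192.168.1.150 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
[-] 192.168.1.162 - FAILED LOGIN (Windows 7 Enterprise 7600) Administrator :  (STATUS_ACCOUNT_DISABLED)
[*] Scanned 16 of 16 hosts (100% complete)
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "[*] <ip>:<port> share - comment (TYPE), share - comment (TYPE), ..."
SHARE_LINE = re.compile(r"^\[\*\] " + IP + r":\d+ (.+)$")
# One share entry. The comment may itself contain parentheses (Samba banners do),
# so an entry is delimited by its trailing " (TYPE)" followed by ", " or end of line.
SHARE_ENTRY = re.compile(r"(\S+) - (.*?) \((DISK|IPC|PRINTER)\)(?=, |$)")
GUEST_LINE = re.compile(r"^\[\*\] " + IP + r" - GUEST LOGIN \([^)]*\) (\S+) :")
SUCCESS_LINE = re.compile(r"^\[\+\] " + IP + r" - SUCCESSFUL LOGIN \([^)]*\) '([^']*)' : '([^']*)'")
DENIED_LINE = re.compile(r"^Error: " + IP + r" .*STATUS_ACCESS_DENIED")

# Assumed set of shares a Windows host (or a Samba server with printing enabled)
# publishes by default; any other share visible to the scan deserves review.
DEFAULT_SHARES = {"IPC$", "ADMIN$", "C$", "print$"}


def _new_host():
    return {"shares": [], "guest_logins": [], "valid_creds": [], "access_denied": False}


def parse_msf_smb_output(text):
    """Fold smb_enumshares / smb_login console lines into one record per host."""
    hosts = defaultdict(_new_host)
    for line in text.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            ip, listing = m.groups()
            for name, comment, kind in SHARE_ENTRY.findall(listing):
                hosts[ip]["shares"].append({"name": name, "comment": comment.strip(), "type": kind})
            continue
        m = GUEST_LINE.match(line)
        if m:
            hosts[m.group(1)]["guest_logins"].append(m.group(2))
            continue
        m = SUCCESS_LINE.match(line)
        if m:
            hosts[m.group(1)]["valid_creds"].append((m.group(2), m.group(3)))
            continue
        m = DENIED_LINE.match(line)
        if m:
            hosts[m.group(1)]["access_denied"] = True
        # Progress lines and FAILED LOGIN lines carry no exposure and are skipped.
    return dict(hosts)


def exposure_findings(hosts):
    """Reduce the parsed records to (ip, finding, detail) tuples for a remediation ticket.

    Passwords are deliberately left out of the output; only the account name is reported.
    """
    findings = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        h = hosts[ip]
        names = [s["name"] for s in h["shares"]]
        if names:
            findings.append((ip, "share list returned", ", ".join(names)))
        extra = [n for n in names if n not in DEFAULT_SHARES]
        if extra:
            findings.append((ip, "non-default shares exposed", ", ".join(extra)))
        if h["guest_logins"]:
            findings.append((ip, "guest login accepted", ", ".join(h["guest_logins"])))
        for user, _password in h["valid_creds"]:
            findings.append((ip, "credential guessed", user))
    return findings


if __name__ == "__main__":
    for ip, finding, detail in exposure_findings(parse_msf_smb_output(SAMPLE_OUTPUT)):
        print(f"{ip:<16} {finding:<28} {detail}")
```

Run it against a saved msfconsole transcript (for example via spool) instead of SAMPLE_OUTPUT to get the same per-host summary. A share list returned by an unauthenticated run means null-session enumeration is allowed on that host; a host that only produced STATUS_ACCESS_DENIED errors is recorded but generates no finding.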
