Metasploitable 3 Windows Walkthrough: Part IV

Exploiting Port 137 (UDP) – NetBIOS Name Service

The name service operates on UDP port 137. The name service primitives offered by NetBIOS are:

  • Add name – registers a NetBIOS name.
  • Add group name – registers a NetBIOS “group” name.
  • Delete name – un-registers a NetBIOS name or group name.
  • Find name – looks up a NetBIOS name on the network.

The name service itself is rarely exploitable, but it is useful for enumeration: a single node-status (NBSTAT) query returns the host's NetBIOS name table, which reveals the computer name, the workgroup or domain, the services it runs and its MAC address.

Enumerating using NBTScan

NBTScan is a command line tool that sends NetBIOS node-status queries to a host or a whole network range and reports the NetBIOS names, MAC address and logged-in user each host returns. It runs on both Unix and Windows and ships with Kali Linux by default.

Enumerating with NBTScan

In this case, not a lot of information but always better than nothing.
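To see what NBTScan (and Nmap's nbstat script, further down) actually put on the wire, here is an added example that is not code from the original post or from either tool: it builds the node-status query for the wildcard name "*", sends it to UDP/137, and decodes the name table and MAC address in the reply. The reply it parses offline is constructed; the names, workgroup and MAC in it are assumptions, not output from the lab.

```python
"""NetBIOS Name Service (UDP/137) node-status query and response parser.

Added example, not code from the original post, nbtscan or Nmap. The reply
below is constructed for offline use; its names and MAC are assumptions.
"""
import socket
import struct

NBSTAT = 0x0021   # node status request / response record type

UNIQUE_SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service",
                   0x20: "File Server Service", 0x1B: "Domain Master Browser",
                   0x1D: "Master Browser"}
GROUP_SUFFIXES = {0x00: "Domain/Workgroup name", 0x1C: "Domain Controllers",
                  0x1E: "Browser Service Elections"}


def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append
    the suffix byte, then write each byte as two nibble letters 'A'..'P'."""
    pad = b"\x00" if name == "*" else b" "          # the wildcard is NUL-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"


def build_nbstat_query(txid=0x1337):
    """Header: ID, flags=0 (query), QDCOUNT=1; question '*' type NBSTAT class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, 1)


def describe(suffix, group):
    table = GROUP_SUFFIXES if group else UNIQUE_SUFFIXES
    return table.get(suffix, "Group" if group else "Unique")


def parse_nbstat_response(data):
    """Decode the name table and MAC address, or None if no answer / error."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if an == 0 or flags & 0x000F:                     # RCODE != 0 is an error
        return None
    pos = 12
    pos += 1 + data[pos] + 1                          # length byte, name, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        return None
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack(">15sBH", data[pos:pos + 18])
        pos += 18
        group = bool(nflags & 0x8000)                 # G bit: group name
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "group": group,
                      "active": bool(nflags & 0x0400),   # ACT bit
                      "type": describe(suffix, group)})
    mac = ":".join(f"{b:02X}" for b in data[pos:pos + 6])   # unit ID = MAC
    return {"names": names, "mac": mac}


def constructed_response(txid=0x1337):
    """A reply shaped like a Windows host's; every value in it is made up."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response + AA
    entries = [(b"METASPLOITABLE3", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"METASPLOITABLE3", 0x20, 0x0400)]
    rdata = bytes([len(entries)]) + b"".join(
        struct.pack(">15sBH", n.ljust(15, b" "), s, f) for n, s, f in entries)
    rdata += bytes.fromhex("000C29AABBCC") + bytes(46)   # MAC + zeroed statistics
    return header + encode_name("*") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


def nbstat(host, timeout=2.0):
    """What `nbtscan host` does for a single address: one query, one reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, 137))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_nbstat_response(data)
```

`nbstat("<target>")` returns the same table the NBTScan screenshot shows; the suffix of each entry is what tells a workstation name (0x00) apart from the file server service (0x20) or a domain controller group (0x1C).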

Enumerating using Nmap

Nmap contains a handy little script, nbstat, as part of the Nmap Scripting Engine that sends the same node-status query and lists the NetBIOS names it gets back. This has the advantage that it can be run together with other NSE scripts, ultimately saving time when enumerating many different things on a network.

Enumerating with Nmap

Enumerating using Metasploit

As expected, MSF has some modules to be used against NetBIOS. Only one currently produces useful info:

Enumerating with Metasploit

Exploiting Port 139 – NetBIOS Session Service

A NetBIOS name is 16 bytes long: up to 15 characters of name plus a one-byte suffix that identifies the service (0x00 workstation, 0x20 file server, and so on). It is independent of the DNS host name, although on Windows it is normally the computer name truncated to 15 characters. Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. Two applications start a NetBIOS session when one (the client) sends a Session Request over TCP port 139 that carries the called (server) and calling (client) NetBIOS names; the server answers with a positive or negative session response, and a negative response tells you whether the called name is even registered on that host.
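The session request and the three kinds of reply described above, as an added example that is not code from the original post or from Nmap. It builds the 0x81 Session Request, decodes positive (0x82), negative (0x83, with a reason byte) and retarget (0x84) responses, and wraps that in a check you can point at TCP/139. The called and calling names and the sample responses are assumptions for illustration.

```python
"""NetBIOS Session Service (TCP/139): session request and response decoding.

Added example, not code from the original post or from Nmap. The called and
calling names and the sample responses are assumptions for illustration.
"""
import socket
import struct

SESSION_REQUEST, POSITIVE, NEGATIVE, RETARGET = 0x81, 0x82, 0x83, 0x84
NEGATIVE_REASONS = {0x80: "Not listening on called name",
                    0x81: "Not listening for calling name",
                    0x82: "Called name not present",
                    0x83: "Called name present, but insufficient resources",
                    0x8F: "Unspecified error"}


def encode_name(name, suffix):
    """First-level encoded NetBIOS name: 15 space-padded chars plus the suffix
    byte, each byte written as two letters 'A'..'P', length-prefixed, NUL-terminated."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"


def build_session_request(called, calling, called_suffix=0x20):
    """Type 0x81, flags byte, 16-bit length, then the called (server) and
    calling (client) names. Suffix 0x20 asks for the File Server Service."""
    body = encode_name(called, called_suffix) + encode_name(calling, 0x00)
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_response(data):
    """Return (accepted, detail) for a positive, negative or retarget reply."""
    msg_type, _flags, length = struct.unpack(">BBH", data[:4])
    payload = data[4:4 + length]
    if msg_type == POSITIVE:
        return True, "session accepted"
    if msg_type == NEGATIVE:                          # one reason byte follows
        return False, NEGATIVE_REASONS.get(payload[0], f"error 0x{payload[0]:02X}")
    if msg_type == RETARGET:                          # server points at another IP/port
        ip = socket.inet_ntoa(payload[:4])
        port = struct.unpack(">H", payload[4:6])[0]
        return False, f"retarget to {ip}:{port}"
    return False, f"unexpected message type 0x{msg_type:02X}"


def check_called_name(host, called, calling="ENUMBOX", timeout=3.0):
    """Open TCP/139 and ask for a session with `called`; a 'Called name not
    present' reply means that name is not registered on the host."""
    with socket.create_connection((host, 139), timeout=timeout) as s:
        s.sendall(build_session_request(called, calling))
        data = s.recv(256)
    return parse_session_response(data)
```

Windows answers a request for its own name or for the wildcard called name `*SMBSERVER` with a positive response, and for anything else with 0x83/0x82, so `check_called_name` doubles as a way to confirm a name you found over UDP/137 without needing a share listing.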

Enumerating using Nmap

First, check the service version with Nmap:

Checking NetBIOS version with Nmap

Only a few Nmap scripts can be run against port 139 to produce some valid info:

Not really satisfying, right? Two other scripts might reveal some info:

Getting NetBIOS info with Nmap

Getting NetBIOS info with Nmap

Exploiting Port 161 (UDP) – SNMP

Simple Network Management Protocol is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

Enumerating SNMP using Metasploit

MSF has several modules to enumerate a target using the SNMP features.

This one will only list the remote users:

Enumerating SNMP with Metasploit

These user names can now be fed into password attacks against the other services on the host.

This module will give you a full description of the remote system:

Enumerating SNMP with Metasploit

Enumerating SNMP using Nmap

Nmap has several NSE scripts that can be used against hosts where SNMP service is running:

Nmap SNMP scripts

Most of these scripts only enumerate, and all of them need a valid community string before the agent will answer. Try to brute force the SNMP community strings:

Brute forcing SNMP with Nmap

For whatever reason, Nmap 7.80 hung in this lab and the script never displayed a result.

But Nmap version 7.4 worked perfectly, displaying the “public” string:

Brute forcing SNMP with Nmap

Nice! The SNMP community string is “public”. Many devices ship with default community strings such as public and private. A community string is the only credential SNMPv1 and v2c use: it is sent in plaintext with every request, and depending on the configuration it grants read-only or read-write access. An attacker who finds a read-only community string can read a lot of useful information from the target; with a read-write string they can also change it.

Some of the other scripts will also produce important information about the remote system:

Enumerating SNMP with Nmap

Enumerating SNMP with Nmap

Enumerating SNMP with Nmap


Enumerating SNMP using snmp-check

This is simple SNMP enumerator but it will give you a lot of information:

Enumerating SNMP with snmp-check

MSF’s auxiliary/scanner/snmp/snmp_enum module is a port of this tool.

Brute forcing SNMP using onesixtyone

Another tool to brute-force SNMP community strings is onesixtyone. It finds the public string just as easily.

Brute forcing SNMP with onesixtyone

You can use the dictionary file that ships with onesixtyone. It is much faster than the Nmap script because it sends its requests without waiting for each reply, but the result still depends on the quality of the dictionary file.

Checking community strings using snmpwalk

snmpwalk, from the Net-SNMP suite, is a popular SNMP client that walks a subtree of the MIB with repeated GETNEXT requests. You can use it during a penetration test whenever you need to make requests to the SNMP service on the target host.

You can also use this tool to check if a specific community string exists or not. Try to see if “public” community string exists.

Checking public string with SNMPWalk

If “public” community string is supported, we will be able to see the output as shown in the above figure. Now, try another community string:

Checking private strings with SNMPWalk

As you can see, there is no response from the target host because this community string is not accepted. An SNMP agent silently drops requests that carry an unknown community string instead of returning an error, so the client simply times out (snmpwalk reports “Timeout: No Response from <host>”). This is how you can use this tool to determine if a specific community string is allowed or not.

Attacking the SNMP service

Use snmpwalk to extract the SNMP data and display it on the terminal. The following command can be used to filter the value of sysName.

Filtering sysname with snmpwalk

Another option is snmpget, which requests a single OID instead of walking a subtree:

Filtering sysname with snmpget

If the SNMP service was misconfigured with “rw” (read-write) authorization, an attacker could modify these values using the snmpset utility:

Changing sysname with snmpset

Similarly, you can change the value of any writable object, and so spoof what the SNMP service reports to other management systems.

NOTE: By default, the SNMP service in Metasploitable 3 is set to Read Only. If you want to test this attack, you have to change that setting:



