Exploiting Port 137 (UDP) – NetBIOS Name Service
The name service operates on UDP port 137. The name service primitives offered by NetBIOS are:
- Add name – registers a NetBIOS name.
- Add group name – registers a NetBIOS “group” name.
- Delete name – un-registers a NetBIOS name or group name.
- Find name – looks up a NetBIOS name on the network.
Usually not exploitable, but useful for enumeration purposes.
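To see what the name service actually puts on the wire, here is an added Python example (not code from the original post or from nbtscan/Nmap) that implements the RFC 1001 name encoding and parses a node-status response, which is the record nbtscan and Nmap's nbstat script decode to list registered names, suffixes and the adapter MAC. The response bytes are constructed inline (host name WIN-TEST, workgroup LAB and the MAC are sample values), so it runs offline; the same parser works on the UDP payload of a captured NBNS reply.

```python
import struct

NBNS_PORT = 137          # UDP port of the NetBIOS Name Service
NBSTAT = 0x0021          # RR_TYPE of a node-status (NBSTAT) record, RFC 1002

# Well-known 16th-byte suffixes that identify what a registered name is used for.
SUFFIXES = {
    0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers", 0x1D: "Master Browser",
    0x1E: "Browser Elections", 0x20: "File Server",
}


def encode_name(name, suffix=0x00):
    """RFC 1001 'first-level' encoding: 15-byte space-padded name + suffix byte,
    each byte split into two nibbles and each nibble mapped to 'A'..'P'."""
    if name == "*":                       # node-status wildcard: '*' then 15 NUL bytes
        raw = b"*" + bytes(15)
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))


def decode_name(encoded):
    """Reverse of encode_name: 32 encoded bytes -> (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]


def parse_node_status_response(pkt):
    """Parse a node-status response (what nbtscan / nmap nbstat display) into names and MAC."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response with an answer record")
    off = 12
    label_len = pkt[off]                       # RR_NAME: one 32-byte label, then a 0 terminator
    queried, _ = decode_name(pkt[off + 1:off + 1 + label_len])
    off += 1 + label_len + 1
    rr_type, _rr_class, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rr_type != NBSTAT:
        raise ValueError("answer is not an NBSTAT record")
    if off + rdlen > len(pkt):
        raise ValueError("truncated RDATA")
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):                 # NODE_NAME entries: 15-byte name, suffix, 2-byte flags
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        name_flags = struct.unpack_from(">H", pkt, off + 16)[0]
        off += 18
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(" "),
            "suffix": suffix,
            "type": SUFFIXES.get(suffix, "0x%02X" % suffix),
            "group": bool(name_flags & 0x8000),   # G bit: group name rather than unique name
        })
    mac = pkt[off:off + 6]                     # STATISTICS starts with UNIT_ID = adapter MAC
    return {"trn_id": trn_id, "queried": queried, "names": names,
            "mac": ":".join("%02X" % b for b in mac)}


def sample_response():
    """Constructed node-status response (not captured traffic) for host WIN-TEST in workgroup LAB."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # response, authoritative, 1 answer
    rr_name = b"\x20" + encode_name("*") + b"\x00"
    entries = [(b"WIN-TEST", 0x00, 0x0400),      # unique, active
               (b"WIN-TEST", 0x20, 0x0400),      # file server service
               (b"LAB", 0x00, 0x8400)]           # group (workgroup) name
    rdata = bytes([len(entries)]) + b"".join(
        n.ljust(15, b" ") + bytes([s]) + struct.pack(">H", f) for n, s, f in entries)
    rdata += bytes.fromhex("001122334455") + bytes(40)             # constructed MAC + zeroed statistics
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    info = parse_node_status_response(sample_response())
    print("MAC:", info["mac"])
    for entry in info["names"]:
        kind = "GROUP " if entry["group"] else "UNIQUE"
        print("%-15s <%02X> %s %s" % (entry["name"], entry["suffix"], kind, entry["type"]))
```

The G bit in the name flags is what separates a workgroup or domain name from a unique host name, and the suffix byte (for example <20> for the file server service) is why a single host shows up several times in nbtscan output.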
Enumerating using NBTScan
NBTScan is a command line tool used for scanning networks to obtain NetBIOS shares and name information. It can run on both Unix and Windows and ships with Kali Linux by default.
In this case there is not a lot of information, but it is always better than nothing.
Enumerating using Nmap
Nmap contains a handy little script as part of the Nmap Scripting Engine that we can also use to discover NetBIOS shares. This has the advantage that it can be run together with other NSE scripts, ultimately saving time when enumerating many different things on a network.
Enumerating using Metasploit
As expected, MSF has some modules to be used against NetBIOS. Only one currently produces useful info:
Exploiting Port 139 – NetBIOS Session Service
A NetBIOS name is up to 16 characters long and is usually separate from the computer name. Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. Two applications start a NetBIOS session when one (the client) sends a command to “call” another client (the server) over TCP port 139.
Enumerating using Nmap
Try to check the correct service version with Nmap:
Only a few Nmap scripts can be run against port 139 to produce some valid info:
Not really satisfying, right? Two other scripts might reveal some info:
Exploiting Port 161 (UDP) – SNMP
Simple Network Management Protocol is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
Enumerating SNMP using Metasploit
MSF has several modules to enumerate a target using the SNMP features.
This one will only list the remote users:
These results can now be used to attack other services.
This module will give you a full description of the remote system:
Enumerating SNMP using Nmap
Nmap has several NSE scripts that can be used against hosts where SNMP service is running:
Most scripts will give enumeration information, but you might want to exploit the remote machine directly. Try to brute force the SNMP community strings:
For whatever reason, Nmap 7.80 freezes and the script never displays any result.
But Nmap version 7.4 worked perfectly, displaying the “public” string:
Nice! You have the SNMP community string “public”. Many devices come with default SNMP community strings such as public and private. These community strings are used as credentials to read and write SNMP information depending on the configuration. When an attacker finds an SNMP community string, he can read lots of juicy information from the target machine if the configuration is Read-Only. An attacker can also make modifications if the configuration is Read-Write.
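The reason a community-string brute force like the one above is so easy to spot from the defender's side is that SNMPv1/v2c messages are plain BER with the community string in clear text. The following Python is an added example (not code from the original post or from Nmap) with a minimal BER reader that pulls version, community and PDU type out of a message, plus a small analyser that flags default strings, write (SetRequest) attempts and any source that cycles through many different communities. The "capture" is constructed inline (IP addresses, community strings and the sysName.0 query are sample values); with real traffic you would feed it the UDP/161 payloads from a pcap.

```python
from collections import defaultdict

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults mentioned in the post


def _read_tlv(buf, off):
    """Minimal BER tag-length-value reader: returns (tag, value_bytes, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_community_message(pkt):
    """Extract version, community string and PDU type from an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, version, off = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(version, "big")
    if version == 3:
        raise ValueError("SNMPv3 messages carry no community string")
    tag, community, off = _read_tlv(body, off)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _pdu, _ = _read_tlv(body, off)
    return {"version": VERSIONS.get(version, str(version)),
            "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, "0x%02X" % pdu_tag)}


def _tlv(tag, payload):
    assert len(payload) < 128, "short-form length only in this sample builder"
    return bytes([tag, len(payload)]) + payload


def build_sample_message(version, community, pdu_tag=0xA0):
    """Constructed SNMP message asking for sysName.0 (1.3.6.1.2.1.1.5.0); used only as sample input."""
    varbind = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010500")) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
               + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)


def analyse_capture(capture, brute_threshold=5):
    """Flag default communities, write attempts, and sources cycling through many community strings."""
    findings, seen = [], defaultdict(set)
    for src, pkt in capture:
        try:
            msg = parse_community_message(pkt)
        except (ValueError, IndexError):
            continue                           # not SNMPv1/v2c, or truncated
        seen[src].add(msg["community"])
        if msg["community"] in DEFAULT_COMMUNITIES:
            findings.append((src, "default community '%s' used in %s" % (msg["community"], msg["pdu"])))
        if msg["pdu"] == "SetRequest":
            findings.append((src, "SetRequest (write) with community '%s'" % msg["community"]))
    for src, communities in seen.items():
        if len(communities) >= brute_threshold:
            findings.append((src, "%d distinct community strings tried: possible brute force"
                             % len(communities)))
    return findings


# Constructed "capture": (source IP, UDP payload) pairs, not real traffic.
SAMPLE_CAPTURE = (
    [("10.0.0.5", build_sample_message(1, c))
     for c in ["public", "private", "manager", "admin", "monitor", "snmp"]]
    + [("192.168.1.10", build_sample_message(1, "public"))]
    + [("192.168.1.20", build_sample_message(0, "private", pdu_tag=0xA3))]
)

if __name__ == "__main__":
    for src, text in analyse_capture(SAMPLE_CAPTURE):
        print(src, "-", text)
```

The threshold of five distinct communities from one source is a starting point; legitimate monitoring systems use one or two strings per host, so anything above that is worth an alert. Note that the same visibility cuts both ways: because the string travels in clear text, an on-path observer learns it from a single legitimate poll, which is the argument for SNMPv3 with authentication and privacy.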
Some of the other scripts will also produce important information about the remote system:
Enumerating SNMP using snmp-check
This is a simple SNMP enumerator, but it will give you a lot of information:
MSF’s snmp_enum module is an implementation of this tool.
Brute forcing SNMP using onesixtyone
Another tool to brute-force SNMP community strings is onesixtyone. You can easily find the public string.
You can use the dictionary file from onesixtyone tool itself. This can be much faster than Nmap, but it all depends on the quality of the dictionary file.
Brute forcing SNMP using snmpwalk
SNMPWalk is a popular tool for testing SNMP. This tool acts as an SNMP client, and you can use it in your penetration testing when you need to make requests to the SNMP service on the target host.
You can also use this tool to check whether a specific community string exists. Try to see if the “public” community string exists.
If the “public” community string is supported, you will see output like that in the figure above. Now, try another community string:
As you can see, there is no response from the target host as this community string is not supported. This is how you can use this tool to determine if a specific community string is allowed or not.
Attacking the SNMP service
Use snmpwalk to extract the SNMP data and display it on the terminal. The following command can be used to filter the value of sysName.
Another option is to use the snmpget command:
If the SNMP service was misconfigured with “rw” authorization, an attacker could modify these values using the snmpset utility.
Similarly, you can change the value of any writable object, thus spoofing the responses from the SNMP service.
NOTE: By default, the SNMP service in Metasploitable 3 is set to Read Only. If you want to test this attack, you have to change that setting:
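The Read-Only versus Read-Write setting is the whole difference between an information leak and an attacker rewriting device state, so it is worth checking in configuration rather than only on the wire. The script below is an added example (not from the original post and not part of Metasploitable 3) that audits a Net-SNMP snmpd.conf for the weaknesses this section exercises: default community strings, rw access, communities accepted from any source, and the absence of SNMPv3 users. The two configuration texts are constructed; the rocommunity/rwcommunity, com2sec, view and rouser directives are standard Net-SNMP syntax.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def audit_snmpd_conf(text):
    """Return findings for a Net-SNMP snmpd.conf: default strings, write access,
    unrestricted sources, and missing SNMPv3 users."""
    findings, has_v3_user = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("rouser", "rwuser"):
            has_v3_user = True
        community = source = None
        writable = False
        if directive in COMMUNITY_DIRECTIVES and len(tokens) >= 2:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; no SOURCE means "default" (any address)
            community = tokens[1]
            source = tokens[2] if len(tokens) > 2 and tokens[2] != "-V" else "default"
            writable = directive.startswith("rw")
        elif directive == "com2sec" and len(tokens) >= 4:
            # com2sec NAME SOURCE COMMUNITY; the access level is set later by group/access lines
            source, community = tokens[2], tokens[3]
        if community is None:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("line %d: default community string '%s'" % (lineno, community))
        if writable:
            findings.append("line %d: community '%s' grants write (rw) access" % (lineno, community))
        if source == "default":
            findings.append("line %d: community '%s' accepted from any source address"
                            % (lineno, community))
    if not has_v3_user:
        findings.append("no SNMPv3 users (rouser/rwuser); all access depends on community strings")
    return findings


# Constructed snmpd.conf resembling a lab host left on vendor defaults (weak).
WEAK_CONF = """\
# constructed sample, not a real host's configuration
rocommunity public
rwcommunity private
sysLocation Lab
sysContact  admin@example.test
"""

# Constructed hardened counterpart: random string, source restricted, read view limited, v3 user.
HARDENED_CONF = """\
# constructed sample, not a real host's configuration
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity L0ng-Rand0m-String 10.0.0.0/24 -V systemonly
rouser monitor authpriv
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s ==" % label)
        for finding in audit_snmpd_conf(conf) or ["no findings"]:
            print(" -", finding)
```

In the hardened form the community is still clear text on the wire, which is why the rouser line matters: the view restriction limits what a leaked string can read, but only SNMPv3 with authPriv removes the clear-text credential altogether.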