Metasploitable 3 Windows Walkthrough: Part V

Exploiting Port 445 – SMB

This port is used by Server Message Block (SMB) to share files between systems running the same or different operating systems, i.e. Windows-Windows, Unix-Unix and Unix-Windows.

While port 139 is known technically as “NBT over IP”, port 445 is “SMB over IP”. Server Message Block is also known, in more modern terminology, as the Common Internet File System (CIFS). SMB is an application-layer network protocol primarily used to offer shared access to files, printers, serial ports, and other kinds of communication between nodes on a network.

One of the first things you can try is to brute-force your way in.

Brute forcing SMB using Metasploit

Try using the credentials already in the database:

Accessing SMB with Metasploit

Brute forcing SMB using Hydra

Create and use a custom list for users and passwords:

Brute forcing SMB with Hydra

Brute forcing SMB using Nmap

Nmap could also be used to brute force the SMB service. Unfortunately, the smb-brute script is not working anymore…

Brute forcing SMB with Nmap

Enumerating SMB using Metasploit

Several tools can be used to extract information from the target via the SMB service. As expected, Metasploit has a number of modules that can be used against SMB to enumerate the remote machine:

Enumerating SMB with Metasploit

You will get a significant amount of information:

  • SMB versions supported (might be vulnerable)
  • Shared drives (might be exploitable)
  • Usernames (might be used to exploit other services)
  • User Security Identifiers (might be used for exploitation)

Enumerating SMB using Nmap

Nmap has many NSE scripts that can be used against hosts where the SMB service is running, but not all of them return useful results:

Enumerating SMB with Nmap

Nmap can also be used as a lightweight vulnerability scanner, with some scripts written specifically for port 445 services.

SMB vulnerability scanning with Nmap

Enumerating SMB using smbclient

There are several other tools available in Kali Linux to enumerate the SMB service.

You can use a tool called smbclient to connect to the Metasploitable 3 box and list the available shares, but you will need a valid username and password.

Listing SMB shares with smbclient

NOTE: In the current Kali version you will need to edit /etc/samba/smb.conf to get the proper results.

Editing the /etc/samba/smb.conf file

Enumerating SMB using smbmap

Listing SMB shares with smbmap

These results from smbmap are critical because you can see that two of the shared folders are writable, therefore potentially exploitable.

Enumerating SMB using enum4linux

Enumerating SMB with enum4linux

With patience and several tools you will get a lot of useful information about your target. Other tools are available, but in this case they return nothing at all.

With the information gathered during enumeration, you can now move on to exploiting the target via SMB.

Exploiting SMB using Metasploit

MSF has a number of modules available to exploit SMB.

Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. The module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

Exploiting SMB with Windows Authenticated User Code Execution

Authenticated PowerShell Command Execution

The old psexec_psh module is now deprecated, but you can get its functionality by selecting a different target in the psexec module (Target 1 - PowerShell). This option uses a valid administrator username and password to execute a PowerShell payload, using a technique similar to the “psexec” utility provided by SysInternals. The payload is base64-encoded and executed from the command line using the -EncodedCommand flag. With this method the payload is never written to disk and, because each payload is unique, it is less prone to signature-based detection.

Exploiting SMB with Authenticated PowerShell Command Execution
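A defender's view of the two psexec variants above: the added Python example below (not part of the original post or of Metasploit) scans constructed Windows event records for the traces they leave, a service installed under a random name from the ADMIN$ share (System event 7045) and a process started with -EncodedCommand (Security event 4688), decoding the base64/UTF-16LE script so an analyst can read it. The record format, the sample events and the random-name heuristic are assumptions.

```python
import base64
import re

# Constructed sample records (not captured logs), one event per line as 'key=value|key=value'.
def _encoded(script):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    "EventID=7045|ServiceName=jKqXwPbT|ImagePath=%SystemRoot%\\jKqXwPbT.exe",
    "EventID=7045|ServiceName=Spooler|ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    "EventID=4688|CommandLine=powershell.exe -nop -w hidden -EncodedCommand "
    + _encoded("Write-Output 'beacon'"),
    "EventID=4688|CommandLine=notepad.exe readme.txt",
]

def parse_event(line):
    """Split a 'key=value|key=value' record into a dict."""
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in line.split("|"))}

def looks_random(name):
    """Heuristic (assumption): psexec-style names are 8 mixed-case letters with no digits."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", name)) and name not in (name.lower(), name.upper(), name.capitalize())

def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries -EncodedCommand/-enc/-e, else None."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_psexec_indicators(events):
    """Return (EventID, reason) for every record matching one of the two patterns."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") == "7045":
            name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            # Service binary dropped straight into %SystemRoot% (the ADMIN$ share) under a random name.
            rest = path[len("%SystemRoot%\\"):] if path.lower().startswith("%systemroot%\\") else None
            if looks_random(name) and rest is not None and "\\" not in rest:
                hits.append(("7045", f"random service name {name} installed from {path}"))
        elif ev.get("EventID") == "4688":
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                hits.append(("4688", f"encoded PowerShell decoded to: {decoded}"))
    return hits
```

Running find_psexec_indicators(SAMPLE_EVENTS) flags only the first and third records; the legitimate Spooler service and the notepad launch pass through.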

Windows Authenticated Administration Utility

This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the “psexec” utility provided by SysInternals. Daisy-chaining commands with ‘&’ doesn’t work, so don’t waste your time trying. This module is useful because it doesn’t need to upload any binaries to the target machine.

This is in fact a two-stage attack:

  • First, use the web_delivery module to generate malicious DLL code, which you can pass as the arbitrary command to run on the host.
    • Select the appropriate target (Target 3 - Regsvr32) and payload
  • Then use another module (psexec_command) to inject the previous code into the remote machine.

Generate malicious code

As soon as you run the psexec_command auxiliary module you will get a Meterpreter session with SYSTEM privileges.

Running malicious code to get a shell

Impacket WMI Exec

Impacket is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many different pentesting tools. Apart from being a library, it also contains a number of example scripts that can be used right away for remote command execution.

The following table summarises the Impacket remote code execution methods discussed in this post:

Method        RCE type                Port(s) used
psexec.py     interactive shell       tcp/445
dcomexec.py   semi-interactive shell  tcp/135, tcp/445, tcp/49751 (DCOM)
smbexec.py    semi-interactive shell  tcp/445
wmiexec.py    semi-interactive shell  tcp/135, tcp/445, tcp/50911 (Winmgmt)
atexec.py     command                 tcp/445

The wmiexec.py script uses an approach similar to psexec, but executes commands through WMI.

Exploiting SMB with Impacket

Unfortunately, this script doesn’t work in the current Kali release due to Python syntax incompatibilities. The screenshot above was taken on Kali 2019.1.

Impacket DCOM Exec

A different approach is to use DCOM to execute remote commands, like creating a user or anything else:

Creating a user with Impacket

Unfortunately, this script also doesn’t work in the current Kali release. But there is another script that tries to dump hashes from the remote machine without executing any agent there.

Dumping hashes with Impacket

Other Metasploit modules

There are other modules written to attack the SMB service, but they require some social engineering, because the target needs to access a share on the attacker machine:

  • NTLM Capture (auxiliary/server/capture/smb)
    • This module provides an SMB service that can be used to capture the challenge-response password hashes of an SMB client system.
    • Needs to run in coordination with auxiliary/spoof/nbns/nbns_response
  • DoS (auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop)
    • It simply crashes the remote machine

Eternal Romance Exploit

Eternal Romance is one of the SMBv1 exploits from the leaked NSA exploit collection. This module exploits the MS17-010 vulnerabilities in SMB to achieve a write-what-where primitive, which is then used to overwrite the connection’s session information with an Administrator session. From there, the normal psexec payload code execution is done:

Check whether the target is vulnerable:

Checking for Eternal Romance vulnerability

Exploit:

Exploiting the Eternal Romance vulnerability

It is also possible to use the web delivery method to exploit this vulnerability:

  • Run the exploit/multi/script/web_delivery module (set Target 3 - Regsvr32)
    • Get a command
  • Run the auxiliary/admin/smb/ms17_010_command module
    • Use the previous command
  • Get a Meterpreter shell

Exploiting the Eternal Romance vulnerability

Eternal Blue Exploit

Eternal Blue is the exploit that was used to launch the famous WannaCry ransomware attack. Try using Nmap to check for this vulnerability:

Checking for Eternal Blue vulnerability

Exploit:

Exploit Eternal Blue

Double Pulsar Exploit

You can deploy a backdoor to the remote machine. First, clone the appropriate GitHub repository:

Preparing the Double Pulsar payload

NOTE: You need to install wine32 before running this script:

  • dpkg --add-architecture i386
  • apt-get update
  • apt-get install -y wine32

Deploy the backdoor:

Deploying the Double Pulsar backdoor

Exploit using Metasploit

Exploiting Double Pulsar

Exploiting SMB using Impacket

The psexec.py script lets you execute processes on remote Windows systems, copy files to them, process their output and stream it back. It allows execution of remote shell commands directly, with a full interactive console, without having to install any client software.

Exploiting SMB with Impacket scripts

The smbexec.py method takes advantage of native Windows SMB functionality to execute arbitrary commands on the remote system. This approach does not require anything to be uploaded to the remote system and is therefore somewhat less prone to detection.

Exploiting SMB with Impacket scripts

The wmiexec.py script uses the Windows Management Instrumentation (WMI) interface of the remote Windows system to spawn a semi-interactive shell. Like the dcomexec method, wmiexec requires communication over three network ports/services.

First it uses ports tcp/135 and tcp/445, and ultimately it communicates with the Winmgmt Windows service over a dynamically allocated high port such as tcp/50911. This makes the wmiexec method noisier than the other methods.

Exploiting SMB with Impacket scripts

There are other Impacket scripts; not all of them allow RCE, but some of them are potentially very useful against a Domain Controller. You can find them at /usr/share/doc/python3-impacket/examples.


2 comments:

ilmubersama.com said...

Where did you get /usr/share/wordlists/Metasploitable3Win_user.txt?

Unknown said...

ur ann