Kali Linux: Breaking into Network Neighbourhood / SAMBA

From OnnoWiki
Revision as of 20:38, 10 February 2016 by Onnowpurbo

Source: http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/

Today, I am going to show you how to exploit an out-of-date SAMBA server I have running here for demo purposes. If you aren't familiar with network enumeration, I have a blog post on the Basics of Nmap to get you started. Instead of using Nmap, though, I am going to use a module within Metasploit called SMBScan.

This will scan multiple hosts and try to fingerprint a SAMBA server / SMB shares on the network. Before we can run this module we need to start up msfconsole: open a terminal, type “msfconsole” without quotes and press Enter. It may take a few minutes for Metasploit to load all the available exploits, modules and payloads. Once Metasploit has finished, let's type some commands.

Type “use auxiliary/scanner/smb/smb_version” without quotes and press Enter.

[Screenshot: smbscan]

You should now get a prompt similar to the one above. Type “show options” without quotes; this brings up all the different options that can be used with this particular scanner. For future reference, the show options command works with any module you are using within the framework. (See screenshot below.)

[Screenshot: show options]

For the SMB version scanning tool, show options tells you which parameters must be filled in before running the tool. RHOSTS (Remote Hosts) is required to be set, and the number of THREADS also needs to be set. So let's go ahead and do that. Type “set RHOSTS 192.168.1.0/24” without quotes; this sets RHOSTS to the IP range we are trying to find the SAMBA server on. Now we need to set our THREADS, and THREADS is just the number of times it will go through and do a scan.

Type “set THREADS 75” without quotes and press Enter. After you have set these parameters you will see something similar to the screenshot below:

[Screenshot: setthreads]

Now that we have specified all the necessary parameters, all we need to do is type “run” without quotes and Metasploit will begin running our scan on the network. For this blog I have set up an unpatched SAMBA server to own.

[Screenshot: scanresults]

As you can see, the SMB scanner found a host running Samba server version 3.0.20. Now all we need to do is a quick Google search for Samba 3.0.20 exploits. Take note of the host IP address, in this case 192.168.1.13; we will need it later.

[Screenshot: search]

We found several results; this one just happens to be on the Metasploit website itself. So it looks like there is a “command execution vulnerability in Samba,” and the page also gives the module that will be used to exploit our host and deliver a payload: it's called “username map script”. Now back at our console we are going to type “use exploit/multi/samba/usermap_script” without quotes and press Enter.

Just like with the SMB scanner, we can use the show options command to see what parameters must be set before using this exploit module, so let's go ahead and do that. (See below.)

[Screenshot: showoptions]

We can see from the show options command that both RHOST (Remote Host) and RPORT (Remote Port) need to be set before running this exploit. Go ahead and type “set RHOST 192.168.1.13” without quotes. We don't need to set RPORT in this case because, as you can see in the screenshot, its current setting is 139. Once you have set all the parameters required to run the exploit, simply type “exploit” without quotes and Metasploit will begin attacking our SAMBA server.

[Screenshot: exploit]

And like magic we have a command shell! This means we are in the SAMBA server itself. If we type “ls” without quotes this will list the directory; with this exploit we are in the root folder. Now, just to be 100% sure we owned this box, I want you to type “whoami” without quotes, and you can see below for yourself that the server responded with “root”. Good Game Samba Box!

[Screenshot: whoami]
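As an added example that is not part of the original post, the following Python script turns the walkthrough above into two defensive checks: it parses smb_version-style scan lines and lists hosts reporting Samba 3.0.20 (the release the post shows being exploited), and it audits an smb.conf for the 'username map script' parameter that the usermap_script module relies on. The scan lines, the smb.conf fragment and its script path are constructed for this example.

```python
import re

# Constructed sample of smb_version-style output (made up for this example;
# 192.168.1.13 and release 3.0.20 are the host and version named in the post).
SAMPLE_SCAN = """\
[*] 192.168.1.13:139 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.20:445 is running Unix Samba 3.6.25 (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.30:445 is running Windows 7 Ultimate 7601 Service Pack 1 (name:WIN7) (domain:WORKGROUP)
"""
# Constructed smb.conf fragment; the script path is a placeholder.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   UserName Map Script = /etc/samba/scripts/mapusers.sh
"""
SCAN_LINE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ is running Unix Samba (\d+(?:\.\d+)*)")
FLAGGED_RELEASE = (3, 0, 20)  # the release the post shows being exploited


def parse_samba_hosts(scan_output):
    """Map each host reporting Unix Samba to its numeric release tuple."""
    hosts = {}
    for line in scan_output.splitlines():
        m = SCAN_LINE_RE.search(line)
        if m:  # Windows hosts and non-Samba lines are skipped
            hosts[m.group(1)] = tuple(int(p) for p in m.group(2).split("."))
    return hosts


def hosts_on_flagged_release(scan_output):
    """Sorted list of hosts whose reported release equals FLAGGED_RELEASE."""
    hosts = parse_samba_hosts(scan_output)
    return sorted(ip for ip, rel in hosts.items() if rel == FLAGGED_RELEASE)


def find_username_map_script(conf_text):
    """Return the [global] 'username map script' value, or None if unset.
    Samba matches parameter names ignoring case and whitespace, so the key
    is normalised the same way before comparing."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if "".join(key.split()).lower() == "usernamemapscript":
                return value.strip()
    return None
```

A non-empty result from either check is a patch-or-reconfigure item: upgrade the host, or remove the parameter if nothing depends on it.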

This concludes the blog on owning Samba servers. I will have more introductory blog posts on the Metasploit framework coming soon, so stay tuned!

References