Metasplot: SMB exploit
An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we’ll take the same tactic as well.
Frequently this is accomplished by guessing a password to a users account and then either using the privileges of that account to gain access to critical data or escalating that account to an administrator or root level account. Once credentials have been acquired for one host you’ll want to determine what other systems they work against. It is fairly common to gain access to a local administrator account on a workstation or server.
There are a number of ways to accomplish this task but one of the most efficient ways is using the smb_login module of Metasploit Framework for to test a single username/password combination against a lot of boxes very quickly.
This is where the SMB Login Check Scanner can be very useful, as it will connect to a range of hosts and determine if the username/password combination can access the target.
So today’s tutorial we going to brute-force login attempt to the windows shares to get samba credentials by using tools in Kali linux.
First we move to nmap scan to scan the target operating system for SAMBA (smb) enumeration. So my target ip is 192.168.31.2 and i am going to fingerprinting the OS with -A option to enable OS and version detection, script scanning, and traceroute.
Nmap results shows that the target machine had smb with user level authentication. its clearly show we can authenticate smb with username and password.
Next we going to use metasploit framework to brute-login against the smb of target machine. so we going to use smb_login module in msfconsole.
Metasploit’s smb_login module will attempt to login via SMB across a provided range of IP addresses.
#msfconsole
#msf > use auxiliary/scanner/smb/smb_login #msf auxiliary(smb_login) > show options #msf auxiliary(smb_login) > set RHOSTS 192.168.31.2 #msf auxiliary(smb_login) > set SMBUser sathish #msf auxiliary(smb_login) > set PASS_FILE ‘/home/sathish/password’ #msf auxiliary(smb_login) > set THREADS 10 #msf auxiliary(smb_login) > run
Above I used SMBUser has sathish because, My target machines computer name is sathish-PC so there is more chance of having an account with name the sathish and the password is brute-forced using a password file containing word lists in my home directory.
Keep in mind, this is very “loud” as it will show up as a failed login attempt in the event logs of Windows box it touches. Be thoughtful on the network you are taking this action on.
After getting successful brute-force login, we need to enumerates for SMB shares on the target machine with the known set of user credential.
The smb_enumshares module, as would be expected, enumerates any SMB shares that are available on a remote system.
#msf > use auxiliary/scanner/smb/smb_enumshares #msf auxiliary(smb_enumshares) > show options #msf auxiliary(smb_enumshares) > set RHOSTS 192.168.31.2 #msf auxiliary(smb_enumshares) > set SMBUser sathish #msf auxiliary(smb_enumshares) > set SMBPass bhuvi #msf auxiliary(smb_enumshares) > set THREADS 10 #msf auxiliary(smb_enumshares) > run
It will list the SMB share on the target machine and now we need more details about the target for the SID of users and groups.
The smb_lookupsid module brute-forces SID lookups on a range of targets to determine what local users exist the system. Knowing what users exist on a system can help to login.
#msf > use auxiliary/scanner/smb/smb_lookupsid #msf auxiliary(smb_lookupsid) > show options #msf auxiliary(smb_lookupsid) > set RHOSTS 192.168.31.2 #msf auxiliary(smb_lookupsid) > set SMBPass bhuvi #msf auxiliary(smb_lookupsid) > set SMBUser sathish #msf auxiliary(smb_lookupsid) > run
It will list the users and groups on the target machine with SID numbers, its help us to think more about the target system and from known user credential we going to mount the windows share on our attacking computer.
A brute force attack or an aggressive password guessing attack is very noisy and will likely lock out user accounts depending on how the group policies for that domain have been configured.
So brute forcing windows accounts isn’t generally a very good idea due to lockout settings and the possibility of creating a Denial of Service condition. Most windows networks have group policies that enforce a lockout of X minutes after Y failed attempts. As such, brute force attacks are pretty much too risky.