🔬 SMB - PsExec

Lab 1

🔬 Windows: SMB Server PSexec

  • Target IP: 10.4.16.36

  • SMB exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.16.36

nmap -sV -sC 10.4.16.36
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-408S766
| Not valid before: 2023-03-11T17:43:37
|_Not valid after:  2023-09-10T17:43:37
|_ssl-date: 2023-03-12T17:47:48+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-12 23:17:49
|_  start_date: 2023-03-12 23:13:37

📌 SMB version 2.02
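The host-script block above is the finding a defender wants to pull out of a scan: SMB signing is enabled but not enforced. As an added example (not part of the original lab notes), this Python parser extracts the `smb2-security-mode` result from `nmap -sC` output and flags any dialect where signing is not required; the first sample is the scan output shown on this page, the second is a constructed hardened variant.

```python
import re
from dataclasses import dataclass

# Sample 1: host-script output copied from the scan above.
SAMPLE_NMAP_OUTPUT = """Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-12 23:17:49
|_  start_date: 2023-03-12 23:13:37
"""

# Sample 2: constructed output for a host that enforces signing.
HARDENED_SAMPLE = """Host script results:
| smb2-security-mode: 
|   3.11: 
|_    Message signing enabled and required
"""

@dataclass
class SmbSigning:
    dialect: str   # SMB dialect reported by nmap, e.g. "2.02"
    enabled: bool  # signing supported by the server
    required: bool # signing enforced for every session

def parse_smb2_security_mode(nmap_output: str) -> list[SmbSigning]:
    """Parse the smb2-security-mode host-script block from nmap -sC output."""
    results, in_block, dialect = [], False, None
    for raw in nmap_output.splitlines():
        line = raw.strip()
        if not line.startswith("|"):          # left the host-script tree
            in_block = False
            continue
        body = line.lstrip("|_").strip()      # drop the '|' / '|_' tree prefix
        if body.startswith("smb2-security-mode"):
            in_block = True
            continue
        if body.startswith(("smb2-", "smb-")):  # a different NSE script began
            in_block = False
        if not in_block:
            continue
        if m := re.fullmatch(r"(\d+\.\d+):", body):  # dialect header, e.g. "2.02:"
            dialect = m.group(1)
        elif dialect and body.startswith("Message signing"):
            results.append(SmbSigning(dialect, "enabled" in body, "not required" not in body))
            dialect = None
    return results

def signing_findings(results: list[SmbSigning]) -> list[str]:
    """One finding per dialect that does not enforce message signing."""
    return [f"SMB {r.dialect}: message signing "
            f"{'enabled' if r.enabled else 'disabled'} but not required"
            for r in results if not r.required]
```

The fix on the server side is the "Microsoft network server: Digitally sign communications (always)" policy; once it is enabled, the parser returns no findings for that host.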

SMB Brute-force

  • Use the Metasploit smb_login module to brute-force SMB.

    • Brute-force success depends on the user and password lists used.

Metasploit smb_login

SMB Exploitation

  • Use the psexec.py script (from impacket-scripts) on Linux to get a command prompt on the target machine with the Administrator account.

    • With this technique, no exploit is launched or uploaded to the target system.

    • It is a legitimate authentication with valid credentials, using an official tool (PsExec).

psexec.py

  • Alternatively to the Python script, use the Metasploit psexec module to get a Meterpreter session on the target system.

    • This technique uploads and runs a (malicious) payload on the target. Pay attention to the antivirus!

Metasploit psexec

  • Find the flag by running Meterpreter commands.

Reveal Flag: 🚩

e0da81a9cd42b261bc9b90d15f780433


Lab 2 - Eternal Blue (Extra)

🔬 Home Lab

I have prepared a vulnerable Windows 2008 R2 virtual machine and connected it to the same network as the Kali virtual machine. On the server, I have activated the File Services role and created a shared folder for the Administrators group.

Enumeration

nmap -sV -sC 192.168.31.131
sudo nmap --script smb-vuln-ms17-010 -p445 192.168.31.131
  • 📌 The system is vulnerable to CVE-2017-0143.

Manual Exploitation

  • Generate the shellcode that will be executed on the target system.

./shell_prep.sh

  • Set up a netcat listener on the specified port in another terminal tab.

  • In the AutoBlue terminal tab, use eternalblue_exploit7.py from the AutoBlue-MS17-010 directory to exploit the target.

  • Check the netcat tab for the reverse shell.

Reverse Shell Success

Automatic Exploitation

Metasploit ms17_010_eternalblue
