SMB Enumeration Demo


Difficulty
Intermediate
Video Transcription
>> If you weren't paying attention in the PowerPoint, now is the time to pay attention, because I'm going to go over all the tools we just learned about for SMB from the PowerPoint in a hands-on demo.

The first thing we're going to use against our target is Nmap. You'll see here I have a different terminal window, I'm using Terminator. There it is, Terminator. What I like about this is you can split it vertically, you can split it horizontally, and you don't have to open numerous terminal windows. I find myself opening many of them. That's not to say you can't also split this horizontally and vertically, but I like the layout of Terminator a little bit better. For now let's close these windows and let's run Nmap.

I'm going to use Nmap against our target 191.68.1.231. Script is SMB enum scripts on port 445, and we're making it very verbose. We can see here that it used SMB enum shares as the guest, and we can see here if we have anonymous access to ADMIN$, we don't. We do have read and write access to IPC$, which of course we can't look at files and directories in, but maybe we can use EternalBlue, the exploit, if this is vulnerable to it. We're not going to do that though for right now. Users we can read and Inetpub we can read. Ultimately we'd like to be able to write to a share.

From here, let's use rpcclient and we'll use a null session. We're not going to put anything for the user, I'm just going to leave it blank, and I'm just going to hit Enter here. We can see we're in rpcclient. We can do things like the question mark and we can see all the different options we have, and we have a lot here. Let's say for example, we want to look at the server info. Maybe it will give us some info, hopefully. We can see here we have a little bit of information about this server. We can see the OS version.

Now, what we can also do is look at our query users. We need the RID, R-I-D, Relative Identifier. If you were paying attention before, let me clear out this terminal. It doesn't like that in rpcclient. What we can do is query user 500, because RID 500 should be the administrator. We can see here that it is the administrator account. We might be able to brute force the administrator. Let's try to see who a user is. We're going to query user 1000, which should be the first user on this machine. We see here that the first user is IEUser and we might be able to brute force the login for IEUser. Let's get out of this.

Now let's clear our screen, and let's try to brute force this IEUser using Hydra and see what permissions we have. Let's see here, hydra -l. Since we already know IEUser, we could make a list of users that we enumerate with -L and maybe a text file with all the different users, for now we're just using IEUser, and I have a custom password list here; you might want to use something like RockYou. I can tell you that the password is in RockYou for this user, it just takes over 40 minutes to find it. That's sometimes the trouble with brute forcing logins, is it can take a very long time depending on what wordlist you're using for either a user or a password combination. Let this run. Hopefully it doesn't take 40 minutes. We see we found that IEUser's password is this fancy password here.

From here, let's clear this out again, and let's use Nmap. I want to show you the difference now that we have an actual username and password. I'm going to run Nmap again. We're going to do script SMB enum again, but we're using script arguments, so I'm using SMB username IEUser, SMB password. Again port 445 against this machine here. You're going to see it gave us a whole lot more information, SMB enum users. It gave us all the different users along with their relative identifiers here. We found some other users, SSHD. This machine, we enumerated it before and we found port 22 open. Here there are SSH users. We see also that we have read and write privileges to Inetpub, which is important because we learned that that's the web server. We also see enum sessions, so we're the only one logged in. Let's keep looking here, because this is really good information. SMB enum groups, different groups, domains, so simply adding those arguments in the Nmap scripting engine gave us a whole lot more information. OSEP, like I said, enumeration is the key.

Now that we've found this and we see that we can write to Inetpub, let's see if we can put something on that server. I'm just going to this web server, here we see this welcome page. Now we'll talk about enumerating web servers a little bit later. But I told you guys to install things like Wappalyzer. We can see the web framework is ASP.NET, so Windows Server, it's using IIS 7.5, we'll also look at things like cookie values, we see ASP session ID. It's definitely using ASP, which if we're looking at shells, an ASP shell might be the right thing in this case.

I'm going to clear our terminal again. Now of course I couldn't be splitting terminals for you vertically and horizontally, but I want to make it look clean for the demo. That's why I'm not doing that. But let's use smbclient, and we're going to enter the password. We can use dir, we can go to the web root. Now I always like to verify. Now I see a few hello.asp scripts here. I just want to make sure that I can write to this directory. If I add that here, you'll see that that's right. We're in the web root here, and then we can then try to write or create a shell with msfvenom.

We'll talk about shells later, but for now let's go ahead and split this vertically. Let's create an ASP shell with msfvenom. See here msfvenom, our payload is windows/meterpreter/reverse_tcp, our listening host is our machine because we're creating a reverse connection. Our LPORT is 4444, and our format is ASP, making a shell.asp script. We've created that, we're going to move this to the desktop. I told you guys before that tilde is our current user, which is root desktop, so I can move it. It's already here. I already created it before, but I just like knowing where it is exactly.

Now what we're going to do is we're going to launch this Metasploit framework, which we'll talk about a lot more later about shells. But I'm going to execute the Metasploit framework, or execute module or create a module within Metasploit framework, exploit multi handler. Here I'm just doing a whole bunch of things that I'm executing before I actually start it up, as opposed to starting it up and having to enter each of these individually. I already know what I want to do. I'm using exploit/multi/handler. I'm setting the payload as windows/meterpreter/reverse_tcp, and you'll notice it's the same things up above here with msfvenom. When I run this, I'm going to put it in the background, that's why I have a -j. I'll run this and you'll see here it did everything for me. It's making windows/meterpreter/reverse_tcp our payload, our LHOST, our LPORT.

Now what I want to do is put that shell in here. I need to name it shell.asp. You'll see it didn't like that. Let's actually call the full path. We see that with the full path it likes that, and we can do dir, ls, and we should see here that our shell.asp file is now in the web root. What should happen now? We can close this. It's going to show that ASP, [NOISE] we see that a meterpreter session was opened. If we go to sessions, we should see that, here it is. To interact with it, we just do sessions 1, we can use this info, we've dropped into our shell, and we now have a shell on this Windows machine.

Let's look at the various tools that we talked about in the PowerPoint, or the lecture I should say, where we looked at Nmap, we looked at rpcclient, we looked at smbclient, but that's using all of those to enumerate this machine to ultimately get a shell on it.
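As an added example (not part of the video or the course), the Python below parses the guest-session smb-enum-shares output the demo walks through and rates every share that is reachable without credentials, which is the defender's view of the same findings: the IPC$ null session and the anonymous reads on Users and Inetpub are what to close before anyone gets to the Hydra step. The sample output is constructed, modelled on the demo's results, and the two regexes assume Nmap's `|   \\host\SHARE:` / `|     Key: value` layout.

```python
import re

# Constructed sample, modelled on the guest-session smb-enum-shares result the
# demo describes (ADMIN$ none, IPC$ READ/WRITE, Inetpub and Users READ).
# Not real scan output.
SAMPLE_NMAP_OUTPUT = r"""
|   account_used: guest
|   \\192.168.1.231\ADMIN$:
|     Anonymous access: <none>
|   \\192.168.1.231\IPC$:
|     Anonymous access: READ/WRITE
|   \\192.168.1.231\Inetpub:
|     Anonymous access: READ
|   \\192.168.1.231\Users:
|_    Anonymous access: READ
"""

SHARE_RE = re.compile(r"^\|[_ ]\s+\\\\[^\\]+\\([^:]+):\s*$")  # "|   \\host\SHARE:"
FIELD_RE = re.compile(r"^\|[_ ]\s+([A-Za-z ]+):\s*(.*)$")     # "|     Key: value"


def parse_shares(text: str) -> dict[str, dict[str, str]]:
    """Map share name -> {field: value} from Nmap smb-enum-shares output."""
    shares: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:                               # new share header: start a fresh record
            current = m.group(1)
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:       # indented field belongs to current share
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares


def audit_shares(shares: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """One (share, severity, reason) per share reachable with no credentials."""
    findings = []
    for name, info in shares.items():
        anon = info.get("Anonymous access", "<none>")
        if anon == "<none>":
            continue                        # not reachable anonymously: nothing to report
        if name.upper() == "IPC$":
            findings.append((name, "high", f"null session allowed ({anon}); restrict anonymous access"))
        elif "WRITE" in anon:
            findings.append((name, "high", f"anonymous write on a disk share ({anon})"))
        else:
            findings.append((name, "medium", f"anonymous read ({anon}); require authentication"))
    return findings
```

Run it over a real `nmap --script smb-enum-shares` report to get a prioritised list of shares to lock down; the IPC$ finding is the one that also disables the rpcclient null-session enumeration shown above.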