Metasploit (Enumeration and Scanning)

This article shows how to use Metasploit for enumeration and scanning. The focus of the enumeration is the SMB protocol (TCP port 445). The related lab is here.

L1.1 Microsoft Windows uses the Server Message Block (SMB) protocol to share files and folders over a network. Set up your Kali and Windows 7 instances so that they are on the same network. Get your lab partner to set up a new share on Windows 7, and tell them not to tell you its name.

L1.2 Now scan the Windows computer for SMB shares with the following (also run Wireshark on your Kali instance and capture your network traffic):

    msf > use auxiliary/scanner/smb/smb_enumshares
    msf auxiliary(smb_enumshares) > set RHOSTS W.X.Y.Z
    RHOSTS => W.X.Y.Z
    msf auxiliary(smb_enumshares) > set SMBUser EnCase
    SMBUser => EnCase
    msf auxiliary(smb_enumshares) > set SMBPass napier
    SMBPass => napier
    msf auxiliary(smb_enumshares) > run
    [*] W.X.Y.Z:445 - Windows 7 Service Pack 1 (Unknown)
    [+] W.X.Y.Z:445 - ADMIN$ - (DS) Remote Admin
    [+] W.X.Y.Z:445 - admin_share - (DS)
    [+] W.X.Y.Z:445 - C$ - (DS) Default share
    [+] W.X.Y.Z:445 - IPC$ - (I) Remote IPC
    [+] W.X.Y.Z:445 - meta_share - (DS)
    [+] W.X.Y.Z:445 - share_meta - (DS)
    [+] W.X.Y.Z:445 - Users - (DS)
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

L1.3 What is the name of the folder they created:

L1.4 From the Wireshark trace, which TCP port does SMB use to connect:

L1.5 Now get your lab partner to create a new user on the Windows 7 instance.
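The question in L1.3 amounts to diffing two share listings: the shares Windows creates itself against what the scan now reports. This added example (not part of the original lab) parses smb_enumshares output in the format shown above and reports shares that are new since a baseline scan, plus any share that is not a hidden administrative share; the two sample transcripts are constructed and W.X.Y.Z stands in for the target address.

```python
import re

# Constructed samples of auxiliary/scanner/smb/smb_enumshares output in the lab's format:
# a baseline scan, and a later scan after the lab partner has added a share.
BASELINE = """\
[*] W.X.Y.Z:445 - Windows 7 Service Pack 1 (Unknown)
[+] W.X.Y.Z:445 - ADMIN$ - (DS) Remote Admin
[+] W.X.Y.Z:445 - C$ - (DS) Default share
[+] W.X.Y.Z:445 - IPC$ - (I) Remote IPC
[+] W.X.Y.Z:445 - Users - (DS)
[*] Scanned 1 of 1 hosts (100% complete)
"""
# The later scan is the baseline with one extra share line inserted before "Users".
CURRENT = BASELINE.replace(
    "[+] W.X.Y.Z:445 - Users - (DS)\n",
    "[+] W.X.Y.Z:445 - meta_share - (DS)\n[+] W.X.Y.Z:445 - Users - (DS)\n",
)

# One "[+]" line per share: host:port - name - (type) optional comment
SHARE_RE = re.compile(
    r"^\[\+\] (?P<host>[^:\s]+):(?P<port>\d+) - (?P<name>.+?) - \((?P<type>[A-Z]+)\)\s*(?P<comment>.*)$"
)

def parse_enumshares(text):
    """Return {share_name: details} for every [+] share line in the module output."""
    shares = {}
    for line in text.splitlines():
        m = SHARE_RE.match(line.strip())
        if not m:
            continue  # "[*]" status lines carry no share
        name = m.group("name")
        shares[name] = {
            "host": m.group("host"),
            "type": m.group("type"),       # "DS" and "I" as printed in the lab transcript
            "comment": m.group("comment"),
            # Windows creates the hidden administrative shares itself (names ending in "$");
            # anything else was created by a user or an application and deserves a look.
            "administrative": name.endswith("$"),
        }
    return shares

def new_shares(baseline_text, current_text):
    """Share names present in the current scan but absent from the baseline scan."""
    return sorted(set(parse_enumshares(current_text)) - set(parse_enumshares(baseline_text)))

def non_administrative(text):
    """Share names that are not hidden administrative shares, i.e. the ones to review."""
    return sorted(n for n, s in parse_enumshares(text).items() if not s["administrative"])
```
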
L1.6 Now scan the Windows computer for SMB users with:

    msf > use auxiliary/scanner/smb/smb_enumusers
    msf auxiliary(smb_enumusers) > set RHOSTS W.X.Y.Z
    RHOSTS => W.X.Y.Z
    msf auxiliary(smb_enumusers) > set SMBUser EnCase
    SMBUser => EnCase
    msf auxiliary(smb_enumusers) > set SMBPass napier
    SMBPass => napier
    msf auxiliary(smb_enumusers) > exploit
    [*] W.X.Y.Z ENCASE-PC1 [ Administrator, Encase, Guest, user2 ] ( LockoutTries=0 PasswordMin=0 )
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

What was the user name they created? Is there a password lock-out? Is there a minimum password length set?

L1.7 Now we will try to log in with a known user name and password:

    msf > use auxiliary/scanner/smb/smb_login
    msf auxiliary(smb_login) > set RHOSTS W.X.Y.Z
    RHOSTS => W.X.Y.Z
    msf auxiliary(smb_login) > set SMBUser EnCase
    SMBUser => EnCase
    msf auxiliary(smb_login) > set SMBPass napier
    SMBPass => napier
    msf auxiliary(smb_login) > exploit
    [*] W.X.Y.Z:445 SMB - Starting SMB login bruteforce
    [*] W.X.Y.Z - This system allows guest sessions with any credentials
    [+] W.X.Y.Z:445 SMB - Success: 'WORKSTATION\EnCase:napier' Administrator
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

L1.8 Using the show options command in Metasploit to find the relevant options, create a user name file and a password file containing all of the following (include the new user name added earlier):

Usernames: Administrator, napier, root, Guest, test, default.
Passwords: napier, test, guest, password, changeme.

Which user names and passwords did it detect? Now get your lab partner to select a password that is the name of a Scottish city and, using Metasploit, see if you can guess it. What is the password used:

L1.9 Each Windows computer in a domain (or workgroup) has a unique identifier. Now we will find the SID of the machine and the RID of each user. For example:
    msf > use auxiliary/scanner/smb/smb_lookupsid
    msf auxiliary(smb_lookupsid) > set RHOSTS W.X.Y.Z
    RHOSTS => W.X.Y.Z
    msf auxiliary(smb_lookupsid) > exploit
    [*] W.X.Y.Z PIPE(LSARPC) LOCAL(Encase-PC1 - 5-21-3026846657-1272420173-2154099446) DOMAIN(WORKGROUP - )
    [*] W.X.Y.Z USER=Administrator RID=500
    [*] W.X.Y.Z USER=Guest RID=501
    [*] W.X.Y.Z GROUP=None RID=513
    [*] W.X.Y.Z USER=Encase RID=1000
    [*] W.X.Y.Z USER=user2 RID=1003
    [*] W.X.Y.Z USER=test123 RID=1004
    [*] W.X.Y.Z ENCASE-PC1 [Administrator, Guest, Encase, user2, test123 ]
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

What is the SID of the Windows 7 computer? Ask another group for their SID. For the Administrator account, is the SID different from yours? What does an RID of 500 identify? What is special about RID values of 1,000 and above?

L1.10 Next we will scan for the SMB version:

    msf > use auxiliary/scanner/smb/smb_version
    msf auxiliary(smb_version) > set SMBUser EnCase
    SMBUser => EnCase
    msf auxiliary(smb_version) > set SMBPass napier
    SMBPass => napier
    msf auxiliary(smb_version) > exploit

What information is gained from the scan:

L1.11 On the Windows 7 instance, run the following commands and observe the output:

    C:> net share

Output:

    C:> net view \\W.X.Y.Z

Output:

L1.12 Start Wireshark. Next get your lab partner to add a file (containing a secret message) to the shared folder, and mount the folder with the following (replace admin_share with the name of your share):

    smbclient //W.X.Y.Z/admin_share -U Administrator

What is the name of the file produced: On the Windows 7 instance, which command would you use to show your network shares? From the trace, can you see the signs of the user accessing the file?

NOW SWAP YOUR ROLE WITH YOUR LAB PARTNER.

L1.13 Now add your Windows 2003 instance to your network. The person using Windows 2003 should now create an SMB share. For the rest of the lab, click here.
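The SID and RID questions in L1.9 come down to how Windows composes identifiers: every principal's SID is the machine (or domain) SID followed by a relative identifier, RIDs below 1000 are reserved for well-known principals such as Administrator (500) and Guest (501), and accounts created after installation are numbered from 1000 upwards. This added example (not part of the original lab) parses smb_lookupsid output in the format shown in L1.9, rebuilds each account's full SID and classifies its RID; the sample transcript is constructed around the SID value printed in the lab, with W.X.Y.Z standing in for the target address.

```python
import re

# Constructed sample of auxiliary/scanner/smb/smb_lookupsid output, mirroring the lab transcript.
SAMPLE = """\
[*] W.X.Y.Z PIPE(LSARPC) LOCAL(Encase-PC1 - 5-21-3026846657-1272420173-2154099446) DOMAIN(WORKGROUP - )
[*] W.X.Y.Z USER=Administrator RID=500
[*] W.X.Y.Z USER=Guest RID=501
[*] W.X.Y.Z GROUP=None RID=513
[*] W.X.Y.Z USER=Encase RID=1000
[*] W.X.Y.Z USER=user2 RID=1003
[*] W.X.Y.Z USER=test123 RID=1004
"""

# RIDs below 1000 are reserved by Windows for well-known principals; the first account an
# administrator creates receives RID 1000 and later ones count upwards from there.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator (same RID on every machine, different machine SID)",
    501: "built-in Guest",
    513: "None / Domain Users group",
}
FIRST_USER_RID = 1000

LOCAL_RE = re.compile(r"LOCAL\((?P<host>\S+) - (?P<sid>[\w-]+)\)")
ACCOUNT_RE = re.compile(r"(?P<kind>USER|GROUP)=(?P<name>\S+) RID=(?P<rid>\d+)")

def parse_lookupsid(text):
    """Return (machine_sid, accounts); each account gets its full SID and a RID classification."""
    machine_sid, accounts = None, []
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            sid = m.group("sid")
            # The module prints the SID without its "S-1-" prefix; restore the canonical form.
            machine_sid = sid if sid.startswith("S-1-") else "S-1-" + sid
            continue
        m = ACCOUNT_RE.search(line)
        if m:
            rid = int(m.group("rid"))
            accounts.append({"kind": m.group("kind"), "name": m.group("name"), "rid": rid})
    if machine_sid is None:
        raise ValueError("no LOCAL(...) line carrying the machine SID")
    for acct in accounts:
        acct["sid"] = f"{machine_sid}-{acct['rid']}"  # principal SID = machine SID + RID
        if acct["rid"] >= FIRST_USER_RID:
            acct["origin"] = "created on this machine"
        else:
            acct["origin"] = WELL_KNOWN_RIDS.get(acct["rid"], "reserved well-known RID")
    return machine_sid, accounts

def created_accounts(text):
    """Names of accounts added after installation (RID >= 1000), the lab's 'new user' question."""
    return [a["name"] for a in parse_lookupsid(text)[1] if a["rid"] >= FIRST_USER_RID]
```
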