

Tutorial: Samba Exploit [Spawn a command shell on the Victim]
Samba Exploit [Spawn a command shell on the Victim] #1
Hello everyone, this will be my 3rd security tutorial.

This particular exploit exploits Samba version 3.0.20 and spawns a remote command shell on the victim.

The tools/programs we will be using today are:

VirtualBox (Unless you use BackTrack 5 R3 or Kali Linux as your main operating system) OR VMware
Backtrack 5 R3 (or Kali Linux)
Metasploitable (You can download it here)
Metasploit (Included in BackTrack 5 R3 and Kali Linux)

I'm not going to explain to you how to set up backtrack, kali linux, or metasploitable on virtualbox because that is not what the tutorial is for.

Alright, on with the tutorial.

First things first, start up Backtrack/Kali and Metasploitable. When it brings you to the login for Metasploitable, type in msfadmin as the user and msfadmin as the password.

After you've done that, get Metasploitable's internal ip by typing this in the console/command prompt -

Code:
ifconfig

If your network is set up correctly on the virtual machine, it should do something like this. The ip I put the red box over is where your internal ip should come up, mine is 192.168.1.88
Memorize the ip or store it somewhere in case you forget it.

[Image: otLdHwZ.png]

Now that you've done that, head over to BackTrack and start up Metasploit by opening a terminal window and typing

Code:
msfconsole

It will take a minute or so for metasploit to start up. Once it has started up, it should look something like this.

[Image: NI4UYpZ.png]

Alright, now that we're done with the first few steps, let's get to the fun part. In the metasploit console you'll type

Code:
use auxiliary/scanner/smb/smb_version

This scanner (depending on the options you enter in, we'll get to that in a second) scans every host on your LAN to see if they're running samba and what version they're running. Now go ahead and type in "show options" without the quotes. You should get a menu telling you what options there are, as well as what's required and what isn't. It should look like this -

[Image: AG0y6qU.png]

Now, you'll type

Code:
set rhosts 192.168.1.0/24

This scans everything on your network from 192.168.1.0 and up to see if they're running samba and what version they're running.

Now we're going to pump the threads up to 75. This tells that the difficulty is 75, meaning it will search harder and do a better scan than if it were set to 1. Go ahead and type in

Code:
set threads 75

Once you've done that, it's time to start the scanner. Type "run" without the quotes and give it a second to scan the network.

It should look something like this when it's done -

[Image: tpEpxf4.png]

Try to find metasploitable's internal ip and next to it it should say

Quote:
internaliphere:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)

(This is optional)

In the metasploit console type in

Code:
search samba

This will give you every exploit module that contains the word "samba" in it; this is just so you can see the different types and whatnot. But for this tutorial we're using exploit/multi/samba/usermap_script. This gives us the privilege to perform Remote Command Execution. So in the console type

Code:
use exploit/multi/samba/usermap_script

Now type

Code:
show options

and that will give you the options for this particular exploit.

[Image: HFY5KOz.png]

As you can see one of the options is RHOST. You're going to set the rhost to metasploitable's internal. In the console type in

Code:
set rhost metasploitableinternaliphere

So for me it would be

Code:
set rhost 192.168.1.88

And when you're ready, go ahead and type "exploit" without the quotation marks.

If you've done everything correctly, your metasploit window should look something like this.

[Image: YXlSxWz.png]

BOOM! There you go. You have now spawned a command shell and owned this box. From there, you can type in anything that you'd be able to type into a Unix machine's command prompt.

I hoped you all liked this tutorial, please feel free to post comments, questions, or concerns and keep the thread alive.

Peace Cool
XMPP - wrath@xmpp.jp

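The smb_version scan in the post above is also the quickest way for the owner of a lab or LAN to find which hosts still run a Samba release that this module targets, so they can be upgraded rather than exploited. The script below is an added example for this thread; it is not code from the original post or from Metasploit. It parses scanner output in the one-line-per-host shape quoted in the post (`host:445 is running Unix Samba 3.0.20-Debian ...`), converts each version string into a sortable key (release candidates sort before the final release), and flags hosts whose release lies in the range the usermap_script module's own description names, 3.0.20 through 3.0.25rc3. That range is assumed here as the triage cutoff; the sample transcript is constructed, and the exact prefix Metasploit prints on each line is not relied on.

```python
"""Triage Samba versions reported by an smb_version-style scanner transcript.

Added example for this thread, not code from the original post or from
Metasploit. Affected range and sample transcript are assumptions, labelled
below.
"""
import re
from dataclasses import dataclass

# Range named in the usermap_script module description (assumed here as the
# triage cutoff; check the Samba advisory if your policy tracks another one).
AFFECTED_LOW = (3, 0, 20, 1, 0)     # 3.0.20 final release
AFFECTED_HIGH = (3, 0, 25, 0, 3)    # 3.0.25rc3; 3.0.25 final is not flagged

# "a.b.c.d:port ... Samba <version>"; anything before the address is ignored,
# so the "[*]" / "[+]" prefix Metasploit prints does not matter.
LINE_RE = re.compile(
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b.*?\bSamba\s+(?P<version>\d\S*)"
)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


@dataclass
class SambaHost:
    host: str
    port: int
    version: str   # as reported, e.g. "3.0.20-Debian"
    key: tuple     # sortable form, e.g. (3, 0, 20, 1, 0)
    affected: bool


def version_key(version: str) -> tuple:
    """Turn '3.0.25rc3' or '3.0.20-Debian' into a sortable tuple.

    Release candidates sort before the final release of the same number:
    3.0.25rc3 -> (3, 0, 25, 0, 3) and 3.0.25 -> (3, 0, 25, 1, 0).
    Distro suffixes such as '-Debian' or '-Ubuntu' are ignored.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_affected(key: tuple) -> bool:
    """True when the release falls inside the assumed affected range."""
    return AFFECTED_LOW <= key <= AFFECTED_HIGH


def parse_line(line: str):
    """Return a SambaHost for a line naming a Samba version, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None   # progress lines and non-Samba hosts are skipped
    key = version_key(m.group("version"))
    return SambaHost(
        host=m.group("host"),
        port=int(m.group("port")),
        version=m.group("version"),
        key=key,
        affected=is_affected(key),
    )


def triage(scanner_output: str) -> list:
    """Parse a whole transcript; hosts come back in input order."""
    hosts = []
    for line in scanner_output.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            hosts.append(parsed)
    return hosts


def affected_hosts(scanner_output: str) -> list:
    """Addresses that still need the Samba upgrade, ready for a patch ticket."""
    return [h.host for h in triage(scanner_output) if h.affected]


# Constructed sample transcript (not real scanner output) in the
# one-line-per-host shape quoted in the post.
SAMPLE_OUTPUT = """\
[*] 192.168.1.88:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.10:445 is running Unix Samba 3.0.25rc3 (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.11:445 is running Unix Samba 3.0.25 (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.12:445 is running Unix Samba 4.13.17-Ubuntu (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.13:445 is running Windows 7 Ultimate SP1 (build:7601) (name:WIN7) (domain:WORKGROUP)
[*] Scanned 256 of 256 hosts (100% complete)
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_OUTPUT):
        print(f"{h.host}:{h.port}  Samba {h.version:<16} {'UPGRADE' if h.affected else 'ok'}")
```

Feed it the saved console output of the scan (`spool` in msfconsole writes one) and the `affected_hosts` list is the set of machines to upgrade; the version key is deliberately tuple-based so a `3.0.25rc3` host is caught while a `3.0.25` host, where the fix landed, is not.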

RE: Samba Exploit [Spawn a command shell on the Victim] #2
Something new for me, thanks mate.
[Image: KApAKtG.jpg]


RE: Samba Exploit [Spawn a command shell on the Victim] #3
You actually won't need BackTrack or Kali, but the packages.


RE: Samba Exploit [Spawn a command shell on the Victim] #4
This is a fun exploit. Gonna go try it now.
