NetBIOS Hacking
You will learn to enumerate the SMB service and exploit it using different brute-forcing and exploitation tools. The lab also covers pivoting and how to use the net utility to map shared drives on the pivot network.
Lab Environment
In this lab environment, the user will access a Kali GUI instance. A vulnerable SMB service can be accessed using the tools installed on Kali on http://demo.ine.local and http://demo1.ine.local
Objective: Exploit both targets and find the flags!
Tools
The best tools for this lab are:
Metasploit Framework
Nmap
Hydra
Proxychains
Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
Solution
Step 1: Open the lab link to access the Kali GUI instance.

Step 2: Check if the provided machine/domain is reachable.
Commands

Only one of the provided machines, demo.ine.local, is reachable, but the ping output also gives us the IP addresses of both targets.
Step 3: Check open ports on the demo.ine.local machine.
Command

Multiple ports are open on the demo.ine.local machine.
All the open ports expose core services of the Windows operating system: SMB, RDP, RPC, etc.
In this lab, we will perform attacks on the SMB service.
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. SMB can also communicate with any server program that is set up to receive an SMB client request. Source: https://docs.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview
By default, the SMB service listens on TCP port 139 or 445. It is also installed and present by default on every Windows operating system, although it can be disabled or removed from the system.
There are multiple versions of the SMB protocol.
SMB1
SMB 2.0
SMB 2.1
SMB 3.0
SMB 3.0.2
SMB 3.1.1
SMBv1:
Server Message Block (SMB) is an application layer network protocol commonly used in Microsoft Windows to provide shared access to files and printers. SMBv1 is the original protocol developed in the 1980s, making it more than 30 years old. More secure and efficient versions of SMB are available today. The SMBv1 protocol is not safe to use. By using this old protocol, you lose protections such as pre-authentication integrity, secure dialect negotiation, encryption, disabling insecure guest logins, and improved message signing. Microsoft has advised customers to stop using SMBv1 because it is extremely vulnerable and full of known exploits. WannaCry, a well-known ransomware attack, exploited vulnerabilities in the SMBv1 protocol to infect other systems. Because of the security risks, support for SMBv1 has been disabled. Source: https://kb.iu.edu/d/aumn
SMBv1 was designed for old Windows operating systems, but it can still be present on the latest Windows OS. Each SMB version can be enabled or disabled by modifying the Windows registry.
The versions after SMBv1 are reasonably secure. They provide many security protections, e.g., disabling insecure guest logins, pre-authentication integrity, secure dialect negotiation, encryption, etc.
While scanning with nmap, we discovered the SMB service on port 445.
To learn more about all protocol versions and their changes, please refer to the following link: https://en.wikipedia.org/wiki/Server_Message_Block
Now, let's perform enumeration and exploitation of the SMB protocol.
Step 4: Let's run nmap on port 445 to get more information about the protocol.
Command
-sV: Probe open ports to determine service/version info
-p 139,445: Only scan specified ports

We received service information for both ports and identified the target as Microsoft Windows Server 2008 R2 - 2012.
Step 5: Now, let's identify all the supported SMB versions on the target machine.
We can quickly identify it using the nmap script smb-protocols.
Command
-p445: Only scan specified port.
--script smb-protocols: Run the smb-protocols NSE script

We can see that all three SMB versions are enabled on the target.
Another useful nmap script for the SMB protocol reports the security mode (security level) of the service.
Step 6: Let's run the nmap script to find the smb protocol security level.
Command

The script connected to the target SMB server as the guest user and returned the SMB security mode information.
We can find more information from the following link: https://nmap.org/nsedoc/scripts/smb-security-mode.html
This shows that the nmap smb scripts use the guest account by default. Another user can be specified, but that requires valid credentials for the target machine.
The guest account is a built-in account on all Windows operating systems.
If an attacker has valid credentials for the target machine, command execution may be possible, depending on the privileges of that user.
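The smb-protocols and smb-security-mode results above are the two things a defender would check first on a Windows file server. The following script is an added example (not part of the lab or of nmap) that parses the host-script section of plain nmap output and turns it into findings: SMBv1 still negotiable, message signing disabled or merely supported, share-level authentication, and the guest account being accepted. The sample output is constructed to mirror nmap's format and is not real output from the lab target.

```python
import re

# Constructed sample of nmap host-script output for the smb-protocols and
# smb-security-mode NSE scripts (not real output from demo.ine.local).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|_    3.00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""


def _strip_gutter(line):
    """Remove nmap's '|' / '|_' prefix and indentation from a script line."""
    return line.lstrip("|_ ").rstrip()


def parse_dialects(output):
    """Return the list of SMB dialect strings reported by smb-protocols."""
    dialects, in_block = [], False
    for line in output.splitlines():
        body = _strip_gutter(line)
        if body.startswith("smb-protocols:"):
            in_block = True
            continue
        if in_block:
            if body == "dialects:":
                continue
            if body.endswith(":"):      # next script section begins
                in_block = False
                continue
            if body:
                dialects.append(body)
    return dialects


def parse_security_mode(output):
    """Return the key/value pairs reported by smb-security-mode as a dict."""
    fields, in_block = {}, False
    for line in output.splitlines():
        body = _strip_gutter(line)
        if body.startswith("smb-security-mode:"):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^(\w+):\s*(.+)$", body)
            if not m:                   # block ended (blank or new section)
                in_block = False
                continue
            fields[m.group(1)] = m.group(2)
    return fields


def assess(output):
    """Turn parsed output into (severity, finding) tuples for a hardening report."""
    findings = []
    dialects = parse_dialects(output)
    if any("SMBv1" in d or d.startswith("NT LM") for d in dialects):
        findings.append(("HIGH", "SMBv1 dialect is negotiable; disable SMBv1 on the server"))
    mode = parse_security_mode(output)
    signing = mode.get("message_signing", "")
    if signing.startswith("disabled"):
        findings.append(("HIGH", "SMB message signing disabled; require signing"))
    elif signing.startswith("supported"):   # enabled but not required
        findings.append(("MEDIUM", "SMB message signing supported but not required"))
    if mode.get("authentication_level") == "share":
        findings.append(("HIGH", "share-level authentication in use"))
    if mode.get("account_used") == "guest":
        findings.append(("INFO", "server accepted the guest account used by the script"))
    return findings


if __name__ == "__main__":
    for severity, text in assess(SAMPLE_NMAP_OUTPUT):
        print(f"[{severity}] {text}")
```

Run it against saved nmap output (`nmap -p445 --script smb-protocols,smb-security-mode <host> > scan.txt`) by reading the file into `assess()`; the same two signals (SMBv1 on, signing off) are what make the later psexec step possible, so they belong at the top of any remediation list.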
Now, let's check whether the target allows a null session (anonymous access) using the smbclient tool.
smbclient
smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
Step 7: Let's run the smbclient tool to check whether we have anonymous access to the target machine.
Commands

We can access the target using an anonymous login.
Step 8: Now that we have anonymous access to the target machine, we can easily list all local Windows users using an nmap script.
Let's enumerate the users with the nmap smb-enum-users script.
Command

There are four users present: admin, administrator, root, and guest.
The guest and administrator users are built-in accounts.
Now, let's find valid passwords for the admin, administrator, and root users.
Step 9: First, let's create a file (users.txt) containing these three usernames.

Now, let's run hydra against the SMB service to brute-force the passwords of these users.
Command
-L: List of users
-P: Password list
demo.ine.local smb: Target Address and Target Protocol

We have successfully retrieved valid passwords for all three users.
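On the server side, the hydra run above leaves a very recognisable trace: a burst of failed network logons (Event ID 4625, logon type 3) from one source against several accounts, followed by a success (4624) for the account whose password was guessed. The script below is an added example, not part of the lab, that implements that detection over a constructed set of Security log events; the line format and the 60-second / 5-failure thresholds are assumptions, not a Windows export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real data). LogonType=3
# is a network logon, which is what SMB authentication produces. 4625 = failed
# logon, 4624 = successful logon. One source hammers three accounts and then
# succeeds as administrator; a second source is a single ordinary mistype.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 EventID=4625 LogonType=3 TargetUser=admin SourceIP=10.0.17.5
2024-05-01T09:00:01 EventID=4625 LogonType=3 TargetUser=admin SourceIP=10.0.17.5
2024-05-01T09:00:01 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=10.0.17.5
2024-05-01T09:00:02 EventID=4625 LogonType=3 TargetUser=root SourceIP=10.0.17.5
2024-05-01T09:00:02 EventID=4625 LogonType=3 TargetUser=admin SourceIP=10.0.17.5
2024-05-01T09:00:03 EventID=4625 LogonType=3 TargetUser=root SourceIP=10.0.17.5
2024-05-01T09:00:04 EventID=4624 LogonType=3 TargetUser=administrator SourceIP=10.0.17.5
2024-05-01T09:05:00 EventID=4625 LogonType=3 TargetUser=bob SourceIP=10.0.17.9
2024-05-01T09:30:00 EventID=4624 LogonType=3 TargetUser=bob SourceIP=10.0.17.9
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed event lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Alert per source IP whose network-logon failures within `window` reach
    `threshold`; record the accounts tried and any success right after."""
    alerts = {}
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):          # sliding window
            end = first["ts"] + window
            burst = [f for f in failures[i:] if f["ts"] <= end]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            # a 4624 shortly after the burst means a password was likely guessed
            success = {e["user"] for e in evs
                       if e["id"] == 4624 and last <= e["ts"] <= last + window}
            alerts[ip] = {
                "failures": len(burst),
                "users": sorted({f["user"] for f in burst}),
                "success_after": sorted(success),
            }
            break
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, a)
```

The "success_after" field is the important one for triage: a burst of failures alone is noise a lockout policy can absorb, but a success that follows it means the account should be treated as compromised and its password rotated.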
Step 10: Now, we can use the Metasploit framework and run the psexec exploit module to gain a meterpreter shell using the administrator user's valid password.
Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description. Source: https://www.rapid7.com/db/modules/exploit/windows/smb/psexec/
Let's start the Metasploit framework and exploit it!
Commands
Note: If the exploit does not give you a meterpreter session, try again!

Success! We have received a meterpreter session.
Step 11: Now, we will gather target machine information, e.g., the current user, system information, architecture, etc.
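The module description above states the property a defender can key on: psexec-style execution installs a new service with a randomly chosen name whose binary was dropped through an administrative share. Windows records every service installation as System log Event ID 7045. The script below is an added example, not part of the lab or of Metasploit, that scores constructed 7045 records with a few heuristics (binary placed directly in %SystemRoot%, image path on an administrative share, the well-known PSEXESVC name, a random-looking mixed-case name). The key=value line format is a simplified constructed representation, not the real event XML, and the thresholds are assumptions.

```python
import re

# Constructed sample of Event ID 7045 ("A service was installed in the system")
# records, flattened to key=value form for the example. Not real log data.
SAMPLE_7045 = r"""
EventID=7045 ServiceName="Windows Update" ImagePath="C:\Windows\system32\svchost.exe -k netsvcs" StartType=auto Account=LocalSystem
EventID=7045 ServiceName="ZwlQhYqU" ImagePath="%SYSTEMROOT%\ZwlQhYqU.exe" StartType=demand Account=LocalSystem
EventID=7045 ServiceName="PSEXESVC" ImagePath="%SystemRoot%\PSEXESVC.exe" StartType=demand Account=LocalSystem
EventID=7045 ServiceName="BthHFSrv" ImagePath="C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation" StartType=demand Account=LocalService
EventID=7045 ServiceName="svcTmp" ImagePath="\\127.0.0.1\ADMIN$\svcTmp.exe" StartType=demand Account=LocalSystem
"""

FIELD_RE = re.compile(
    r'EventID=7045 ServiceName="(?P<name>[^"]*)" ImagePath="(?P<path>[^"]*)"')


def parse_7045(text):
    """Extract (name, path) dicts from the constructed 7045 lines."""
    return [m.groupdict() for m in map(FIELD_RE.match, text.splitlines()) if m]


def score_service(name, path):
    """Heuristic score for a remote-exec style service install, with reasons.
    Each heuristic adds one point; legitimate services should score 0 or 1."""
    reasons = []
    p = path.lower()
    # an .exe sitting directly in the Windows directory, not in System32
    if re.search(r'(?:%systemroot%|c:\\windows)\\[^\\]+\.exe', p):
        reasons.append("image dropped directly in %SystemRoot%")
    # UNC path through ADMIN$ or C$ (how the payload is usually staged)
    if re.search(r'\\\\[^\\]+\\(admin|c)\$', p):
        reasons.append("image path references an administrative share")
    if name.upper() == "PSEXESVC":
        reasons.append("well-known PsExec service name")
    # letters only, mixed case, and a run of 4+ consonants: looks generated
    if (re.fullmatch(r'[A-Za-z]{4,16}', name)
            and name != name.lower() and name != name.upper()
            and re.search(r'[^aeiouyAEIOUY]{4,}', name)):
        reasons.append("random-looking mixed-case service name")
    return len(reasons), reasons


def flag_suspicious(text, min_score=2):
    """Return (name, score, reasons) for records reaching min_score."""
    flagged = []
    for ev in parse_7045(text):
        score, reasons = score_service(ev["name"], ev["path"])
        if score >= min_score:
            flagged.append((ev["name"], score, reasons))
    return flagged


if __name__ == "__main__":
    for name, score, reasons in flag_suspicious(SAMPLE_7045):
        print(f"{name}: score {score}; " + "; ".join(reasons))
```

Requiring two independent signals keeps a real but oddly named Windows service such as BthHFSrv (which only trips the name heuristic) below the alert line, while the staged-binary cases cross it; in production the same rule would be expressed over the real 7045 XML fields rather than the flattened sample format used here.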
Commands

We notice that the target is running Windows Server, and our meterpreter session has "SYSTEM" (i.e., NT AUTHORITY\SYSTEM) privileges on the machine.
Step 12: Let's read the flag.
Command

We have found the FLAG1: 8de67f44f49264e6c99e8a8f5f17110c
Step 13: Let's check if we can access demo1.ine.local from the compromised host.
Before pinging the second target from the compromised host, we need the IP address of the demo1.ine.local host.
Remember, when we pinged both targets earlier, we discovered their IP addresses:
1. demo.ine.local: 10.0.17.62
2. demo1.ine.local: 10.0.22.69
Now, let's ping 10.0.22.69 and verify that it is reachable from the compromised host.
Commands

We can access the demo1.ine.local machine, i.e., 10.0.22.69.
However, we cannot reach that machine (10.0.22.69) directly from the Kali machine, so we need to pivot by adding a route in the Metasploit framework.
Step 14: Let's add the route through the meterpreter session and identify the services on the second machine.
Commands

We have successfully added the route to access the demo1.ine.local machine.
Step 15: Now, let's start a SOCKS proxy server so that the pivot network can be reached from the attacker's machine using the proxychains tool.
First, start the socks4a server using the Metasploit module.
Socks4a Proxy Server
This module provides a socks4a proxy server with built-in Metasploit routing to relay connections. Source: https://www.rapid7.com/db/modules/auxiliary/server/socks4a/
Note: proxychains should be configured with the following parameters (at the end of /etc/proxychains4.conf):
Command

We can see that the socks4 port is 9050.
Now, let's run the Metasploit socks proxy auxiliary server module on port 9050.
Commands

We notice that the module options list SRVPORT as 1080 and VERSION as 5, but we need port 9050 and version 4a. Let's change both values and then run the server.
Commands:

We can see that the server is running.
Step 16: Now, let's run nmap through proxychains to identify the SMB port (445) on the pivot machine, i.e., demo1.ine.local.
We could also specify multiple ports, but in this case we are only interested in the SMB service.
Command:
demo1.ine.local: The pivot machine
-sT: TCP connect scan
-Pn: Skip host discovery and force a port scan.
-sV: Probe open ports to determine service/version info
-p 445: Define the port to scan
This is the safest way to identify open ports through the pivot. Metasploit's auxiliary TCP port-scanning modules could be used instead, but they are very aggressive and can kill your session.

We notice that port 445 is open on the target machine.
Step 17: Now, let's use the net view command to list all resources shared by the demo1.ine.local machine.
Interact with the meterpreter session again.
Commands:
We received an "Access is denied." message.
Well, we are currently running with NT AUTHORITY\SYSTEM privileges. Let's migrate into the explorer.exe process and try again.
Commands:

This time we can see two shared resources: Documents and the K drive. This confirms that the pivot target (demo1.ine.local) allows null sessions, so we can access the shared resources. The same goal can also be achieved in several other ways.
Step 18: Now, we can map the shared drives on the demo.ine.local machine using the net command.
Let's map the shared resources, i.e., the Documents share and the K drive.
Commands:

We successfully mapped the resources to D and K drives.
Step 19: Let's check what is inside these mapped drives.
Commands:

Now that we can browse the share contents, we can download or read them on the attacker's machine.
Let's read the FLAG2 and Confidential.txt files.
Commands:

We have found the FLAG2: c8f58de67f44f49264e6c99e8f17110c
This file is the ultimate proof for the client: the organization's files are not safe. Therefore, policies and proper configurations should be implemented both inside and outside the perimeter.