Port Scan
We do not have SSH, FTP or HTTP ports available, but the SMB ports (139, 445) are open, so we start enumeration from there.
Let's find out whether SMB is vulnerable or not by running the SMB-related nmap NSE scripts.
As per the screenshot above, the SMB service is vulnerable to the very famous
MS17-010 vulnerability.
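As an added, defender-oriented example that is not part of the original post: the scan step above produces NSE output, and the script below parses nmap's XML (`-oX`) report for the `smb-vuln-*` scripts and lists the hosts that report a `VULNERABLE` state so they can be prioritised for patching. The sample XML is constructed and only approximates nmap's real layout; the addresses are invented.

```python
# Added example, not code from the original post. Parses nmap XML output
# (e.g. from `nmap -p139,445 --script smb-vuln-ms17-010 -oX scan.xml ...`)
# and returns the hosts whose smb-vuln-* scripts report VULNERABLE.
import xml.etree.ElementTree as ET

# Constructed sample modelled on nmap's host-script XML layout; addresses
# and states are invented for this example.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><hostscript>
<script id="smb-vuln-ms17-010" output="VULNERABLE"><table key="CVE-2017-0143">
<elem key="state">VULNERABLE</elem></table></script></hostscript></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><hostscript>
<script id="smb-vuln-ms17-010" output="NOT VULNERABLE"><table key="CVE-2017-0143">
<elem key="state">NOT VULNERABLE</elem></table></script></hostscript></host>
<host><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""


def vulnerable_hosts(xml_text, script_prefix="smb-vuln-"):
    """Return [(ip, script_id, cve)] for each host whose smb-vuln-* script
    reports state VULNERABLE. Hosts without such a script, or reporting
    NOT VULNERABLE / LIKELY VULNERABLE, are not listed."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith(script_prefix):
                continue
            for table in script.findall("table"):
                state = table.find("elem[@key='state']")
                if state is not None and state.text == "VULNERABLE":
                    findings.append((addr.get("addr"), sid, table.get("key")))
    return findings


if __name__ == "__main__":
    for ip, sid, cve in vulnerable_hosts(SAMPLE_XML):
        print(f"{ip}: {sid} reports {cve} VULNERABLE - patch and disable SMBv1")
```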
We have a Python exploit available on GitHub:
https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
For the above SMB alert, download mysmb from:
https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
We require an open SMB share on the victim machine. For that, we need to add the computer name to our hosts file and
then scan for open SMB shares.
Type vi /etc/hosts and add the victim machine to this file as shown below.
Now we have an open share available.
Before going any further, we decided to read through the exploit once. We found that we need to make a couple of changes.
First change: "//" (double slash for bash escape) in the username field of the exploit.
Second change: we require an .exe (reverse shell) that executes on the victim machine and connects back to us.
We need to set up a handler as shown in the screenshot below.
Now run the exploit.
You will have a shell as "NT AUTHORITY\SYSTEM".
I was wondering. Why must one add '//' to USERNAME? How do you get to that conclusion?