Multiple ways to Connect Remote PC using SMB Port

In this article, we will learn how to connect to a victim’s machine via SMB port 445 once you have collected a username and password for the victim’s PC. To learn how to collect usernames and passwords from a remote host via the SMB protocol, click here, and to understand what the SMB protocol is, click here.

Table of content

Exploiting Windows Server 2008 R2 via SMB through Metasploit inbuilt exploits:

  • Microsoft Windows Authenticated User Code Execution
  • Microsoft Windows Authenticated Powershell Command Execution
  • Microsoft Windows Authenticated Administration Utility
  • SMB Impacket WMI Exec

Third party Tools

  • Impacket (psexec)
  • Impacket (atexec)
  • Psexec exe
  • Atelier Web Remote Commander

Exploiting Windows 2007 via SMB through Metasploit inbuilt exploits:

  • MS17-010 EternalRomance SMB Remote code execution
  • MS17-010 EternalRomance SMB Remote command execution

Let’s Begin

Tested on: Windows Server 2008 R2

Attacking Machine: Kali Linux

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

Here,

  • rhost -> IP of the victim PC
  • smbuser -> username
  • smbpass -> password

Once the commands run, you will gain a meterpreter session on the victim’s PC and can access it as you want.

Microsoft Windows Authenticated Powershell Command Execution

This module uses a valid administrator username and password to execute a PowerShell payload using a similar technique to the “psexec” utility provided by SysInternals. The payload is encoded in base64 and executed from the command line using the -EncodedCommand flag. Using this method, the payload is never written to disk, and because each payload is unique, it is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the PSH payload has been reduced in size and wrapped in a PowerShell invocation which hides the window entirely.

Once again, as the commands run you will gain a meterpreter session on the victim’s PC, and therefore you can do as you wish.

Microsoft Windows Authenticated Administration Utility

This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a similar technique to the “psexec” utility provided by SysInternals. Daisy-chaining commands with ‘&’ does not work and users shouldn’t try it. This module is useful because it doesn’t need to upload any binaries to the target machine.

So first, in a new Metasploit console, we used the web delivery module to generate the malicious DLL code that we can use as the arbitrary command on the host.

Copy the highlighted text for the malicious DLL code.

As soon as we run the psexec auxiliary module, we get a meterpreter session as administrator.

SMB Impacket WMI Exec

This module takes a similar approach to psexec but executes commands through WMI.

Impacket for psexec.py

psexec.py lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly with a full interactive console without having to install any client software.

Now let’s install the Impacket tools from GitHub. You can get them from here. First clone the git repository, then install Impacket, and then run psexec.py to connect to the victim’s machine.

Syntax: ./psexec.py [[domain/]username[:password]@][Target IP Address]

Impacket for atexec.py

This script executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

Syntax: ./atexec.py [[domain/]username[:password]@][Target IP Address] [Command]

As you can see below, a remote connection was established to the server and the command systeminfo was run on the target server, with the output of the command delivered to the Kali terminal.

PsExec.exe

PsExec.exe is software that helps us access other computers in a network. This software takes us directly to the shell of the remote PC, with the advantage of doing nothing manually. Download it from -> http://download.sysinternals.com/files/PSTools.zip.

Unzip the file once you have downloaded it. Go to your command prompt and type:

Here,

  • 192.168.1.104 -> the IP of the remote host
  • -u -> denotes username
  • -p -> denotes password
  • cmd -> to enter the victim’s command prompt
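The psexec-style techniques above (the Metasploit psexec, PowerShell and WMI exec modules, Impacket’s psexec.py and Sysinternals PsExec.exe) all leave host artefacts that a defender can alert on: a new service whose name and binary are random (the article notes the service gets a randomly chosen name), the PSEXESVC service, a shell spawned by WmiPrvSE.exe, and a hidden-window PowerShell run with -EncodedCommand. The following is an added example, not code from the article or from Metasploit, Impacket or Sysinternals; the event records, field names and sample values are this example’s own constructed assumptions.

```python
"""Detection heuristics for the psexec-style techniques above: random-named service
installs and PSEXESVC (Event ID 7045), shells spawned by WmiPrvSE (wmiexec) and
hidden-window -EncodedCommand PowerShell (Event ID 4688). Added example, not from
the original article; the dict field names are this example's own convention."""
import re

# Constructed sample events: fields a SIEM would extract from System/Security logs.
EVENTS = [
    {"id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "service": "XfNbPdAq", "image": r"%SYSTEMROOT%\XfNbPdAq.exe"},
    {"id": 7045, "service": "Spooler", "image": r"%SystemRoot%\System32\spoolsv.exe"},
    {"id": 4688, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /Q /c whoami"},
    {"id": 4688, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -nop -enc QUJDREVGR0g="},
    {"id": 4688, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

LETTERS_ONLY = re.compile(r"^[A-Za-z]{4,16}$")
ENCODED_FLAG = re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)")
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden")

def basename_no_ext(path):
    """'%SystemRoot%\\Foo.exe' -> 'Foo' (forward or back slashes)."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]

def looks_random(name):
    """Heuristic for Metasploit's random alpha service names: letters only, with
    an upper-case letter after the first character (unlike 'Spooler')."""
    return (bool(LETTERS_ONLY.match(name)) and any(c.islower() for c in name)
            and any(c.isupper() for c in name[1:]))

def check_service_install(ev):
    """Event 7045: returns a reason string when the install looks psexec-like."""
    name = ev["service"]
    if name.upper() == "PSEXESVC":
        return "Sysinternals PsExec service installed"
    if looks_random(name) and basename_no_ext(ev["image"]).lower() == name.lower():
        return "random-named service whose binary carries the same name"
    return None

def check_process_create(ev):
    """Event 4688: WMI-spawned shells and hidden, encoded PowerShell."""
    parent = basename_no_ext(ev.get("parent", "")).lower()
    child = basename_no_ext(ev["image"]).lower()
    cmd = ev.get("cmdline", "").lower()
    if parent == "wmiprvse" and child in ("cmd", "powershell"):
        return "shell spawned by WmiPrvSE.exe (wmiexec-style execution)"
    if "powershell" in cmd and ENCODED_FLAG.search(cmd) and HIDDEN_FLAG.search(cmd):
        return "hidden-window PowerShell with -EncodedCommand"
    return None

def triage(events):
    """Return [(event_id, reason)] for every event a heuristic fires on."""
    checks = {7045: check_service_install, 4688: check_process_create}
    hits = []
    for ev in events:
        reason = checks.get(ev["id"], lambda _: None)(ev)
        if reason:
            hits.append((ev["id"], reason))
    return hits
```

The random-name heuristic will also match some legitimate mixed-case service names, so pair it with the image-path check as done here rather than alerting on the name alone.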

Atelier Web Remote Commander

This is graphical software that lets us gain control of a victim’s PC quite easily.

Once you have opened the software, give the IP address of your victim’s PC in the remote host box along with the username and password in their respective boxes. Then click on connect; the whole screen of the victim’s PC will appear on your desktop and you will have a pretty good view of what your victim is doing.

As you can observe, we have the screen of the victim’s machine in front of us.

MS17-010 EternalRomance SMB Remote code Execution

Tested on: Windows 2007 Ultimate

Attacking Machine: Kali Linux

This module exploits SMB with the vulnerabilities in MS17-010 to achieve a write-what-where primitive. This is then used to overwrite the connection session information with an Administrator session. From there, the normal psexec payload code execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.

MS17-010 EternalRomance SMB Remote Command Execution

This module exploits SMB with the vulnerabilities in MS17-010 to achieve a write-what-where primitive. This is then used to overwrite the connection session information with an Administrator session. From there, the normal psexec command execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.

So first, in a new Metasploit console, we used the web delivery module to generate the malicious DLL code that we can use as the arbitrary command on the host.

Copy the highlighted text for the malicious DLL code.

As soon as we run the psexec auxiliary module, we get a meterpreter session as administrator.

In this way we can compromise the victim’s machine remotely if we have the login credentials.

Happy Hacking!!!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact Here

Comprehensive Guide to SSH Tunnelling

Basically, tunnelling is a process which allows data sharing or communication between two different networks privately. Tunnelling is normally performed by encapsulating the private network data and protocol information inside the public network transmission units, so that the private network protocol information is visible to the public network only as data.

SSH Tunnel: Tunnelling is the concept of encapsulating one network protocol inside another; here we put it inside SSH, so all network communication is encrypted. Because tunnelling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunnelling:

  1. Dynamic SSH tunneling
  2. Local SSH tunneling
  3. Remote SSH tunneling

Let’s Begin!!

Objective: To establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

  • SSH server (two Ethernet interfaces): IP 192.168.1.104 is connected with the remote system, and IP 192.168.10.1 is connected to the local network system 192.168.10.2
  • SSH client (local network) holds IP 192.168.10.2
  • Remote system (outside network)

In the following image we try to explain the SSH tunnelling process, where a remote PC is trying to connect to 192.168.10.2, which is on the intranet of another network. To establish a connection with the SSH client (raj), the remote PC will create an SSH tunnel which connects to the local system via the SSH server (Ignite).

NOTE: The SSH service must be running.

The image given below describes the network configuration of the SSH server, showing two IPs: 192.168.1.104 and 192.168.10.1.

Another image given below describes the network configuration of the SSH client, showing IP 192.168.10.2.

Dynamic SSH Tunneling through Windows

The remote PC tries to connect to the SSH server (192.168.1.104) via port 22 and logs in to the server successfully. Here we used PuTTY to establish the connection between the SSH server (Ubuntu) and the remote user (Windows).

Similarly, the remote PC now tries to connect to the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.

Steps for dynamic SSH tunnelling

  • Choose the option SSH > Tunnels in the left-hand Category column.
  • Give the new forwarded port as 7000, set the connection type to Dynamic, and click Add.

Now connect to the SSH server 192.168.1.104 via port 22 and click Open once everything is set.

First it connects to the SSH server; as you can see, we are connected to the SSH server (Ignite).

Now open PuTTY again, give the IP of the client system, 192.168.10.2, as the Host Name and 22 as the port for SSH, then click Open.

In the PuTTY window you opened previously, choose the Proxy option from Category and follow the steps below:

  • Select the proxy type as SOCKS 5
  • Give the proxy hostname as 127.0.0.1 and port 7000
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client (raj) via port 7000.

Dynamic SSH Tunneling through Kali Linux on Port 80

Now we employ Kali Linux for SSH tunnelling and demonstrate how an attacker or Linux user can take advantage of tunnelling and establish an SSH connection with client systems.

ssh -D 7000 [email protected]

Enter the user’s password to log in and get access to the SSH server as shown below.

Next we need to set a network proxy to enable SOCKS v5; for that, follow the steps below.

  • In your web browser (Firefox), go to the General settings tab and open Network Proxy.
  • Choose No Proxy
  • Enable SOCKS v5
  • Add localhost, 127.0.0.1 as the manual proxy

So from the image given below you can perceive that we are now able to connect to the client 192.168.10.2 via port 80.

Dynamic SSH Tunneling through Kali Linux on Port 22

Now connect to the client machine through the command given below:

ssh -D 7000 [email protected]

Install tsocks from the apt repository using the command: apt install tsocks.

tsocks: a library for intercepting outgoing network connections and redirecting them through a SOCKS server.

Open the tsocks.conf file to edit the SOCKS server IP and port; in our case we need to mention the two lines below and then save it.

Server = 127.0.0.1
Server_port = 7000

Now connect to the SSH client with the help of tsocks using the command given below.

tsocks ssh [email protected]

Enter the password and enjoy access to the SSH client.

Local SSH Tunneling through Windows

Local tunnelling is a process to access a specific SSH client machine for communication. It lets you establish a connection to a specific machine which is not reachable from the internet.

The only difference between dynamic tunnelling and local tunnelling is that dynamic tunnelling requires a SOCKS proxy for tunnelling all TCP traffic, while local tunnelling only requires the destination IP address.

Steps for SSH local tunnelling

  • Use PuTTY to connect to the SSH server (192.168.1.104) via port 22 and choose the option SSH > Tunnels in the left-hand Category column.
  • Give the new forwarded port as 7000 and the connection type as Local.
  • Give the destination address as 198.168.10.2:22 to establish the connection with the specific client, and click Add.
  • Click Open once everything is set.

First this establishes the connection between the remote PC and the SSH server.

Open a new PuTTY window and follow the steps below:

  • Give the hostname as localhost, port 7000 and connection type SSH.
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.

Local SSH Tunneling through Kali Linux

Now we switch to Kali Linux again for local tunnelling, which is quite easy compared to dynamic. Execute the command given below to forward the port to the local machine.

ssh -L 7000:192.168.10.2:22 [email protected]

Now open a new terminal and type the command below to connect to the SSH client.

ssh [email protected] -p 7000

Awesome!! We have successfully accessed the SSH client via port 7000.

Remote SSH Tunneling through Putty

Remote tunnelling is useful when a client machine wants to access a remote system which is outside its network.

First we need to install PuTTY on our SSH server (ignite) and then follow the steps given.

Steps for remote tunnelling

  • Enter the remote system IP 192.168.1.108
  • Mention port 22
  • Go to the SSH > Tunnels options
  • Give the new forwarded port as 7000 and the connection type as Remote
  • Give the destination address as 198.168.10.2:22 to establish the connection with the specific client, and click Add.
  • Click Open once everything is set.

Now the server will connect to the remote system as shown in the image below.

Come back to the remote system and enter the following command to connect to the SSH client machine.

ssh [email protected] -p 7000

From the image given below you can observe that we successfully connected to the SSH client machine via port 7000.

Remote SSH Tunneling through Ubuntu

If you do not want to use PuTTY for remote tunnelling, you can execute the following command instead:

ssh -R 7000:192.168.10.2:22 [email protected]

Here 192.168.10.2 is our local client (raj) IP and 192.168.1.108 is our remote system IP.

Come back to the remote system and enter the following command to connect to the SSH client machine.

ssh [email protected] -p 7000

From the image given below you can observe that we successfully connected to the SSH client machine via port 7000.
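All three tunnel types above (-D dynamic, -L local and -R remote) depend on the SSH server permitting TCP forwarding, so the server-side sshd_config is the control point for a defender. The following is an added example, not code from the article, that audits the global section of an sshd_config text for those settings; the two sample configurations are constructed, and the keyword semantics it assumes are noted in the docstring.

```python
"""Audit an sshd_config for the settings that make the -L, -D and -R tunnels above
possible. Added example, not code from the article. Assumes OpenSSH semantics:
keywords are case-insensitive, the first occurrence of a keyword wins, and lines
after the first 'Match' are conditional, so only the global section is read."""

# OpenSSH defaults for the relevant keywords (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",  # yes|all|no|local|remote
    "gatewayports": "no",         # 'yes' binds -R listeners on all interfaces
    "permitopen": "any",          # host:port list restricting -L/-D targets
    "permittunnel": "no",         # tun(4) device tunnels
}

# Constructed sample configurations: the weak one permits every tunnel type in
# the article; the hardened one disables forwarding globally and re-enables one
# pinned local forward for a single account inside a Match block.
WEAK_CONFIG = """
Port 22
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
"""
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match User backup
    AllowTcpForwarding local
    PermitOpen 192.168.10.2:22
"""

def parse_global(text):
    """Return {keyword: first value} for the global (pre-Match) section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break   # conditional section: out of scope for this audit
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings

def audit_forwarding(text):
    """Return a list of findings; an empty list means no tunnel type is open."""
    eff = dict(DEFAULTS)
    eff.update(parse_global(text))
    mode = eff["allowtcpforwarding"].lower()
    findings = []
    if mode in ("yes", "all", "local"):
        findings.append("local (-L) and dynamic (-D) forwarding allowed")
        if eff["permitopen"].lower() == "any":
            findings.append("PermitOpen is 'any': -L/-D may reach any host:port")
    if mode in ("yes", "all", "remote"):
        findings.append("remote (-R) forwarding allowed")
        if eff["gatewayports"].lower() != "no":
            findings.append("GatewayPorts lets -R listeners bind non-loopback")
    if eff["permittunnel"].lower() != "no":
        findings.append("PermitTunnel allows tun(4) device tunnels")
    return findings
```

On a live server, feed it the output of `sshd -T`, which prints the effective configuration with keywords in lower case, so Match-dependent values are already resolved.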

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

4 ways to Hack MS SQL Login Password

In this article, we will learn how to gain control over our victim’s PC through port 1433, used for the MSSQL service. There are various ways to do it; let’s take the time to learn all of them, because different circumstances call for different measures.

Let’s start!!

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command:

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s 1433 -t 16 192.168.1.128 mssql

Here,

  • -P: denotes the path of the password list
  • -L: denotes the path of the username text file (sa is the default user of MSSQL)

Once the command is executed it starts applying the dictionary attack, and you will have the right password in no time. As you can observe, we successfully grabbed the MSSQL password as [email protected]

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, HTTP, IMAP, MSSQL, rlogin, SSH, and Subversion, to name a few.

Run the following command:

medusa -h 192.168.1.128 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql

Here,

  • -U: denotes the path of the username list (sa is the default user of MSSQL)
  • -P: denotes the path of the password list

As you can observe, we successfully grabbed the MSSQL password as [email protected]

xHydra

This is the graphical version for applying a dictionary attack via port 1433 to hack a system. For this method to work:

Enter xHydra in your Kali Linux terminal. Select the Single Target option and give the IP of your victim PC there. Select MSSQL in the box against the Protocol option and give the port number 1433 against the Port option.

Now, go to the Passwords tab, select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus, you will obtain the username sa and the password of your victim.

Metasploit

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.128
msf auxiliary(scanner/mssql/mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true
msf auxiliary(scanner/mssql/mssql_login) > run

Awesome!! From the image given below you can observe that the same password, [email protected], has been found by Metasploit.

Nmap

The command given below will attempt to determine the username and password through a brute-force attack against MS-SQL using a username and password dictionary.

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.128

In the specified image you can observe that we successfully retrieved the credentials Username: sa and password: [email protected]

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network Penetration Testing (CYBER SECURITY). Contact Here

6 Ways to Hack VNC Login Password

In this article, we will learn how to gain control over our victim’s PC through port 5900, used for the VNC service. There are various ways to do it; let’s take the time to learn all of them, because different circumstances call for different measures.

Let’s start!!

xHydra

This is the graphical version for applying a dictionary attack via port 5900 to hack a system. For this method to work:

Enter xHydra in your Kali Linux terminal. Select the Single Target option and give the IP of your victim PC there. Select VNC in the box against the Protocol option and give the port number 5900 against the Port option.

Now, go to the Passwords tab, select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus, you will obtain the username and password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command:

  • -P: denotes the path of the password list
  • -s: denotes the destination port number
  • -t: runs TASKS number of connects in parallel

Once the command is executed it starts applying the dictionary attack, and you will have the right password in no time. As you can observe, we successfully grabbed the VNC password as 098765.

Metasploit

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.

Awesome!! From the image given below you can observe that the same password, 098765, has been found by Metasploit.

Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for brute-force attacks on several services such as VNC, HTTP, SMB and so on.

From the image given below you can observe that the dictionary attack starts and thus you will obtain the password of your victim.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.

Run the following command:

Here,

  • -u: denotes the username
  • -P: denotes the path of the password list

As you can observe, we successfully grabbed the VNC password as 098765.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Run the following command:

Here,

  • -U: denotes the path of the username list
  • -P: denotes the path of the password list

As you can observe, we successfully grabbed the VNC password as 098765.
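Both the MSSQL (port 1433) and the VNC (port 5900) dictionary attacks above, whichever tool runs them, produce the same server-side signal: a burst of failed logins from one client address within a short window. The following added example (not code from either article) implements that check as a per-client sliding window over constructed log lines; the SQL Server lines use the ERRORLOG format for error 18456, while the VNC line format is an assumption to adapt to the server in use.

```python
"""Detect the MSSQL (port 1433) and VNC (port 5900) dictionary attacks described
above from server-side logs. Added example, not from the articles. SQL Server
lines follow the ERRORLOG format for error 18456; the VNC format below is an
assumption (real VNC servers log differently) and should be adapted."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SQL_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]")
VNC_LINE = re.compile(  # assumed syslog-style format, see docstring
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) vncserver: auth failed from (?P<ip>[\d.]+)")

# Constructed sample log: six 'sa' failures in five seconds from one client, one
# isolated failure from another client, then five VNC failures from the first.
FAILED = ("Login failed for user '%s'. Reason: Password did not match that for "
          "the login provided. [CLIENT: %s]")
SAMPLE = (
    ["2024-03-01 10:00:00.10 Logon       Error: 18456, Severity: 14, State: 8."]
    + ["2024-03-01 10:00:%02d.45 Logon       " % s + FAILED % ("sa", "192.168.1.10")
       for s in range(1, 7)]
    + ["2024-03-01 10:05:00.00 Logon       " + FAILED % ("app", "192.168.1.50")]
    + ["2024-03-01 10:10:%02d vncserver: auth failed from 192.168.1.10" % s
       for s in range(0, 50, 10)]
)

def parse(line):
    """Return (service, timestamp, client_ip, user) or None for other lines."""
    m = SQL_LINE.match(line)
    if m:
        return "mssql", datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]
    m = VNC_LINE.match(line)
    if m:
        return "vnc", datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], None
    return None

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per (service, client IP): alert once `threshold` failures
    fall inside `window`. Returns [(service, ip, first_failure, users_tried)]."""
    recent, users, alerted, alerts = defaultdict(deque), defaultdict(set), set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        service, ts, ip, user = rec
        key = (service, ip)
        q = recent[key]
        q.append(ts)
        if user:
            users[key].add(user)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((service, ip, q[0], sorted(users[key])))
    return alerts
```

Tune `threshold` and `window` to the service: a single user mistyping a password a few times must stay below the line that a wordlist run crosses within seconds.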

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here
