Sunday 14 December 2014

Exploiting Samba CVE-2007-2447

In this tutorial we will exploit a command execution vulnerability in Samba that is present when the "username map script" option is enabled. This affects Samba versions 3.0.20 through 3.0.25rc3 (inclusive); further details on the bug can be found here.
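From the defender's side, the two facts above (a vulnerable version range and a single smb.conf option) are enough to audit a server before anyone points Metasploit at it. The script below is an added example, not part of the original tutorial; it parses a constructed smb.conf fragment (the script path in it is made up), compares a version string against the affected range with release candidates ordered before the final release, and reports whether the two conditions coincide.

```python
import re

# Constructed smb.conf fragment for this example (not taken from any real host).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; the option below is what CVE-2007-2447 abuses
   username map script = /etc/samba/scripts/mapusers.sh
   log file = /var/log/samba/log.%m

[homes]
   comment = Home Directories
   browseable = no
"""

AFFECTED_LOW = "3.0.20"      # first affected release, per the advisory
AFFECTED_HIGH = "3.0.25rc3"  # last affected release; 3.0.25 final is fixed


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {parameter: value}}.
    Parameter names are lower-cased and internal whitespace collapsed so that
    'username  map   script' still matches."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = " ".join(key.split()).lower()
            sections[current][key] = value.strip()
    return sections


def version_key(version):
    """Sort key for Samba 3.0.x version strings such as 3.0.20, 3.0.20b or 3.0.25rc3.
    A release candidate sorts before the final release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z])?(?:rc(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, letter, rc = m.groups()
    return (int(major), int(minor), int(patch),
            0 if rc else 1,                 # rc releases precede the final release
            int(rc) if rc else 0,
            ord(letter) if letter else 0)   # 3.0.20a/b/c follow 3.0.20


def is_affected_version(version):
    """True if the version lies in the inclusive range AFFECTED_LOW .. AFFECTED_HIGH."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def audit(conf_text, samba_version):
    """Return a list of findings relevant to CVE-2007-2447 for one host."""
    findings = []
    glob = parse_smb_conf(conf_text).get("global", {})
    script = glob.get("username map script")
    affected = is_affected_version(samba_version)
    if script:
        findings.append("username map script is enabled (%s)" % script)
    if affected:
        findings.append("Samba %s is in the affected range %s - %s"
                        % (samba_version, AFFECTED_LOW, AFFECTED_HIGH))
    if script and affected:
        findings.append("EXPOSED: vulnerable version with the option enabled; "
                        "upgrade Samba or remove the option")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, "3.0.20"):
        print(finding)
```

Either condition alone is only a warning: a patched Samba can keep the option, and a vulnerable Samba without the option is not reachable through this bug. The version string to feed in is whatever the package manager or `smbd -V` reports on the host being checked.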

To demonstrate this attack we will use Kali Linux (as attacker) and Metasploitable 2 (as target) both running on VirtualBox. The lab setup is as follows:

Metasploitable - 192.168.1.5
Kali Linux - 192.168.1.3

The first thing to do is to perform a scan of the Metasploitable server to see which services are open. This can be done with Nmap: open a terminal and enter the command below (note: if you are using different IPs then substitute your own).



As you can see Samba is running on ports 139 and 445.

Attacking Samba with Metasploit

Now we need to start Metasploit, open a terminal in Kali and type msfconsole. You should see something like the screenshot below.


Next we want to search for exploit modules relating to Samba. In the msf terminal type "search samba".


Highlight exploit/multi/samba/usermap_script and copy.



Next, set the Metasploit module.


Then set the RHOST (the Metasploitable IP address). Type show options, then set RHOST 192.168.1.5, and finally show options again to confirm that RHOST is set.


Now we can run the exploit command. As you can see we have a shell running. We can background the session by pressing Ctrl-Z, then typing Y.


Now that we have access we can enumerate the target's password file. Type the following commands:

use post/linux/gather/hashdump
show options
set SESSION 1
exploit

This will display the password hash for each username. Copy out the unshadowed password file.


The last step is to crack the hashes. We can use John the Ripper for this: open a terminal, paste the unshadowed password file into a file, and run john against it. A list of passwords is shown below.


Monday 1 December 2014

Attacking Metasploitable VNC Services


In this tutorial we will exploit the VNC service running on Metasploitable 2. The main use of this service is to allow admins to control other systems remotely. When you discover a running VNC service (normally on port 5900) it should be checked for weak passwords.

To demonstrate this attack we use Kali Linux (as attacker) and Metasploitable 2 (as victim), both running on VirtualBox. If you need help setting up Kali Linux then you should look here.

Kali Linux: 192.168.1.7
Metasploitable: 192.168.1.4

The first thing to do is to fingerprint the Metasploitable server to see which services are open. This can be done with Nmap: open a terminal and enter the command below (note: if you are using different IPs then substitute your own).


As you can see there are a lot of open services; for this tutorial we will focus on VNC on port 5900.

Exploitation

Now that we have identified that the service is running we can check whether it is using a weak or default password. To do this we will use a network logon cracker called Hydra.
The command below checks whether the service is using the default password, and as you can see it has returned password: password
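A Hydra run like the one above leaves a very recognisable trace on the server: a burst of failed VNC authentications from one address, often followed by a success once the weak password is hit. The script below is an added example (not part of the original tutorial) showing how a defender would pick that pattern out of a log. The log lines and their format are constructed for the example; real VNC servers each word their authentication messages differently, so the regular expression is the part to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt in an assumed "vnc[pid]: authentication ..." format.
# Six rapid failures from one address followed by a success; one unrelated
# address with a single failure that later succeeds (a user mistyping once).
SAMPLE_LOG = """\
2014-12-01 10:02:11 vnc[2201]: authentication failed from 192.168.1.7
2014-12-01 10:02:12 vnc[2201]: authentication failed from 192.168.1.7
2014-12-01 10:02:13 vnc[2201]: authentication failed from 192.168.1.7
2014-12-01 10:02:14 vnc[2201]: authentication failed from 192.168.1.7
2014-12-01 10:02:15 vnc[2201]: authentication failed from 192.168.1.20
2014-12-01 10:02:15 vnc[2201]: authentication failed from 192.168.1.7
2014-12-01 10:02:16 vnc[2201]: authentication failed from 192.168.1.7
2014-12-01 10:02:18 vnc[2201]: authentication succeeded from 192.168.1.7
2014-12-01 10:09:30 vnc[2201]: authentication succeeded from 192.168.1.20
"""

# Assumed line layout: "<date> <time> vnc[<pid>]: authentication <outcome> from <ip>"
LINE_RE = re.compile(
    r"^(\S+ \S+) vnc\[\d+\]: authentication (failed|succeeded) from (\S+)$")


def parse_events(text):
    """Turn log text into a list of (timestamp, outcome, source_ip) tuples,
    silently skipping lines that do not match the expected layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each source IP with at least `threshold` failures inside any
    `window`, and record whether a success followed the first failure of that
    burst (the signature of a guessed password rather than a noisy failure)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, outcome, ip in events:
        (failures if outcome == "failed" else successes)[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        j = 0  # right edge of the sliding window; only ever moves forward
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                first = times[i]
                flagged[ip] = {
                    "failures": len(times),
                    "success_after": any(t >= first for t in successes.get(ip, [])),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The threshold and window are deliberately loose defaults; a single human rarely fails five times in a minute, whereas a wordlist run does so in seconds. An entry with `success_after` set is the one worth acting on first, because it means the password in use was weak enough to be found.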


Now that we know the password we can try to connect to the service using vncviewer. We just enter "password" when prompted.


We have now connected as root on the Metasploitable box. The last thing to do is extract some information such as passwords. In Linux these are stored in /etc/shadow. The final step would be to retrieve the file and run a password cracking tool such as John the Ripper against it.