Search This Blog

Sunday, 14 December 2014

Exploiting Samba CVE-2007-2447

In this tutorial we will exploit a command execution vulnerability in Samba when the "username map script" is enabled. This affects Samba versions 3.0.20 - 3.0.25rc3 (inclusive), further details on the bug can be found here.

To demonstrate this attack we will use Kali Linux (as attacker) and Metasploitable 2 (as target) both running on VirtualBox. The lab setup is as follows:

Metasploitable - 192.168.1.5
Kali Linux - 192.168.1.3

The first thing to do is top perform a scan of the Metasploitable server to see what services are open. This can be done using Nmap, open a terminal and enter the command below (note: if you are using different IPs then substitute your own in).



As you can see Samba is running on ports 139 and 445.

Attacking Samba with Metasploit

Now we need to start Metasploit, open a terminal in Kali and type msfconsole. You should see something like the screenshot below.


Next we want to search for exploit modules relating to Samba. In the msf terminal type "search samba".


Highlight exploit/multi/samba/usermap_script and copy.



Next set the Metasploit module


Then set the RHOST (Metasploitable IP address). Type show options, then set RHOST 192.168.1.5 and finally show options to confirm that the RHOST is set


Now we can run the exploit command. As you can see we have a shell running. We can background the session by doing a ctrl-Z, then type Y


Now that we have access we can enumerate the targets password file. Type the following commands

use post/linux/gather/hashdump
show options
set SESSION 1
exploit

This will display the password hashes for each username. Copy out the Unshadowed password file.


The last step is to crack the hashes. We can use John the Ripper for this, open a terminal and type john then paste the password file in. A list of passwords is shown below.


No comments:

Post a Comment