﻿1
00:00:00,490 --> 00:00:08,260
SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports

2
00:00:08,260 --> 00:00:14,680
and communications abstractions such as named pipes and mail slots between computers.

3
00:00:15,170 --> 00:00:21,250
In addition to that, Samba is a freely available SMB server for Unix.

4
00:00:21,430 --> 00:00:25,650
It's an implementation of SMB for Unix-like systems.

5
00:00:25,690 --> 00:00:35,080
SMB can run directly over TCP ports 137, 139 and 445, or on UDP ports

6
00:00:35,290 --> 00:00:37,390
137 and 138.

7
00:00:37,630 --> 00:00:44,800
Now some versions of the SMB protocol have known vulnerabilities, so you should enumerate the SMB services.

8
00:00:45,130 --> 00:00:50,740
Now let's step back into the lab to use MSF modules for SMB.

9
00:00:51,980 --> 00:00:58,820
All right, so you have made a scan over Metasploitable 2 and 3 to check to see if the SMB port

10
00:00:58,820 --> 00:01:08,030
is open, type the services command with a -p parameter and SMB port numbers 139 and

11
00:01:08,030 --> 00:01:08,630
445.

12
00:01:09,200 --> 00:01:11,050
And the ports are open on both machines.

13
00:01:11,540 --> 00:01:14,390
MSF has a meaningful directory structure.

14
00:01:15,490 --> 00:01:20,600
So you can find SMB-related auxiliary scanners under this directory.

15
00:01:21,160 --> 00:01:26,320
You're not going to need to write every word, just hit the tab button to complete the commands.

16
00:01:27,520 --> 00:01:35,650
Now, the basic logic behind the enumeration is service banner and version detection, so that means

17
00:01:35,650 --> 00:01:40,630
I will first run the SMB version module. Show options.

18
00:01:41,810 --> 00:01:46,160
And set RHOSTS to our target IP addresses.

19
00:01:47,830 --> 00:01:49,090
And then you can run the module.

20
00:01:50,920 --> 00:01:56,890
That module executed very quickly, but look at that, though, it does bring some really good information

21
00:01:56,890 --> 00:01:57,600
about the target.

22
00:01:58,480 --> 00:02:07,630
So as you can see, ten point ten to ten is a Windows Server 2008 R2 Standard Service Pack 1, which

23
00:02:07,630 --> 00:02:09,070
is Metasploitable 3.

24
00:02:10,410 --> 00:02:14,360
On the other hand, Metasploitable 2 has Samba.

25
00:02:15,080 --> 00:02:17,890
Now, why is the version detection important?

26
00:02:18,160 --> 00:02:20,230
I hear you saying and scratching your head.

27
00:02:20,860 --> 00:02:23,160
Well, let's have a look at this Samba version.

28
00:02:23,950 --> 00:02:26,530
This version of Samba has a vulnerability.

29
00:02:27,430 --> 00:02:32,530
Even Metasploit has an exploit for this, so I think you get the point.

30
00:02:33,790 --> 00:02:35,110
But just one more point here.

31
00:02:35,470 --> 00:02:40,150
Metasploit saves this information to improve your penetration test.

32
00:02:41,120 --> 00:02:46,660
So let's type hosts as our command with PSY as a parameter.

33
00:02:47,320 --> 00:02:50,860
Now you see Windows 7 changed to Windows 2008.

34
00:02:51,960 --> 00:02:56,040
So now let's go with another module, you can try all the others, but.

35
00:02:56,990 --> 00:03:03,710
I'm going to choose SMB MS17-010. Show options.

36
00:03:05,980 --> 00:03:08,470
Set the host variable.

37
00:03:10,080 --> 00:03:11,010
And run the module.

38
00:03:12,800 --> 00:03:17,450
And it looks like Metasploitable 3 is vulnerable to MS17-010.

39
00:03:19,180 --> 00:03:22,170
So let's Google this vulnerability, shall we?

40
00:03:26,110 --> 00:03:32,290
There are many topics about this vulnerability, and Metasploit has an exploit module for that particular

41
00:03:32,290 --> 00:03:33,010
vulnerability.

42
00:03:34,000 --> 00:03:39,740
So that's a good way, I think, to illustrate how enumeration gives you better results.

43
00:03:40,450 --> 00:03:42,130
So make a note of this vulnerability.

44
00:03:42,340 --> 00:03:43,330
You're going to need it later.

45
00:03:44,240 --> 00:03:47,420
OK, so let's go back to the MSF console.

46
00:03:48,530 --> 00:03:50,130
All right, so this is the last one.

47
00:03:50,930 --> 00:03:53,690
This is the SMB login module.

48
00:03:55,640 --> 00:03:57,650
I will immediately set RHOSTS.

49
00:03:59,410 --> 00:04:02,230
Now, I'll need a dictionary file to brute force.

50
00:04:03,350 --> 00:04:04,730
So in a new tab.

51
00:04:06,210 --> 00:04:07,440
I will create one.

52
00:04:08,490 --> 00:04:11,130
For this, you can use the CeWL tool.

53
00:04:12,310 --> 00:04:14,140
It's really simple and very handy.

54
00:04:15,300 --> 00:04:15,720
-d.

55
00:04:16,930 --> 00:04:24,940
So, how deep to crawl the target page, and -m for the minimum character number for words in the dictionary.

56
00:04:25,850 --> 00:04:28,040
And then the name of the output file.

57
00:04:30,260 --> 00:04:36,020
So here, I'm going to use the address of the GitHub page of Metasploitable 3 as the target page

58
00:04:36,020 --> 00:04:39,110
that CeWL will derive the words from.

59
00:04:42,630 --> 00:04:49,890
So this process can take way too much time, but I'm going to stop it here because the dictionary file

60
00:04:49,890 --> 00:04:50,880
has already been created.

61
00:04:53,720 --> 00:04:56,330
So let's go back to the MSF console and use it.

62
00:04:58,150 --> 00:05:02,080
I'll set SMBUser to vagrant.

63
00:05:04,160 --> 00:05:08,480
Set PASS_FILE to that dictionary file.

64
00:05:09,810 --> 00:05:11,250
And then run the module.

65
00:05:15,300 --> 00:05:17,190
So I'm going to interrupt the execution.

66
00:05:19,080 --> 00:05:23,610
Did you see, at the beginning of the output, did you notice the green color?

67
00:05:24,670 --> 00:05:29,530
That's because you need to enter the pair vagrant, vagrant.

68
00:05:30,440 --> 00:05:31,670
OK, so that's what we need.

69
00:05:31,700 --> 00:05:32,780
So make a note of that.

70
00:05:33,940 --> 00:05:39,790
Now, SMB reveals the valuable information that you get.

