1
00:00:00,440 --> 00:00:08,210
SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports

2
00:00:08,210 --> 00:00:14,630
and communications abstractions such as named pipes and mail slots between computers.

3
00:00:15,140 --> 00:00:21,230
In addition to that, Samba is a freely available SMB server for Unix.

4
00:00:21,410 --> 00:00:25,590
It's an implementation of SMB for Unix-like systems.

5
00:00:25,640 --> 00:00:35,050
SMB can run directly over TCP ports 137, 139 and 445, or on UDP ports

6
00:00:35,270 --> 00:00:37,360
137 and 138.

7
00:00:37,610 --> 00:00:44,770
Now, some versions of the SMB protocol have known vulnerabilities, so you should enumerate the SMB services.

8
00:00:45,110 --> 00:00:50,720
Now let's step back into the lab to use MSF modules for SMB.

9
00:00:51,960 --> 00:00:58,800
All right, so to make a scan over Metasploitable 2 and 3 to check whether the SMB port

10
00:00:58,800 --> 00:01:07,980
is open, type the services command with the -p parameter and the SMB port numbers 139 and

11
00:01:07,980 --> 00:01:08,610
445.

12
00:01:09,180 --> 00:01:11,040
And the ports are open on both machines.

13
00:01:11,520 --> 00:01:14,370
MSF has a meaningful directory structure.

14
00:01:15,470 --> 00:01:20,580
So you can find SMB-related auxiliary scanners under this directory.

15
00:01:21,110 --> 00:01:26,300
You're not going to need to write every word; just hit the Tab button to complete the commands.

16
00:01:27,500 --> 00:01:35,630
Now, the basic logic behind the enumeration is service banner and version detection, so that means

17
00:01:35,630 --> 00:01:40,610
I will first run the smb_version module and show options.

18
00:01:41,790 --> 00:01:46,170
And set RHOSTS to our target IP addresses.

19
00:01:47,810 --> 00:01:49,070
And then you can run the module.
20
00:01:50,890 --> 00:01:56,860
That module executed very quickly, but look at that, though, it does bring some really good information

21
00:01:56,860 --> 00:01:57,570
about the target.

22
00:01:58,380 --> 00:02:07,600
So as you can see, ten point ten to ten is a Windows Server 2008 R2 Standard Service Pack 1, which

23
00:02:07,600 --> 00:02:09,040
is Metasploitable 3.

24
00:02:10,220 --> 00:02:17,870
Now, on the other hand, Metasploitable 2 has Samba. Now, why is the version detection important?

25
00:02:18,110 --> 00:02:23,110
I hear you saying and scratching your head; well, let's have a look at this Samba version.

26
00:02:23,930 --> 00:02:26,510
This version of Samba has a vulnerability.

27
00:02:27,410 --> 00:02:32,510
Even Metasploit has an exploit for this, so I think you get the point.

28
00:02:33,770 --> 00:02:35,090
But just one more point here.

29
00:02:35,450 --> 00:02:40,120
Metasploit saves this information to improve your penetration test.

30
00:02:41,090 --> 00:02:46,640
So let's type hosts as our command with PSY as a parameter.

31
00:02:47,300 --> 00:02:50,840
Now you see Windows 7 changed to Windows 2008.

32
00:02:51,940 --> 00:02:56,020
So now let's go with another module; you can try all the others, but

33
00:02:56,960 --> 00:03:03,680
I'm going to choose smb_ms17_010, show the options,

34
00:03:05,970 --> 00:03:08,460
set the RHOSTS variable,

35
00:03:10,030 --> 00:03:10,990
and run the module.

36
00:03:12,750 --> 00:03:17,400
And it looks like Metasploitable 3 is vulnerable to MS17-010.

37
00:03:19,160 --> 00:03:22,130
So let's Google this vulnerability, shall we?

38
00:03:26,080 --> 00:03:32,290
There are many topics about this vulnerability, and Metasploit has an exploit module for that particular

39
00:03:32,290 --> 00:03:33,010
vulnerability.

40
00:03:33,980 --> 00:03:39,720
So that's a good way, I think, to illustrate how enumeration gives you better results.
41
00:03:40,430 --> 00:03:42,110
So make a note of this vulnerability.

42
00:03:42,320 --> 00:03:43,300
You're going to need it later.

43
00:03:44,230 --> 00:03:47,380
OK, so let's go back to the MSF console.

44
00:03:48,510 --> 00:03:50,110
All right, so this is the last one.

45
00:03:50,910 --> 00:03:53,700
This is the smb_login module.

46
00:03:55,620 --> 00:03:57,600
I will immediately set RHOSTS.

47
00:03:59,380 --> 00:04:02,200
Now, I'll need a dictionary file to brute force.

48
00:04:03,330 --> 00:04:04,710
So in a new tab,

49
00:04:06,180 --> 00:04:07,410
I will create one.

50
00:04:08,470 --> 00:04:11,110
For this, you can use the CeWL tool.

51
00:04:12,260 --> 00:04:14,120
It's really simple and very handy.

52
00:04:15,280 --> 00:04:15,700
The -d

53
00:04:16,910 --> 00:04:24,920
is for how deep to crawl the target page, and -m for the minimum number of characters for words in the dictionary.

54
00:04:25,830 --> 00:04:28,020
And then the name of the output file.

55
00:04:30,250 --> 00:04:36,280
So here, I'm going to use the address of the GitHub page of Metasploitable 3 as the target page that

56
00:04:37,120 --> 00:04:39,070
CeWL will derive the words from.

57
00:04:42,610 --> 00:04:49,870
So this process can take way too much time, but I'm going to stop it here because the dictionary file

58
00:04:49,870 --> 00:04:50,860
has already been created.

59
00:04:53,700 --> 00:04:56,310
So let's go back to the MSF console and use it.

60
00:04:58,130 --> 00:05:02,060
I'll set SMBUser to vagrant.

61
00:05:04,140 --> 00:05:08,460
Set PASS_FILE to that dictionary file.

62
00:05:09,820 --> 00:05:11,230
And then run the module.

63
00:05:15,280 --> 00:05:17,170
So I'm going to interrupt the execution.

64
00:05:19,060 --> 00:05:23,590
Did you see, at the beginning of the output, did you notice the green color?

65
00:05:24,650 --> 00:05:29,510
That's because you need to enter the pair vagrant, vagrant.

66
00:05:30,420 --> 00:05:31,650
OK, so that's what we need.
67
00:05:31,680 --> 00:05:32,760
So make a note of that.

68
00:05:33,920 --> 00:05:39,770
Now, SMB reveals the valuable information that you get.