advice on penetration of ports 139 and 445
I have set up a basic test network that contains a Linux box and a Windows box connected to each other by a router. This network is set up offline and is isolated from my main network. With the default settings on the Windows box, Windows XP SP1, I was able to use Metasploit to return a shell. I then decided to fully update and patch the machine and it is now running SP2 with all Windows patches. I set up a few basic shares to the Linux box as well. Now when I run nmap, ports 139 and 445 are the only ports open. I have tried a few things such as using enum and other tools to try to gain a list of the shares and usernames on the machine. I can get a list of available shares, but the connection is refused when attempting a null session or using enum to get a list of usernames. I tried to use hydra to brute-force the shares, but do not believe I am doing so correctly. I set the protocol type as smb and the username as Administrator. My thought here was I might be able to brute-force the C$ share or the IPC$ share. Where should I go from here? What would be the next step?
I have seen the tutorial written by pureh@te. I tried to follow it, but he ended up focusing on a domain controller and gaining access that way, as far as I could tell. Please correct me if I am wrong. I will do some more research on smb4k. Thanks for the tip.
Thanks, that was exactly what I was looking for. I was able to use smb4k to mount a share and copy files from it. Now I just need to figure out how to brute-force the C$ share.