Thread: advice on penetration of ports 139 and 445

  1. #1
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    9

    I have set up a basic test network that contains a Linux box and a Windows box connected to each other by a router. This network is set up offline and is isolated from my main network. With the default settings on the Windows box, Windows XP SP1, I was able to use Metasploit to return a shell. I then decided to fully update and patch the machine and it is now running SP2 with all Windows patches. I set up a few basic shares to the Linux box as well. Now when I run nmap, ports 139 and 445 are the only ports open. I have tried a few things such as using enum and other tools to try to gain a list of the shares and usernames on the machine. I can get a list of available shares, but the connection is refused when attempting a null session or using enum to get a list of usernames. I tried to use hydra to bruteforce the shares, but do not believe I am doing so correctly. I set the protocol type as smb and the username as Administrator. My thought here was I might be able to brute force the C$ share of the IPC$ share. Where should I go from here? What would be the next step?

  2. #2
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote: Originally Posted by wasto
    I have set up a basic test network that contains a Linux box and a Windows box connected to each other by a router. This network is set up offline and is isolated from my main network. With the default settings on the Windows box, Windows XP SP1, I was able to use Metasploit to return a shell. I then decided to fully update and patch the machine and it is now running SP2 with all Windows patches. I set up a few basic shares to the Linux box as well. Now when I run nmap, ports 139 and 445 are the only ports open. I have tried a few things such as using enum and other tools to try to gain a list of the shares and usernames on the machine. I can get a list of available shares, but the connection is refused when attempting a null session or using enum to get a list of usernames. I tried to use hydra to bruteforce the shares, but do not believe I am doing so correctly. I set the protocol type as smb and the username as Administrator. My thought here was I might be able to brute force the C$ share of the IPC$ share. Where should I go from here? What would be the next step?
    The next step would be to read up more on what you are trying to do.
    Pureh@te wrote up a tutorial on it;
    this should help get you started. Also, with bt3 there is smb4k, which will allow you to "connect" to Windows shares.
    Hope that helps.

  3. #3
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    9

    I have seen the tutorial written by pureh@te. I tried to follow it, but he ended up focusing on a domain controller and gaining access that way, as far as I could tell. Please correct me if I am wrong. I will do some more research on smb4k. Thanks for the tip.

    Thanks, that was exactly what I was looking for. I was able to use smb4k to mount a share and copy files from it. Now I just need to figure out how to bruteforce the C$ share.
