Exploiting Port 139 – NetBIOS Session Service, Samba
Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. Do you remember what is the exact Samba version that is running on the Metasploitlabe2 VM? Use Nmap to refresh your memory:
The vulnerability in this service takes advantage of the username map script functionality of Samba. There is no filtering of user input, so an attacker could connect to an SMB session, and use shell metacharacters as input for the username, causing the commands to be executed on the remote system. This could allow the attacker to gain a remote shell to the victim machine with root access.
This is extremely easy, just load the Metasploit module and run it.
The default port for the previous exploit is set to port 139 but it can be changed to port 445 as well.
Exploiting Port 445 – SMB, Samba
Confirm version number with Metasploit:
This version of Samba has several vulnerabilities that can be exploited. The first you will explore is the issue with “wide links” being enabled. This feature is enabled by default on older versions of Samba.
It can be exploited to gain access to file shares without authenticating through SMB.
Exploiting SMB using smbclient
You can use a tool called smbclient to connect to the Metasploitable box, and list the available shares without having a valid username/password. Just hit enter when it asks for root’s password, and it will grant you anonymous access.
NOTE: In the current Kali version you will need to edit the /etc/samba/smb.conf to get the proper results.
You can get even better results from smbmap:
What is really important is that you have found a possibly exploitable directory, “tmp”. There is an exploit for this in MSF:
The exploit was successful, so now you can connect again using smbclient, and see if you can get to the rootfs dir.
So, now you have access to browse the root file system. You could continue enumerating the machine, looking at various config files, etc., to see if we can find any other holes. Please note you don’t have full root access here, so some files/directories will not be accessible.
Exploiting Ports 512, 513, 514: r-Services
TCP ports 512, 513, and 514 are known as “r-services”, and have been misconfigured to allow remote access from any host.
These are related to the historically insecure Berkeley r-commands developed back in 1982 based on an early implementation of the TCP/IP protocol stack.
To take advantage of this, make sure the "rsh-client" client is installed (otherwise the system would default to SSH connections), and run rlogin command as your local root user.
NOTE: Current Kali does not include the rsh-client tool. To install it just type apt-get install rsh-client
Exploiting rexec
It is not possible anymore to install the rexec command on Kali and therefore you cannot take advantage of the vulnerable port 512.
Exploiting rlogin
The rlogin command will automatically connect to port 513 and give you a root shell:
Exploiting rshell
The rshell command will automatically connect to port 514 and give you a root shell.
If you run this command (and the same for rlogin) as root, you don’t need to specify it in the command line:
