Metasploit mailing list archives

Re: bug in smb_lookupsid.rb


From: Robin Wood <robin () digininja org>
Date: Thu, 12 Aug 2010 16:50:26 +0100

On 12 August 2010 16:12, Robin Wood <robin () digininja org> wrote:
On 12 August 2010 16:01, HD Moore <hdm () metasploit com> wrote:
On 8/12/2010 9:52 AM, Robin Wood wrote:
On 12 August 2010 15:49, HD Moore <hdm () metasploit com> wrote:
On 8/12/2010 9:41 AM, Robin Wood wrote:
On 12 August 2010 15:37, HD Moore <hdm () metasploit com> wrote:
On 8/12/2010 6:49 AM, Robin Wood wrote:
It can't get any users from my domain but the fix below looks correct.

Set the SMBUser/SMBPass to get it working on newer Windows (requires
authentication to lookupSid now)

I thought it should do but didn't get those as options

msf auxiliary(smb_lookupsid) > show options

Those are advanced options by default (show advanced)

OK, will give that a try.

Should they be moved into normal options as they are now required for
some versions?

Done. r9981.


Thanks, I'll give it a go.


Still no luck. The details are correct, as it's my lab and I've just
logged in with them and checked it. 10.1.1.2 is a domain controller
I've pivoted to through meterpreter on 10.1.1.5.

msf auxiliary(smb_lookupsid) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.1.1.2         yes       The target address range or CIDR identifier
   SMBDomain  corpnet          no        The Windows domain to use for authentication
   SMBPass    xxx              no        The password for the specified username
   SMBUser    Administrator    no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_lookupsid) > exploit

Error: 10.1.1.2 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Just to check, I port forwarded 445 from 10.1.1.2 through to my
localhost and then listed the shares; that worked fine.

smbclient -L localhost -U administrator
Enter administrator's password:
Domain=[CORPNET] OS=[Windows Server (R) 2008 Standard 6001 Service Pack 1] Server=[Windows Server (R) 2008 Standard 6.0]

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Public          Disk
        share2          Disk
        shared          Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available

Any ideas?

An extra thing I've come across: how do you remove a port forward? I added

portfwd add -l 445 -p 445 -r 10.1.1.2
[*] Local TCP relay created: 0.0.0.0:445 <-> 10.1.1.2:445

and assumed delete would be

portfwd del  -l 445 -p 445 -r 10.1.1.2

but no luck, no other options I tried worked either.

Robin