Thursday, October 18, 2012

Mounting SMB shares over Meterpreter


Ok, this is pretty straightforward, no magic:

[Screenshot: Screen Shot 2012 10 17 at 11 00 16 AM]

Got a shell (it doesn't have to be SYSTEM).
[Screenshot: Screen Shot 2012 10 17 at 11 00 44 AM]

Add a route to the internal range (or directly to the host you want) over the session you want.

[Screenshot: Screen Shot 2012 10 17 at 11 01 23 AM]

Mosey on over to the socks4a module. In another terminal, make sure the proxychains.conf file in /etc/ (or wherever you keep your conf) is correct.
[Screenshot: Screen Shot 2012 10 17 at 10 52 29 AM]

It defaults to 9050 on 127.0.0.1 for Tor; that's easy to cope with, and there's no reason to mess with it if you actually use it for Tor for other things.

[Screenshot: Screen Shot 2012 10 17 at 11 03 00 AM]

Run the SOCKS proxy with the Tor-like settings. (Remember to shut down Tor first.)
[Screenshot: Screen Shot 2012 10 17 at 11 04 34 AM]

And the rest is gravy. The % (percent sign, if blog software mangles it) is a delimiter that smbclient and other Samba tools recognize between user and password (so it doesn't prompt you for it).

And just to show it working:

[Screenshot: Screen Shot 2012 10 17 at 11 04 53 AM]

Yay, files. Yes, I know I didn't use smbmount, but it works the same, as does rpcclient.
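The two things that tend to go wrong in the steps above are a proxychains.conf that doesn't actually point at the socks4a listener (a typo in the address, or a leftover second proxy line) and Tor still sitting on 9050 when the module starts. Here is a small POSIX shell helper that checks both before you run anything. It is an added example, not code from the original post or from the proxychains or Metasploit projects; the conf contents written by `demo` are constructed for illustration, and the `check_proxychains_conf` and `port_in_use` function names are my own.

```shell
#!/bin/sh
# Added example: sanity checks for the proxychains.conf / socks4a step.
# Not from the original post or the proxychains/Metasploit projects.

# check_proxychains_conf CONF HOST PORT
# Returns 0 if the [ProxyList] section of CONF holds exactly one active
# (non-comment) proxy line and that line is "socks4 HOST PORT"; 1 otherwise.
# A stray second entry or a typo such as 127.0.01 makes it fail.
check_proxychains_conf() {
    conf="$1" want_host="$2" want_port="$3"
    [ -r "$conf" ] || return 1
    # Keep only lines after [ProxyList], dropping comments, blanks and headers.
    lines=$(sed -n '/^\[ProxyList\]/,$p' "$conf" \
            | grep -Ev '^[[:space:]]*(#|$|\[)' || true)
    n=$(printf '%s\n' "$lines" | grep -c . || true)
    [ "$n" -eq 1 ] || return 1
    # Escape the dots in the address so they match literally, not "any char".
    esc_host=$(printf '%s' "$want_host" | sed 's/\./\\./g')
    printf '%s\n' "$lines" \
        | grep -Eq "^socks4[[:space:]]+${esc_host}[[:space:]]+${want_port}[[:space:]]*$"
}

# port_in_use PORT
# Returns 0 if some process already listens on TCP PORT (Tor's default 9050
# is the usual surprise); uses ss when present, netstat otherwise.
port_in_use() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]${port}$"
    else
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]${port}$"
    fi
}

# demo: write a constructed conf mirroring the Tor default and run both checks.
demo() {
    tmp=$(mktemp)
    printf '[ProxyList]\n# add proxy here ...\nsocks4\t127.0.0.1 9050\n' > "$tmp"
    if check_proxychains_conf "$tmp" 127.0.0.1 9050; then
        echo "conf OK: single socks4 entry for 127.0.0.1:9050"
    else
        echo "conf NOT OK: fix the [ProxyList] entry before running socks4a"
    fi
    if port_in_use 9050; then
        echo "port 9050 is already taken (Tor?) - stop it before starting socks4a"
    else
        echo "port 9050 is free"
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh check_proxy.sh --demo` (any file name works) before starting the socks4a module; point `check_proxychains_conf` at your real /etc/proxychains.conf and at whatever SRVHOST/SRVPORT you gave the module if you moved off the Tor defaults.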
A side note: if you are using the pth-tools from
https://code.google.com/p/passing-the-hash/
you can use hashes instead of passwords for stuff like this. But who are we kidding? Who doesn't get clear-text passwords anymore ;-)