
Introduction

1 Points

This beginner-friendly yet comprehensive guide walks you through step-by-step techniques to enumerate services, brute-force credentials, and exploit SMB vulnerabilities effectively. Perfect for students, cybersecurity enthusiasts, and professionals looking to sharpen their penetration testing skills.

What You’ll Learn:

  • Service Enumeration: Use powerful tools like Nmap and smbclient to identify open ports, SMB versions, and shared resources.
  • Credential Brute-Forcing: Learn how to use Hydra for cracking usernames and passwords to gain system access.
  • Exploitation: Leverage Metasploit’s psexec module to execute payloads and obtain a Meterpreter session on the target system.
  • Pivoting: Learn to route traffic through a compromised host using proxychains, enabling access to restricted systems in a pivot network.
  • File Access & Flag Capture: Retrieve sensitive files and uncover hidden flags as part of the challenge.

Lab Highlights:

  1. Realistic Scenarios: Simulate attacks on a network containing Windows Server Active Directory and Windows 10 systems.
  2. Hands-On Tools: Practice using Nmap, Metasploit, Hydra, and proxychains in a controlled environment.
  3. Step-by-Step Guidance: Detailed instructions ensure you understand every action.
  4. Comprehensive Skills Development: Learn enumeration, exploitation, and pivoting techniques, crucial for real-world penetration testing.

Outcome:

By the end of this lab, you’ll have:

  • Discovered open ports and services.
  • Gained access to SMB shares using both anonymous and authenticated methods.
  • Exploited the SMB protocol to retrieve flags and confidential data.
  • Successfully pivoted within a network to access additional targets.

Lab Environment:

  1. Kali Linux (Attacker Machine): IP address: 192.168.20.4
  2. Windows 10 (First Target): IP address: 192.168.10.4
  3. Windows Server Active Directory (Second Target): IP address is hidden within the challenge flags!

 


Port Scanning with nmap

5 Points

The first step in our scenario is to scan the target machine to identify open ports and determine the services running on those ports.

Tool: nmap

nmap is a powerful tool used to scan and map networks, identifying open ports, the services running on them, and more.

Open your terminal and run the following command:

nmap 192.168.10.4
  • nmap 192.168.10.4: performs a basic scan of the top 1024 ports on the IP address 192.168.10.4.

The scan results will show which ports are open and the services running on them.

All of the open ports expose core Windows operating system services such as SMB and RPC.

 

What are the first open ports on the target system? (list first four ports)

Answer format: port1 , port2 , port3 , port4

 

List of Answers:

SMB Initial Enumeration

5 Points

Now that we have identified open ports on the target system, the next step is to focus on the SMB (Server Message Block) protocol, which is commonly used on Windows systems for file and printer sharing. Enumerating SMB helps locate potential vulnerabilities or misconfigurations.

SMB (Server Message Block) Protocol:

  1. Network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.
  2. Common SMB ports: 139 and 445

There are multiple versions of the SMB protocol:

  1. SMB1
  2. SMB 2.0
  3. SMB 2.1
  4. SMB 3.0
  5. SMB 3.0.2
  6. SMB 3.1.1

Let's run nmap against ports 139 and 445 to get more information about the protocol and services.

Open your terminal and run the following command:

nmap -sV -p 139,445 192.168.10.4
  • -sV:  Determine service/version information for the open ports
  • -p:  Only scan specified ports

We have received information about both ports, identified that the target is Microsoft Windows 10, and learned the workgroup name of the target machine.

 

What is the name of the workgroup to which the target belongs?

Full Match Answer:

Identify Supported SMB Versions

5 Points

To understand which Server Message Block (SMB) protocol versions are enabled on the target system, we can use a specialized Nmap script called smb-protocols. This helps in determining the specific SMB versions supported, which is crucial for identifying potential vulnerabilities.

Note: 

  • Knowing which SMB versions are active can help determine possible exploits or misconfigurations (especially if SMBv1 is enabled).

 

Open your terminal and run the following command:

nmap -p 445 --script smb-protocols 192.168.10.4
  • -p 445: Only scan specified port (445)
  • --script smb-protocols: Script scan to identify the SMB versions

After running the command, the output will display the SMB versions supported by the target machine, and we can see that all three versions are accessible.

Key Notes:

  • SMBv1 is outdated and vulnerable.

Follow-Up Action:

  • If SMBv1 is enabled, consider investigating further for exploitation or misconfigurations.

 

What is the specific version of the outdated SMB?

Answer format: ** ** *.**  

Full Match Answer:

Checking SMB Security Level

5 Points

Now we will use the smb-security-mode Nmap script to evaluate the security level of the SMB protocol on the target machine. This helps identify whether the SMB server enforces authentication and which security configurations are in place.

By understanding the security mode of the SMB protocol we can determine how access is managed on the target server.

For example, weaker configurations like allowing guest or anonymous access can be exploited to gain unauthorized access.

Open your terminal and run the following command:

nmap -p 445 --script smb-security-mode 192.168.10.4
  • -p 445: Limits the scan to port 445, used for SMB traffic
  • --script smb-security-mode: Retrieves details about the SMB server's security settings

The previous command provides critical insights into the SMB security settings on the target machine. Here's what each line of the output means:

  1. account_used: guest
    • This indicates that the SMB script accessed the server using the default guest account.
  2. authentication_level: user
    • This means users must provide valid credentials to access most resources.
  3. challenge_response: supported
    • This is used to verify user credentials without sending passwords in plaintext.
  4. message_signing: disabled
    • This means the server does not require cryptographic signing of SMB communication. Attackers on the network could intercept or modify SMB traffic.
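The two script outputs above (smb-protocols and smb-security-mode) are small enough to read by eye on one host, but when you audit many machines it helps to parse them and flag the weak settings automatically. The following is an added example, not part of the original room and not nmap's own code: it parses the normal-format output of both scripts, normalises the dialect list, and reports the conditions the text calls out (SMBv1 offered, signing not required, guest account accepted). The sample output embedded below is constructed to match nmap's output layout, not captured from the lab host; the mitigation commands in the finding strings are the standard Windows PowerShell cmdlets for those settings.

```python
import re
import sys

# Constructed sample in the layout nmap prints for
#   nmap -p 445 --script smb-protocols,smb-security-mode <host>
# (not captured from the lab machine).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|     3:0:2
|     3:1:1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

SCRIPT_HEADER = re.compile(r"^(smb-[\w-]+):\s*$")


def parse_nmap_smb_scripts(text):
    """Extract the dialect list and the security-mode key/value pairs from nmap output."""
    dialects = []
    security = {}
    section = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # only NSE script lines carry a '|' prefix
        body = raw.lstrip("|_ ").strip()  # drop the '| ' / '|_ ' margin
        if not body:
            continue
        header = SCRIPT_HEADER.match(body)
        if header:
            section = header.group(1)     # 'smb-protocols' or 'smb-security-mode'
            continue
        if section == "smb-protocols":
            if body != "dialects:":
                dialects.append(body)
        elif section == "smb-security-mode":
            key, _, value = body.partition(":")
            security[key.strip()] = value.strip()
    return {"dialects": dialects, "security_mode": security}


def dialect_version(entry):
    """Map one dialect line to a short label: 'SMBv1', '2.0.2', '3.1.1', ..."""
    if "SMBv1" in entry or entry.startswith("NT LM"):
        return "SMBv1"
    return entry.split()[0].replace(":", ".")


def audit_smb(parsed):
    """Return a list of findings for the weak settings discussed in the text."""
    findings = []
    versions = [dialect_version(d) for d in parsed["dialects"]]
    if "SMBv1" in versions:
        findings.append("SMBv1 dialect offered: disable it "
                        "(Set-SmbServerConfiguration -EnableSMB1Protocol $false)")
    sec = parsed["security_mode"]
    signing = sec.get("message_signing", "unknown")
    if not signing.startswith("required"):
        findings.append(f"message_signing is '{signing}': traffic can be intercepted or "
                        "modified; require signing "
                        "(Set-SmbServerConfiguration -RequireSecuritySignature $true)")
    if sec.get("account_used") == "guest":
        findings.append("guest account accepted: unauthenticated sessions can enumerate "
                        "the host; disable guest/anonymous SMB access")
    return findings


if __name__ == "__main__":
    # Pipe real nmap output in, or run without input to audit the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_OUTPUT
    result = parse_nmap_smb_scripts(text)
    print("dialects:", [dialect_version(d) for d in result["dialects"]])
    for finding in audit_smb(result):
        print("FINDING:", finding)
```

Usage: `nmap -p 445 --script smb-protocols,smb-security-mode 192.168.10.4 | python3 smb_audit.py`. The parser keys off the `|` margin and the `smb-<script>:` headers, so adding further SMB scripts to the same nmap run does not confuse it.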

 

What is the name of the default account that was used?

Full Match Answer:

Checking for Anonymous (Null) session

5 Points

Testing for Anonymous access helps identify whether the SMB server has been configured to allow unauthenticated users to list or access shared resources. If Null Sessions are enabled, attackers could exploit this to gather critical information about the system or access sensitive files.

Tool: smbclient 

It is a command-line tool that communicates with SMB/CIFS servers, allowing you to interact with shared resources.

 

Let's run the smbclient tool to check whether we have anonymous access to the target machine.

Open your terminal and type the following command:

smbclient -L 192.168.10.4
  • -L: Lists the shared resources available on the target machine
  • 192.168.10.4: IP of the target SMB server

 

When prompted for a password, simply press Enter without entering anything.

If anonymous access is allowed, the output will display a list of shared resources that the guest or unauthenticated user can access.
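To turn that listing into something reviewable (for example, across every host on a subnet), the share table can be parsed and the non-administrative disk shares picked out, since those are the ones an unauthenticated user would actually browse. The following is an added example, not part of the original room and not smbclient's own code; the share listing embedded in it is constructed in smbclient's output layout, with invented share names, rather than captured from the lab host.

```python
# Constructed sample of `smbclient -L <host>` output with an empty password
# (layout matches smbclient; the 'Public' share and comments are invented).
SAMPLE_SMBCLIENT_LISTING = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tPublic          Disk      Drop folder
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
"""

# Share types smbclient prints in the 'Type' column.
SHARE_TYPES = {"Disk", "IPC", "Printer", "Device"}


def parse_share_listing(text):
    """Return [{'name', 'type', 'comment'}, ...] from smbclient -L output."""
    shares = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)   # name, type, optional comment
        if len(parts) < 2 or parts[1] not in SHARE_TYPES:
            continue                          # skips the header, the dashes and status lines
        comment = parts[2].strip() if len(parts) == 3 else ""
        shares.append({"name": parts[0], "type": parts[1], "comment": comment})
    return shares


def is_administrative_share(name):
    """Administrative/hidden shares (ADMIN$, C$, IPC$, print$ ...) end in '$'."""
    return name.endswith("$")


def anonymous_disk_shares(shares):
    """Disk shares a guest could browse, excluding the default administrative ones."""
    return [s["name"] for s in shares
            if s["type"] == "Disk" and not is_administrative_share(s["name"])]


if __name__ == "__main__":
    listing = parse_share_listing(SAMPLE_SMBCLIENT_LISTING)
    for s in listing:
        print(f"{s['name']:<16}{s['type']:<9}{s['comment']}")
    print("non-administrative disk shares:", anonymous_disk_shares(listing))
```

The default `ADMIN$`, `C$` and `IPC$` shares are always present on Windows; a hardening review should treat any other disk share that appears in an unauthenticated listing as a finding to investigate.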

 

What is the name of the shared disk available for user access?

Full Match Answer:

Enumerating Windows Users

5 Points

In this step, we will use the Nmap script smb-enum-users to list all the Windows users on the target machine. This information is valuable for identifying potential accounts to target in brute-force or credential-guessing attacks.

Why This Step is Important:

  • Identify valid usernames for potential attacks.
  • Understand account roles (e.g., built-in accounts like administrator or guest).
  • Narrow down targets for privilege escalation or password-guessing attempts.

Now on your terminal, run the following command:

nmap -p 445 --script smb-enum-users 192.168.10.4
  • -p 445: Specifies port 445, used by SMB services
  • --script smb-enum-users: Queries the SMB server to retrieve a list of user accounts
  • 192.168.10.4: Target machine

The command will enumerate and display all user accounts on the target machine such as Built-In Accounts like Administrator, Guest and Custom Accounts.

Hint:

  • Save all discovered usernames to a text file (e.g., users.txt) for use in brute-force attacks in the next step.

 

Note:

  • Navigate to /Desktop and save the text file there.
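The RID in the smb-enum-users output tells you what kind of account each name is, independent of how it has been renamed: the well-known local RIDs 500 (Administrator), 501 (Guest), 503 (DefaultAccount) and 504 (WDAGUtilityAccount) are fixed, while accounts created afterwards start at 1000. The following is an added example, not part of the original room and not nmap's own code: it parses the script output into (domain, user, RID, flags) records, labels each RID, flags accounts whose reported flags deserve a closer look, and writes the usernames to a file as the hint above suggests. The sample output embedded below is constructed in nmap's layout; the hostname WORKSTATION and the account labuser are invented.

```python
import re

# Constructed sample in the layout of nmap's smb-enum-users output
# (hostname and the 'labuser' account are invented; not captured from the lab).
SAMPLE_ENUM_USERS = """\
Host script results:
| smb-enum-users:
|   WORKSTATION\\Administrator (RID: 500)
|     Full name:
|     Description: Built-in account for administering the computer/domain
|     Flags:       Normal user account, Password does not expire
|   WORKSTATION\\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Normal user account, Password does not expire, Password not required
|   WORKSTATION\\labuser (RID: 1001)
|_    Flags:       Normal user account
"""

# Matches 'DOMAIN\\user (RID: n)' once the '| ' margin has been stripped.
USER_LINE = re.compile(r"^([^\\\s]+)\\(\S+) \(RID: (\d+)\)$")

# Fixed RIDs of the built-in local accounts on Windows.
WELL_KNOWN_LOCAL_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    503: "built-in DefaultAccount",
    504: "built-in WDAGUtilityAccount",
}


def describe_rid(rid):
    """Classify a RID: built-in account, user-created (>= 1000) or other system RID."""
    if rid in WELL_KNOWN_LOCAL_RIDS:
        return WELL_KNOWN_LOCAL_RIDS[rid]
    return "user-created account" if rid >= 1000 else "other well-known/system RID"


def parse_enum_users(text):
    """Return [{'domain', 'user', 'rid', 'flags'}, ...] from smb-enum-users output."""
    users = []
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        body = raw.lstrip("|_ ").strip()
        m = USER_LINE.match(body)
        if m:
            users.append({"domain": m.group(1), "user": m.group(2),
                          "rid": int(m.group(3)), "flags": []})
        elif body.startswith("Flags:") and users:
            # Flags belong to the most recently seen account line.
            users[-1]["flags"] = [f.strip() for f in body[len("Flags:"):].split(",")
                                  if f.strip()]
    return users


def accounts_needing_review(users):
    """Enabled accounts that the server reports as not requiring a password."""
    return [u["user"] for u in users
            if "Password not required" in u["flags"]
            and "Account disabled" not in u["flags"]]


def save_usernames(users, path):
    """Write one username per line (e.g. users.txt) and return the count written."""
    with open(path, "w") as fh:
        for u in users:
            fh.write(u["user"] + "\n")
    return len(users)


if __name__ == "__main__":
    found = parse_enum_users(SAMPLE_ENUM_USERS)
    for u in found:
        print(f"{u['domain']}\\{u['user']:<16} RID {u['rid']:<5} {describe_rid(u['rid'])}")
    print("needs review:", accounts_needing_review(found))
    print("written:", save_usernames(found, "users.txt"))
```

On a real host the Guest account is normally reported with the `Account disabled` flag as well, which is why the review helper checks both flags before listing an account.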

Which user has a Relative Identifier (RID) of 500 during SMB enumeration?

Full Match Answer: