Linux samba exploit


Samba has experienced many security vulnerabilities over the years, especially in the 3.x to 4.x range. Many of these vulnerabilities have been critical. One of the more notable, as pointed out by ChatGPT, is the so-called ‘SambaCry,’ found in versions 2.5.0 through 4.6.4. This vulnerability allows an attacker to execute remote code via a shared file. To avoid being compromised by a 12-year-old kid wielding a simple exploit kit, it’s important to keep your system updated with critical patches and to install the latest software versions.

To demonstrate this attack, I’m using VirtualBox, a virtual machine platform on which I’ve created a network of isolated, vulnerable systems (Metasploitable 2). Think of VirtualBox as a computer within your computer, allowing the installation of operating systems without the need for multiple physical machines. For those unfamiliar with setting up a ‘hacking lab’, check out my tutorial here: https://mad-twash.com/lets-create-a-hacking-lab/ . If you need a more detailed instructional resource, I recommend Network Chuck’s video on YouTube: Network Chuck’s tutorial. Just be on the lookout for him peddling his coffee!

I’ll be using Parrot OS for this demonstration, as it comes with Metasploit pre-installed. The first step is to scan our target, which in my case is 10.0.2.5, with Nmap to see what ports are open. Spoiler alert: we are going to use port 139, which is Samba, of course! I mean, it is the title of this blog post. To begin, open a terminal by pressing Ctrl + Alt + T.

Once you have your terminal open, type msfconsole. This will start Metasploit!

We will use db_nmap, because it lets Nmap save its results in the Metasploit database. If you are confused about the database setup, see this blog post: https://jamesonhacking.blogspot.com/2018/05/metasploit-database-setup-on-kali.html

[Screenshot: db_nmap scanning the target system]

Once the scan finishes, we can type services into the console to get a simple, clear table of all the ports/services that are open.

[Screenshot: output of the services command]
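The services table is only useful if somebody acts on it. As an added example (not code from the post), here is a small Python script that reads Nmap's grepable output (the -oG format, which db_nmap also accepts as a normal Nmap flag), pulls out every open SMB port (139 and 445) together with the version banner, and flags banners that point at a Samba 3.x server so they can be patched or decommissioned. The scan lines are a constructed sample modelled on what Metasploitable 2 reports; the hosts 10.0.2.7 and the Samba 4.15.13 banner are made up for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap's grepable (-oG) format, modelled on what a
# Metasploitable 2 scan reports. It is not the scan output from the post.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.2.5 ()\tStatus: Up
Host: 10.0.2.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/\tIgnored State: closed (997)
Host: 10.0.2.7 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.15.13 (workgroup: WORKGROUP)/\tIgnored State: closed (999)
"""

SMB_PORTS = {139, 445}


@dataclass
class SmbFinding:
    host: str
    port: int
    version: str   # the version/banner field Nmap recorded
    legacy: bool   # True when the banner points at a Samba 3.x (end-of-life) server


def is_legacy_samba(version: str) -> bool:
    """Flag banners whose major Samba version is below 4.

    Nmap often reports "Samba smbd 3.X - 4.X" when it cannot pin the exact
    release, so a flagged host still needs manual confirmation of the version.
    """
    match = re.search(r"Samba smbd (\d+)", version)
    return bool(match) and int(match.group(1)) < 4


def parse_gnmap(text: str) -> list:
    """Pull open SMB ports (139/445) and their version banners out of -oG output.

    Each port entry has the form port/state/protocol/owner/service/rpcinfo/version/
    and entries are separated by ", ".
    """
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, _proto, _owner, _service, _rpc, version = fields[:7]
            if state != "open" or int(port) not in SMB_PORTS:
                continue
            findings.append(SmbFinding(host, int(port), version, is_legacy_samba(version)))
    return findings


def report(findings: list) -> list:
    """One human-readable line per finding; legacy hosts get a patch/decommission note."""
    lines = []
    for f in findings:
        note = "LEGACY: patch or decommission" if f.legacy else "ok: verify it is current"
        lines.append(f"{f.host}:{f.port} {f.version} -> {note}")
    return lines


if __name__ == "__main__":
    for line in report(parse_gnmap(SAMPLE_GNMAP)):
        print(line)
```

Run it against a real file with `python3 audit_smb.py < scan.gnmap` after swapping the sample for `sys.stdin.read()`. The point of the legacy flag is that a "3.X - 4.X" banner is exactly the kind of result that deserves a follow-up check of the installed package version rather than a shrug.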

Each one of these open ports can probably be exploited, and I plan to make a blog post on each of them. However, today our focus will be on port 139, an unpatched ANCIENT Samba 3.x – 4.x server.

A quick note: port 139 isn’t an exclusive port for Samba. Port 139 is used by the SMB (Server Message Block) protocol, which Samba commonly relies on for file and printer sharing services over a network.

In the real world, we would analyze the results of the Nmap scan and then research to understand if any of the open ports/services have known vulnerabilities or exploitable weaknesses. In this example, we’ll focus solely on port 139 for demonstration purposes and simplicity. We would note that it’s running Samba and observe the version. A quick Google search would likely alert us to any known vulnerabilities.

Typing search samba into the msfconsole can help us find a match for an exploit. See the screenshot below.

[Screenshot: results of search samba in Metasploit]

In the screenshot above, we can see the results of our simple search. The first exploit I attempted was number 19. This failed, and I will spare you the screenshots. I encourage you to give it a try. Notice that #19 has ‘Solaris’ in the path, which is not ideal since the system we are attacking is a Linux system, specifically Ubuntu. After correcting that mistake, I chose #17. However, it still failed to exploit the system. Further research on Google led me to try #8. Notice it doesn’t specify ‘Linux’ as the target platform but ‘multi’ instead!

Type the following into the msfconsole to get this jewel on the road!

use exploit/multi/samba/usermap_script

Notice that after selecting ‘usermap_script’ as our exploit and hitting enter, part of our prompt turns red. Next, we set the target computer by typing ‘set RHOSTS <target_ip>’. Typing ‘run’ will… RUN the program, of course. I hope you weren’t surprised. That would be a bad sign!

[Screenshot: “Command shell session 1 opened”]

If you see anything like the output in the screenshot above, you have an open session. This means that you have successfully exploited the target computer and now have complete and total access to it. Let’s throw some commands at it and see what we can get. Typing ‘whoami’ or the command ‘uname -a’ will provide some information about the system we are on.

[Screenshot: open session on Metasploitable 2 showing whoami and uname -a]

In the above example, the ‘whoami’ command indicates that we have root access, or in other words, that we are ‘root.’ It’s a matter of perspective. Typing ‘uname -a’ reveals that we are indeed connected to a Linux machine.

A quick note about this exploit. This particular module, named “Samba ‘username map script’ Command Execution”, exploits a command execution vulnerability in Samba. It needs no authentication, because Samba runs the username mapping before authentication completes, so the module never has to present valid credentials. This information, and much more, can be found by typing info after using the use command to select the module.
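The module's name refers to the username map script option in smb.conf, which tells Samba to run an external program on the client-supplied username. From the defender's side, the first question is therefore whether that option is set at all. The following Python audit is an added example, not code from the post or from the Samba project: it reads a constructed smb.conf fragment (the script path /etc/samba/scripts/mapusers.sh is a placeholder, not Metasploitable 2's real configuration), normalises parameter names the way Samba does (case and whitespace are ignored), and reports the option when it is present in the [global] section.

```python
# Constructed smb.conf fragment for the audit; it is not Metasploitable 2's
# real configuration and the script path is a placeholder.
SAMPLE_SMB_CONF = """\
# Constructed sample configuration
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   security = user
   username map script = /etc/samba/scripts/mapusers.sh

[homes]
   comment = Home Directories
   browseable = no
"""


def normalise_key(key: str) -> str:
    """Samba treats parameter names case- and whitespace-insensitively."""
    return "".join(key.lower().split())


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: returns {section: {normalised_key: value}}.

    Full-line comments start with '#' or ';'. Values keep their original text.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalise_key(key)] = value.strip()
    return sections


def audit_username_map_script(sections: dict) -> list:
    """Return a list of findings; empty when 'username map script' is unset."""
    script = sections.get("global", {}).get("usernamemapscript")
    if not script:
        return []
    return [
        f"[global] username map script = {script}: the script runs with the "
        "client-supplied username before authentication completes; remove it "
        "unless the Samba build is patched for the username map script "
        "command-execution flaw"
    ]


if __name__ == "__main__":
    findings = audit_username_map_script(parse_smb_conf(SAMPLE_SMB_CONF))
    print("\n".join(findings) if findings else "username map script is not set")
```

Point the parser at a real /etc/samba/smb.conf and an empty result means the risky option is simply absent, which is the default; a non-empty result means the host is worth a version check against the package the distribution ships.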

We could have also chosen a payload to send to the target computer by typing show payloads and then choosing one with set payload <number>. In the example above we use almost all the default settings, including the payload. We just set RHOSTS, which is the target machine. If you do type show payloads you will see that there are 40 options for this specific exploit! Try some!

The next step after exploiting a system would be to upload a program to keep persistent access, or search the system for password hashes in /etc/shadow. You will need a program like “John the Ripper” or “Hashcat” to deal with these hashes. Stay tuned for more exploits in Metasploit! Please leave a comment or check out one of my other guides for more!

Mad-Twash