I'm aware that a handful of servers I have access to have not had their local Administrator accounts set on them: type in administrator, press return and you're in.
I've been playing around with Metasploit and the smb_login auxiliary scanner.
I have a known test host I can log in to with administrator and blank, but I just can't get Metasploit to feed back properly.
I'm using the following options:
BLANK_PASSWORDS true
SMBDomain . (which is the default, I'm thinking this is fine given it's a local administrator account)
SMBPass (set to nothing e.g. blank)
SMBUser Administrator
The output is as follows...
* x.x.x.x:445 - x.x.x.x:445 - Starting SMB login bruteforce
* x.x.x.x:445 - x.x.x.x:445 - This system does not accept authentication with any credentials, proceeding with brute force
* x.x.x.x:445 - x.x.x.x:445 - Correct credentials, but unable to login: '.\administrator:',
* x.x.x.x:445 - Scanned 1 of 1 hosts (100% complete)
* Auxiliary module execution completed
So my question really is: how can I easily record the fact that the correct credentials were used / accepted, as I have a couple of hundred machines to cover?
Also, any ideas why it was unable to log in, given the credentials were correct and that I can navigate to shares without issue from another Windows box?