Forum Thread: Identifying Hosts with Blank, Local, Administrator Passwords

I'm aware of a handful of servers I have access to have not had their local Administrator accounts set on them, type in administrator press return and you're in.

I've been playing around with metasploit and the smb_login auxilary scanner.

I have a known test host I can login to with administrator and blank, but I just can't get Metasploit to feedback properly.

I'm using the following options:

BLANK_PASSWORDS true
SMBDomain . (which is the default, I'm thinking this is fine given it's a local administrator account)
SMBPass (set to nothing e.g. blank)
SMBUser Administrator

The output is as follows...

* x.x.x.x:445 - x.x.x.x:445 - Starting SMB login bruteforce

* x.x.x.x:445 - x.x.x.x:445 - This system does not accept authentication with any credentials, proceeding with brute force

* x.x.x.x:445 - x.x.x.x:445 - Correct credentials, but unable to login: '.\administrator:',
* x.x.x.x:445 - Scanned 1 of 1 hosts (100% complete)
* Auxiliary module execution completed

So my question really is, how can I easily record the fact the correct credentials were users / accepted as I have a couple of hundred machines to cover?

Also, any ideas why it was unable to login given the credentials were correct and that I can navigate to shares without issue from another windows box?

Never Miss a Hacking or Security Guide

Get new Null Byte guides every week.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active