How To Detect Nmap SMB Brute-Force Attack Using Wireshark

by Sunny Hoi

Advantages of Nmap SMB Brute

We will use the Nmap smb-brute script, which tries to guess username and password combinations over SMB. Before using any credential, the script first tries to obtain a valid list of users and verifies each username.

Once a username is found, it is stored in the Nmap registry, so other smb scripts run in the same scan can reuse it after smb-brute has finished.

SMB is a protocol that lends itself to brute-forcing, and once a weak password is discovered, access to the system may follow.

Nmap has many additional features including the ability to work with Proxychains in Kali Linux. Furthermore, Nmap is also used by hackers to evade firewalls and intrusion detection systems (IDS).

Uncovering a password over SMB is particularly valuable to a penetration tester, because a password recovered from Windows over SMB may also work on custom web applications, Linux hosts, or MySQL.

Once an account is uncovered, it is saved in the smb module. The brute-force attempts always begin with a blank password, followed by the username reversed as the password; once those guesses are exhausted, the unpwdb password list is used.

Brute Force Attack Detection Using Wireshark

Our tutorial will show how to detect Nmap SMB brute-force attacks using Wireshark, with the attack launched from Kali Linux. This is helpful for network forensic analysts and network defenders, particularly those working for militaries.

The victim will act as the network defender/forensic analyst while the attacker will serve as a cyber adversary.


Note: This is a penetration testing and digital forensics tutorial.


1. Open Wireshark On The Victim Machine

Wireshark will permit us to detect SMB brute-force attacks launched by the hacker later on.

In our tutorial, the victim machine is using the Windows operating system.

2. Find Out The Victim’s IP Address

Open the Run dialog by first going to the Windows 10 taskbar and clicking the “Search” or “Cortana” icon. Type in “run” to open the Run desktop app.

Type in “cmd” to open the Command Prompt (You can also just type cmd directly into the search box of the taskbar to open the Command Prompt without opening the Run dialog).

Enter ipconfig into the Command Prompt. Scroll to find the appropriate interface.

For our example, we’ll look at the “Ethernet adapter Ethernet:” section. Next to “IPv4 Address”, take note of the victim’s IP address.

We see that the victim’s IPv4 address is 192.168.2.2.

3. Login To The Attacker Machine (Kali Linux)

To launch the Nmap smb-brute force attack on the victim, we will want to login to our attacker machine which is running Kali Linux.

The default root account credentials for Kali Linux are root/toor.

4. Open A Terminal On The Attacker Machine (Kali Linux) And Type In Nmap Command

When you have opened a new terminal in Kali, type in the following:

nmap (the victim’s IP address) --script smb-brute

Our example would be: nmap 192.168.2.2 --script smb-brute

Do not press ENTER on the above nmap command yet. Just leave the line in terminal for now.

5. Go Back To Wireshark On The Victim Machine And Select The Interface

Select your interface in Wireshark. For instance, we’ll choose Ethernet.

Press the shark-fin icon on the left (located right below the File menu) to start capturing.

6. Go Back To The Attacker Machine (Kali Linux)

Press ENTER on your keyboard to start the Nmap SMB brute-force attack (our command is nmap 192.168.2.2 --script smb-brute).

You’ll receive a message in terminal telling you that Nmap is starting.

7. Open A New Terminal On The Attacker Machine (Kali Linux) To Find Attacker’s IP Address

Once a new terminal is opened on the attacker machine, enter the following to find the attacker’s IP address:

ifconfig

Under the appropriate interface, look for the attacker’s IP address. For instance, we look at the IP address next to “inet”. Therefore, 192.168.2.3 will be our attacker’s IP address.

8. Go Back To Wireshark On The Victim’s Machine And Apply A Display Filter

We will filter on the attacker’s IP address that we found in the previous step, which in our case is 192.168.2.3. The ip.addr filter matches a packet whose source or destination is that address, so it keeps both the attacker’s requests and the victim’s responses.

Thus, type in the following:

ip.addr == (the attacker’s IP address)

Our example would be: ip.addr == 192.168.2.3

Click on the right arrow icon located towards the right of the display filter box to apply the filter.

Examine The Digital Forensic Evidence

Wireshark will reveal the various usernames tried. We can see that brute-force attempts have been performed by the hacker. The attacker has tried the user root (User: \root) but receives a logon failure (STATUS_LOGON_FAILURE).

We can see that the user admin (User: \admin) has been attempted, but a logon failure has occurred as well (STATUS_LOGON_FAILURE).

We can also observe the fact that the user administrator (User: \administrator) has had its account disabled (STATUS_ACCOUNT_DISABLED).

Other usernames include user, web, test, webadmin, sysadmin, netadmin.

Hence, Wireshark clearly shows the network defender/analyst that the hacker is running a brute-force attack against SMB.

We can also evidently see the time of the cyber attack, the source IP address, and destination IP address.

We can also see plenty of other information that will assist with our digital forensic analysis. Notably, our example shows the Ethernet frame details, including MAC addresses whose vendor prefix Wireshark resolves to VMware.

Clearly, the more information we have, the better it is for our network forensic analysis.

We can also expand the SMB section to gather additional digital forensic information and evidence. Wireshark shows the header details under SMB Header, including the response time, signature, and user ID.

Expanding NetBIOS Session Service provides further details, such as the message length.

Under the Transmission Control Protocol section, we can see the source port and destination port.

Under the Internet Protocol Version 4 section, we can find the source IP address and destination IP address. This information is useful for evidence confirmation purposes. If we scroll down the section, the source and destination IP addresses are laid out clearly for us to view.
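The evidence described above (Session Setup requests carrying User: \root, User: \admin and so on, answered by STATUS_LOGON_FAILURE or STATUS_ACCOUNT_DISABLED) can also be summarised automatically once the filtered packet list is exported. The following script is an added example, not code from the original tutorial. It assumes the packet list was saved with File > Export Packet Dissections > As CSV after applying the ip.addr display filter, so the Info column contains the same strings Wireshark shows in its packet list. The CSV embedded below is constructed by hand in that shape, using the usernames and status codes from this capture plus one benign logon from a second host, so the script runs offline.

```python
"""Summarise SMB logon verdicts from a Wireshark packet-list CSV export and
flag clients that look like brute-force sources (added example; the CSV
sample is constructed, not a real export)."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export: 192.168.2.3 guessing against 192.168.2.2, plus one
# benign, successful logon from 192.168.2.10 that must not be flagged.
SAMPLE_CSV = r'''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000100","192.168.2.3","192.168.2.2","SMB","194","Session Setup AndX Request, NTLMSSP_NEGOTIATE"
"2","0.000300","192.168.2.2","192.168.2.3","SMB","258","Session Setup AndX Response, Error: STATUS_MORE_PROCESSING_REQUIRED"
"3","0.000500","192.168.2.3","192.168.2.2","SMB","302","Session Setup AndX Request, NTLMSSP_AUTH, User: \root"
"4","0.000700","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"5","0.001000","192.168.2.3","192.168.2.2","SMB","303","Session Setup AndX Request, NTLMSSP_AUTH, User: \admin"
"6","0.001200","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"7","0.001500","192.168.2.3","192.168.2.2","SMB","311","Session Setup AndX Request, NTLMSSP_AUTH, User: \administrator"
"8","0.001700","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_ACCOUNT_DISABLED"
"9","0.002000","192.168.2.3","192.168.2.2","SMB","302","Session Setup AndX Request, NTLMSSP_AUTH, User: \user"
"10","0.002200","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"11","0.002500","192.168.2.3","192.168.2.2","SMB","301","Session Setup AndX Request, NTLMSSP_AUTH, User: \web"
"12","0.002700","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"13","0.003000","192.168.2.3","192.168.2.2","SMB","302","Session Setup AndX Request, NTLMSSP_AUTH, User: \test"
"14","0.003200","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"15","0.003500","192.168.2.3","192.168.2.2","SMB","306","Session Setup AndX Request, NTLMSSP_AUTH, User: \webadmin"
"16","0.003700","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"17","0.004000","192.168.2.3","192.168.2.2","SMB","306","Session Setup AndX Request, NTLMSSP_AUTH, User: \sysadmin"
"18","0.004200","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"19","0.004500","192.168.2.3","192.168.2.2","SMB","306","Session Setup AndX Request, NTLMSSP_AUTH, User: \netadmin"
"20","0.004700","192.168.2.2","192.168.2.3","SMB","93","Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"
"21","12.500000","192.168.2.10","192.168.2.2","SMB","318","Session Setup AndX Request, NTLMSSP_AUTH, User: OFFICE\alice"
"22","12.500400","192.168.2.2","192.168.2.10","SMB","177","Session Setup AndX Response"
'''

USER_RE = re.compile(r"User: (\S+)")            # e.g. "User: \root" or "User: DOMAIN\alice"
STATUS_RE = re.compile(r"Error: (STATUS_\w+)")  # NT status shown in the Info column
# Intermediate NTLMSSP step: the server has not judged the credentials yet.
INTERMEDIATE = {"STATUS_MORE_PROCESSING_REQUIRED"}


def parse_packets(csv_text):
    """Yield (time, src, dst, info) for each row of the exported packet list."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield float(row["Time"]), row["Source"], row["Destination"], row["Info"]


def session_setup_results(csv_text):
    """Pair each Session Setup request that names a user with the server's verdict.
    Returns a list of (time, client, server, username, status)."""
    pending = {}  # (client, server) -> username awaiting a verdict
    results = []
    for t, src, dst, info in parse_packets(csv_text):
        if "Session Setup AndX Request" in info:
            m = USER_RE.search(info)
            if m:  # NTLMSSP_NEGOTIATE requests carry no user name and are skipped
                pending[(src, dst)] = m.group(1).rsplit("\\", 1)[-1]  # drop DOMAIN\ prefix
        elif "Session Setup AndX Response" in info:
            m = STATUS_RE.search(info)
            status = m.group(1) if m else "STATUS_SUCCESS"  # no "Error:" means success
            if status in INTERMEDIATE:
                continue
            client, server = dst, src  # the response travels server -> client
            user = pending.pop((client, server), None)
            if user is not None:
                results.append((t, client, server, user, status))
    return results


def summarise(results):
    """Per client: attempts, failed logons, distinct usernames, status counts, time span.
    STATUS_ACCOUNT_DISABLED counts as a failure even though it confirms the account exists."""
    summary = {}
    for t, client, server, user, status in results:
        s = summary.setdefault(client, {"server": server, "attempts": 0, "failures": 0,
                                        "users": set(), "statuses": defaultdict(int),
                                        "first": t, "last": t})
        s["attempts"] += 1
        s["users"].add(user)
        s["statuses"][status] += 1
        if status != "STATUS_SUCCESS":
            s["failures"] += 1
        s["first"], s["last"] = min(s["first"], t), max(s["last"], t)
    return summary


def brute_force_sources(summary, min_failures=5, min_users=3, window=60.0):
    """Clients with many failed logons across several usernames within a short window.
    The thresholds are assumptions for this example; tune them to the environment."""
    return sorted(c for c, s in summary.items()
                  if s["failures"] >= min_failures and len(s["users"]) >= min_users
                  and s["last"] - s["first"] <= window)


if __name__ == "__main__":
    summary = summarise(session_setup_results(SAMPLE_CSV))
    for client in brute_force_sources(summary):
        s = summary[client]
        print(f"{client} -> {s['server']}: {s['failures']}/{s['attempts']} failed logons, "
              f"{len(s['users'])} usernames in {s['last'] - s['first']:.3f}s, {dict(s['statuses'])}")
```

Pairing requests with responses by the (client, server) address pair mirrors what the analyst does by eye in the packet list: the request names the account, the reply carries the verdict. The NTLMSSP_NEGOTIATE round trip is deliberately ignored, because STATUS_MORE_PROCESSING_REQUIRED is not a judgement on the password, and counting it would inflate the failure tally.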

Conclusion

Unsurprisingly, Wireshark is a handy tool that is often used in militaries by network defenders to defend government systems and networks.

Network forensics plays a crucial role not merely in locating the source of a cyber attack; it can also tremendously enhance the security of a corporation or military engaged in penetration testing and network defence.
