Exploiting Windows XP Using Kali Linux
Join the DZone community and get the full member experience.
In this article, we’ll walk you through how to exploit a live install of Windows XP Service Pack 3. We’ll make use of the well-known vulnerability in the netapi32.dll in the Windows Operating System.
The vulnerability is in fact very dangerous because the attacker is not required to authenticate to the target machine prior to running the attack.
Penetration Testing: A Hands-On Introduction to Hacking
This article is inspired by the book Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman.
The exploit module we’ll make use of through the Metasploit framework is called exploit/windows/smb/ms08_067_netapi.
Before continuing with this tutorial, you’ll need to:
- Have a virtual machine running Kali Linux.
- Have a virtual machine running an unpatched version of Windows XP Service Pack 3.
- Have basic knowledge of the Linux command line.
Please note that it is illegal to perform this attack without the victim’s permission!
Using Metasploit to exploit Windows XP
Start off by firing up both virtual machines.
Log in to Kali Linux, and fire up a terminal window.
Terminal window in Kali Linux
The first thing we’ll need to do is to start the Metasploit Framework.
Enter these commands into the terminal window:
The first command, «service postgresql start,» launches a PostgreSQL database, which Metasploit uses to track your commands.
The next command, «msfconsole,» launches the Metasploit text-based console. This is where we’ll perform our attack.
After «msfconsole» has finished loading (which can take a while), you should see something like this:
As previously mentioned, we’ll use the module, exploit/windows/smb/ms08_067_netapi. We tell metasploit which module to use by entering the following command:
Now that we’ve told Metasploit which exploit module we’d like to use, we need to set some options. Enter this into the command line to show all available options:
Showing options in metasploit
As you see, there are not many options that need to be set.
- RHOST: This is the target machine’s IP-address. We’ll set this in the next step.
- RPORT: This is the port we’ll perform our attack through. The default of 445 is fine.
- SMBPIPE: The browser is the correct SMBPIPE for this attack.
- Exploit Target: This is the target operating system. Automatic targeting is fine for this attack.
In other words, the only option we’ll need to set is the target IP-address. You can find the target IP-address by running «ipconfig» in cmd on your Windows VM. In my case, the IP-address is 10.0.0.17.
The exploit module is now configured and ready to go. But, we’ll also have to tell Metasploit which payload it should install on the target machine. In this attack, we’ll use the payload «windows/meterpreter/reverse_tcp.»
Setting up the exploit in metasploit
The payload windows/meterpreter/reverse_tcp will create a reverse shell.
A reverse shell will push a connection from the target machine (windows) back to the attacker (Kali).
In practice, this means that our Kali machine will open a local port and listen for a connection from the target machine on port 4444 (LPORT).
Note that this isn’t stealthy at all. You should at least change the LPORT to a regular port number like 80 (HTTP) to have any chance of succeeding.
You may have noticed that the LHOST field doesn’t contain anything. We’ll need to set LHOST to our Kali IP-address, which is 10.0.0.107 in my case.
The payload needs this information so the victim machine can connect back to the attacking machine.
Everything’s now set up in Metasploit. Before proceeding, make sure that the Windows firewall is deactivated on your Windows VM.
You should also create a txt-file on your desktop in the Windows VM. The content can be anything you like; we’ll just use it to illustrate the power of this attack.
Now that you’re all set and ready to go, let’s exploit the target machine. Type this command to proceed:
Exploiting Windows XP SP3 Using Kali Linux
What has actually happened here?
When exploiting our target machine (Windows XP), we delivered a payload, which initiated a reverse shell connection.
The reverse shell made our target machine connect back to the attacking machine (Kali Linux), providing a shell connection directly to the Windows Operating System.
Let’s navigate to the file we created earlier in the Desktop folder (on the Administrator user in my case):
Now, we only need to navigate to the Desktop folder and view the content of the file using the «cat» command.
exploit/windows/smb/ms08_067_netapi in kali
Congratulations! You have now gained access to a remote Windows XP operating system, using the exploit/windows/smb/ms08_067_netapi exploit!
Published at DZone with permission of An Eng . See the original article here.
Opinions expressed by DZone contributors are their own.
Добро пожаловать на Old-DOS.ru!
Добро пожаловать на сайт Old-DOS.ru.
Здесь вы найдете много программ и игр для MS-DOS и Windows 3.x/9x.
Ценители — посмотрят. Ностальгирующие — покайфуют. Остальные — советую посмотреть и узнать, что умели еще те компьютеры.
Если у вас есть хорошие программы для DOS, регистрируйтесь и добавляйте!
Всего новостей 534
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21-40 54 |
| Вышел №43 журнала Downgrade |
| Скачать можно здесь: http://dgmag.in/N43/DowngradeN43.pdf (18,1 МБ.) Или у нас в библиотеке: http://old-dos.ru/index.php?page=lib&do=show&id=614#file878 «Тема — «Мультимедиа». Статей по теме довольно много (например, обзоры софта от А. Шаронова, про репетиторы «Кирилла и Мефодия» и кинотиры от В. Сурженко и др.). Есть и не по теме — например, мы с lys написали про программирование знакогенератора MDA из состава ЕС-1840. Ещё есть большая статья Vladislav про Nokia 3410 и 6310i.» Приложение под названием WinGPT написано на языке программирования C, и по большей части создано с использованием стандартного API операционной системы. Из сторонних элементов — только строка состояния, для реализации которой энтузиаст применил собственный код. Для подключения к серверу OpenAI используется стандарт шифрования TLS 1.3, который появился в 2018 году. Об этой системе нет смыла рассказывать, ибо эта система уже стала легендарной. Особо бы хотел выделить интересные вещи, выложенные user83541 — Dr.Web 1.00, AVP 1.0 beta, M-86, текстовый редактор Letter Maker (давно его искал) и прочее. Спасибо за эти редкие программы! Немного статистики по выложенным за указанный период файлам: По сайту в целом за прошедшее время особых новостей нет, конечно, кроме переезда, но про него есть отдельная новость ниже. Подытоживая — что ж, надеюсь, доживём как-нибудь и до 30000 файлов. For abuses about copyright: srzone@mail.ru detector |