Hacking Windows with Metasploit

“The magic solution for your information security”

Requirements:

1. For this hack we will use two virtual machines, one with Windows 2003 Server (our victim) and one with Backtrack Linux (the hacker).

2. The Windows 2003 Server should have the DNS service enabled.

3. Both machines should be able to ping each other. If you want to make things easier you can disable the Windows firewall, but for realistic purposes you should allow outside access only to the public services (this includes our DNS target port).

Step-by-step procedure

PART A: Using Metasploit msfcli

1. Turn on both VMs and check the victim’s IP address. In a real situation you’re supposed to find this in the reconnaissance phase.

Taller de Seguridades en Windows (Windows Security Workshop), Elixircorp S.A.

2. Now go to the hacker machine, open a command prompt and change to the /pentest/exploits/framework3 directory. We’re going to use the Metasploit CLI for this hack.

3. Execute msfcli and search for DNS-related exploits for the Windows platform.

4. Now we’re gonna use the “O” parameter in order to find the options for this exploit. After that we’ll set the RHOST option to our target IP address and use the “P” parameter for finding a good payload that we can use.

5. We’ll choose a simple payload, “generic/shell_bind_tcp”, in order to get a command prompt from our victim. Before doing that we ask which targets this exploit supports with the “T” option, so we make sure Windows 2003 is vulnerable to this attack.

6. Finally we execute the exploit with the “E” option and voilà! We’re inside!! Enjoy ;)

PART B: Using Metasploit Console (msfconsole)

The Metasploit Console is easier to use than the CLI and has become more popular with the new versions of the framework.

1. So now we’re going to execute the same exploit, but using msfconsole.

2. The msfconsole has a useful help command that we can use to explore all the options available.

3. We can use the “show exploits” command in order to look for the one we want.

4. We use the same last exploit and options.

5. Finally we execute it with the command “exploit”.

PART C: Using Armitage (graphical interface for Metasploit)

This lab wouldn’t be complete without at least a brief review of the Armitage interface, so let’s put our hands to work!

1. First we call Armitage from the command line like this:

2. After we click the “Start MSF” button we’ll see Armitage’s interface.

3. As we have already executed an attack against our target, Armitage should show our victim in the host list, so we select it with a single click. Then we expand the exploit -> windows -> dcerpc menu on the left and select our last exploit. After that we just have to double-click it.

4. Be sure to select the “use reverse connection” checkbox and click on the “Launch” button.

5. That should open a meterpreter session for you to play with ;)

6. Now we just list the available sessions and connect to the proper one. Keep in mind that we have the privileges of the SYSTEM user, as Armitage previously informed us. To list the sessions we use the command “sessions -l”.

7. To interact with a session we use “sessions -i #”, where # should be replaced with the proper session number.

8. And that’s it! We’ve got it!
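As an added example from the defender's side (not part of the original lab): the “generic/shell_bind_tcp” payload from Part A leaves a new listening port on the victim, and the reverse connection from Part C makes the victim connect out to the attacker. The script below, written for this edit, parses constructed `netstat -ano` style output and flags both; the served-port allowlist and the sample rows are assumptions, not captures from the lab.

```python
"""Spot what a bind shell (Part A) or reverse connection (Part C) leaves in
`netstat -ano` output on a Windows host: a listener on a port that is not one
of the published services, or a TCP connection the server itself initiated."""

# Constructed sample output, not a capture from the lab. Ports and PIDs are
# made up; 4444 stands in for whatever port the payload was configured with.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2088
  TCP    192.168.56.10:53       192.168.56.30:1123     ESTABLISHED     1240
  TCP    192.168.56.10:1045     192.168.56.20:4444     ESTABLISHED     2088
  UDP    0.0.0.0:53             *:*                                    1240
"""

# Assumed allowlist of ports the lab's requirement 3 leaves reachable:
# DNS on 53 plus the RPC endpoint mapper the Windows DNS service relies on.
ALLOWED = {("TCP", 53), ("UDP", 53), ("TCP", 135)}


def parse_netstat(text):
    """Return rows (proto, local_ip, local_port, remote, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a line we do not understand
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:  # UDP lines carry no State column
            state, pid = "", int(parts[3])
        lip, lport = local.rsplit(":", 1)
        rows.append((proto, lip, int(lport), remote, state, pid))
    return rows


def unexpected_listeners(text, allowed=ALLOWED):
    """Listening sockets outside the allowlist: a bind-shell payload shows here."""
    return sorted({(r[0], r[2], r[5]) for r in parse_netstat(text)
                   if (r[4] == "LISTENING" or r[0] == "UDP")
                   and (r[0], r[2]) not in allowed})


def server_initiated(text, allowed=ALLOWED):
    """Established TCP connections whose local port is not a served port, i.e.
    the host connected out; a reverse payload calling back looks like this."""
    return [(r[3], r[5]) for r in parse_netstat(text)
            if r[0] == "TCP" and r[4] == "ESTABLISHED"
            and ("TCP", r[2]) not in allowed]
```

Both findings point at the same PID in the sample, which is the first thing to pivot on when triaging a host that exposed the service described in the lab.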

Copyright ©2012 Elixircorp S.A.

Legal Note:

All the brands and applications used in this article belong to their respective owners.
