
Vulnerability Assessment

In this chapter, we will cover:

- Penetration testing on a Windows XP SP2 machine
- Binding a shell to the target for remote access
- Penetration testing on Windows 8
- Exploiting a Linux (Ubuntu) machine
- Understanding the Windows DLL injection flaws

Introduction

In the previous chapter, we focused on gathering information about our target, such as the target IP address, open ports, available services, operating system, and so on. One of the biggest assets in the process of information gathering is gaining knowledge about the operating system used by the target server or system. This information can prove to be very helpful in penetrating the target machine, as we can quickly look for exploits and vulnerabilities of the operating system in use. Well, the process is not as straightforward as it sounds, but knowledge about the target operating system can ease our task to a great extent.

Every operating system has bugs of one kind or another. Once a bug is reported, the process of developing exploits for it begins. Licensed operating systems, such as Windows, quickly develop patches for the bug or vulnerability and provide them to users as an update.

Vulnerability disclosure is a big issue these days. Many zero-day disclosures create havoc in the computer industry. Zero-day vulnerabilities are highly sought after in underground markets, where the price may range from 50,000 to 100,000 U.S. Dollars. Vulnerabilities are detected and exploited, but whether a vulnerability is disclosed depends on the researcher and their intention.

Well-known vendors, such as Microsoft and Adobe, issue patches at regular intervals, but it is up to the user to apply them. In corporate scenarios, this gets even worse: it takes weeks before servers are patched because of the downtime involved and the need to keep business continuity from being hampered. So, it is always recommended to keep your operating system updated and to keep an eye on any new vulnerability discovered in it. Unpatched systems are a safe haven for hackers, who immediately launch exploits to compromise the target. Hence, regular patching and updating of the operating system is essential. In this chapter, we will focus on vulnerabilities that have been reported in some of the most popular operating systems.

In the process of penetration testing, once information about the target operating system is available, the pentester starts looking for available exploits for that operating system's flaws. So, this chapter will be the first step toward penetrating our target through vulnerabilities in the operating system. We will focus on some of the most widely used home and enterprise operating systems from Microsoft, and on some flavors of Linux. We will also look at how to use exploits and set their parameters so that they execute on the target machine. Last, but not least, we will discuss some of the useful payloads available to us in the Metasploit framework. Let us move further with the various recipes.

Before starting to use exploits and payloads on target machines, we first have to know some basics about them. It is essential to understand how exploits are used so that you can avoid some common errors that arise from misconfigured parameters.

So, let us begin with some basics of using exploits and how to set parameter values.

In order to start using exploits on your target, the first thing required is to scan the target for open ports and services. Once you have gathered enough information about the target, the next step is to select exploits accordingly. So, let us analyze some of the exploit commands that can be launched directly from msfconsole.

Here is a list of commands that will be helpful during the exploit usage:

- msf > show exploits and msf > show payloads: These two commands display all the exploits and payloads available in the Metasploit directory.

- msf > search exploit: This command searches for a particular exploit. We can also use it to search for any specific search term. For example, consider the following command:

msf > search ms03_026_dcom

Matching Modules
================

   Name                                  Disclosure Date  Rank   Description
   ----                                  ---------------  ----   -----------
   exploit/windows/dcerpc/ms03_026_dcom  2003-07-16       great  Microsoft RPC DCOM

- msf > use exploit: This command sets an exploit as active and ready to use. The command is passed in the following manner:

msf > use exploit-name

After executing this command, the prompt also changes to the exploit type:

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) >

- show options: This command shows the available options or parameters of the exploit in use. The various parameters include the host IP, port, threads, and so on. The parameters marked yes under Required must have a value in order to execute the exploit:

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port

- set: This command assigns a value to a parameter of the exploit in use. It is also used to choose a payload for the exploit in use. The command is passed in the following manner:

msf > set parameter-name parameter-value

The unset command works the same way and clears a parameter's value. For example:

msf exploit(ms03_026_dcom) > set RHOST 102.168.56.102
RHOST => 102.168.56.102
msf exploit(ms03_026_dcom) >

There are also the setg and unsetg commands, which set or clear a parameter value globally in msfconsole, so that the same value does not have to be re-entered for every module.

- show targets: Every exploit is written to attack a particular target service. This command displays the possible targets that the exploit can be used against:

msf exploit(ms03_026_dcom) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

Here, we can see that the dcom exploit is available for several flavors of Windows.
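As an added example (not from the book), here is a small Python helper that parses `show options` output such as the table above and reports required options that are still unset, which is the misconfiguration the introduction warns about. The sample table is constructed to mimic msfconsole's layout, and `parse_options`, `apply_set` and `missing_required` are names chosen for this example.

```python
import re

# Constructed sample of `show options` output for the module this section
# walks through, laid out the way msfconsole prints it (not a real capture).
SAMPLE_OPTIONS = """\
Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port
"""

# One option row: name, an optional current value, the yes/no Required
# flag, and an optional description. Matching on the yes/no token rather
# than on fixed column widths tolerates the blank Current Setting cell.
ROW_RE = re.compile(r"^\s*(\S+)\s+(.*?)\s*\b(yes|no)\b(?:\s+(.*))?$")


def parse_options(text):
    """Map option name -> (current_setting, required) for every table row."""
    opts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            opts[m.group(1)] = (m.group(2), m.group(3) == "yes")
    return opts


def apply_set(opts, name, value):
    """Mirror `set NAME VALUE`: store the value, keeping the Required flag."""
    _, required = opts.get(name, ("", False))
    opts[name] = (value, required)
    return opts


def missing_required(opts):
    """Required options that still have no value; msfconsole refuses to
    run the module until each of these has been set."""
    return sorted(n for n, (cur, req) in opts.items() if req and not cur)


if __name__ == "__main__":
    opts = parse_options(SAMPLE_OPTIONS)
    print("unset required options:", missing_required(opts))  # ['RHOST']
    apply_set(opts, "RHOST", "102.168.56.102")
    print("after set RHOST:", missing_required(opts))  # []
```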

In Chapter 1, Metasploit Quick Tips for Security Professionals, we discussed how the entire Metasploit framework has a modular architecture. Each exploit is packaged as a module that the framework understands and can run, and different commands are used to load and set up these modules. The command-line interface of msfconsole makes it easy to access the different modules and perform penetration testing.

Penetration testing on a Windows XP SP2 machine