Last Saturday Evening I joined a small Fondue Party of friends. Most of us know each other from the scratchbook Blog and traditionally we do that event once a year. I really like Fondue and everyone who wants has the possibility to give a speech after the Fondue. The topics are usually technically, because most of us working somewhere in the IT Business 😉
The topics this year were about:
- Privacy (Big concerns like google gathering lots of personal informations about us)
- UPNP (Insecure feauture that is implemented in many devices)
- TOR Network (Experiences about setting up a own TOR Node)
- Metasploit (A quick introduction into the Framework)
My part was a little speech about Metasploit and in this post I want to show you the practical examples that I’ve showed.
Demo 1 – Own a Windows XP SP0
For demonstration purposes I did setup the oldest version of WinXP to get a 100% guaranty that we can Exploit that system. The vulnerability that has to be Exploited is the MS08-067. The payload that I use in this case is the meterpreter Shell.
Step 1 – Starting metasploit console and search for the ms08_067 ExploitStep 2 – Load the Exploit
Step 3 – Set Rhost (Target)
Step 4 – Set Lhost (Attacker IP for Reverse Shell)
Step 5 – Set Payload (meterpreter Shell)
Step 6 – Show targets
Step 7 – Optional Set target ID (Default 0)
Step 8 – Show summary
Step 9 – Exploit target and take control
Step 10 – Use meterpreter Shell and have Fun
Demo 2 – Exploit Vulnserver
Vulnserver is a TCP based server program that is designed to be exploited. With help of a Tutorial that I’ve discovered in the IX Magazine I could write a python based Exploit to inject payload code into the running Vulnserver process. Writing Exploits is a very hard topic. In this demonstration I just want to show you the encrypted payloadcode that was generated by metasploit and the output of the Revereshell after exploiting the target.
When I start the Vulnserver on the target WinXP machine, the server is waiting for client connection on port 9999. We can check that quickly if we do a connection with netcat on port 9999 to the target.
The attacker did already a deep analysis with the help of a debugger where he can inject code to the vulnerable Server. With the help of Metasploit the attacker was able to create the encrypted payload Code for the final Exploit.
He put the encrypted payload code into the final Exploit and run the exploit against the target system.
Demo 3 – Exploit vsFtpd Service and got root
Metasploitable is a virutal machine that is designed to be exploited. Metasploitable is full of Security holes, but in this example I just want to show you how to exploit the VsFtpd Service on that system to own the root account.
Step 1 – Simple nmap scan against target
Step 2 – Find out the version of the FTP Service
Step 3 – Search for a valid Exploit
Step 4 – Use Exploit and set lhost and rhost
Step 5 – Set payload
Step 6 – Exploit target and got root