
The magical solution for the security of your information

Hacking Windows with Metasploit


Requirements:
1. For this lab we will use two virtual machines: one with Windows 2003 Server (our victim) and one with BackTrack Linux (the attacker).
2. The Windows 2003 Server should have the DNS service enabled.
3. Both machines should be able to ping each other. To make things easier you can disable the Windows firewall, but for a realistic setup you should allow outside access only to the public services (which includes our DNS target port).

Step-by-step procedure
PART A: Using Metasploit msfcli
1. Turn on both VMs and check the victim's IP address. In a real engagement you would find this during the reconnaissance phase.

Windows Security Workshop, Elixircorp S.A. (http://www.elixircorp.biz)

Page 1


2. Now go to the attacker machine, open a command prompt and change to the /pentest/exploits/framework3 directory. We're going to use the Metasploit CLI (msfcli) for this part.


3. Execute msfcli and search for DNS-related exploits for the Windows platform.

4. Now we use the O parameter to list the options for this exploit. After that we set the RHOST option to our target IP address and use the P parameter to list the payloads we can use with it.


5. We'll choose the simple payload generic/shell_bind_tcp to get a command prompt from our victim. Before doing that we ask which targets this exploit supports with the T option, so we make sure Windows 2003 is vulnerable to this attack.


6. Finally we execute the exploit with the E option and voilà! We're inside! Enjoy ;)


PART B: Using Metasploit Console (msfconsole)


The Metasploit Console is easier to use than the CLI and has become more popular with the newer versions of the framework.

1. So now we're going to run the same exploit, but using msfconsole.


2. msfconsole has a useful help command that we can use to explore all the available options.

3. We can use the show exploits command to look for the one we want.


4. We use the same exploit and options as before.

5. Finally we run it with the exploit command.


PART C: Using Armitage (graphical interface for Metasploit)


This lab wouldn't be complete without at least a short review of the Armitage interface, so let's get to work!

1. First we start Armitage from the command line like this:

2. After we click the Start MSF button we'll see Armitage's interface.


3. Since we already ran an attack against our target, Armitage should show our victim in the host list, so we select it with a single click. Then we expand the exploit -> windows -> dcerpc menu on the left and select the exploit we used before. After that we just double-click it.

4. Be sure to select the "use reverse connection" checkbox and click the Launch button.


5. That should open a meterpreter session for you to play with ;)


6. Now we just list the available sessions and connect to the right one. Keep in mind that we have the privileges of the SYSTEM user, as Armitage informed us earlier. To list the sessions we use the command sessions -l.

7. To interact with a session we use sessions -i #, where # should be replaced with the proper session number.


8. And that's it! We've got it!
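Both payloads used in this lab leave traces in the victim's socket table: the bind shell of Part A (generic/shell_bind_tcp) opens a new listening port on the Windows 2003 server, and the reverse connection of Part C makes the compromised DNS service process connect out to the attacker. The following Python script is an added example for readers who want to see what that looks like from the defender's side; it is not part of the workshop material or of Metasploit. It parses `netstat -ano`-style output together with a PID-to-image map (as `tasklist` reports it) and flags listening ports outside the server's expected profile as well as outbound connections originated by the DNS service. The sample output, the PIDs, the 192.168.56.x addresses and the use of Metasploit's default LPORT 4444 are all constructed assumptions.

```python
"""Flag sockets that do not fit a Windows DNS server's expected profile.

Added example for the Elixircorp lab, not part of the original material.
All sample data below is constructed for illustration.
"""
import re

# Assumed service profile for the lab victim: only DNS (53) and the RPC
# endpoint mapper (135) are expected to accept TCP connections.
EXPECTED_LISTENERS = {53, 135}

# Assumed set of service images that should never originate connections.
SERVICE_IMAGES = {"dns.exe"}

# Constructed `netstat -ano` output after both lab payloads have run:
# the bind shell listens on 4444 and the reverse shell connects out to 4444.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1508
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1508
  TCP    192.168.56.101:53      192.168.56.102:1042    ESTABLISHED     1508
  TCP    192.168.56.101:1056    192.168.56.102:4444    ESTABLISHED     1508
  UDP    0.0.0.0:53             *:*                                    1508
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {1508: "dns.exe", 720: "svchost.exe"}

# One netstat row: proto, local addr:port, foreign addr:port, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return a list of socket dicts parsed from netstat -ano output."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        conns.append({
            "proto": m["proto"],
            "laddr": m["laddr"], "lport": int(m["lport"]),
            "raddr": m["raddr"], "rport": m["rport"],
            "state": m["state"] or "",
            "pid": int(m["pid"]),
        })
    return conns


def find_suspicious(conns, processes, expected_listeners=EXPECTED_LISTENERS,
                    service_images=SERVICE_IMAGES):
    """Return (kind, port, pid, image) tuples for sockets outside the profile.

    - unexpected_listener: a TCP listener on a port the host should not serve
      (the bind-shell payload pattern).
    - outbound_from_service: an ESTABLISHED socket whose local port is not a
      known listener, owned by a service image, i.e. the service initiated the
      connection (the reverse-connection pattern).
    """
    findings = []
    for c in conns:
        if c["proto"] != "TCP":
            continue
        image = processes.get(c["pid"], "unknown")
        if c["state"] == "LISTENING" and c["lport"] not in expected_listeners:
            findings.append(("unexpected_listener", c["lport"], c["pid"], image))
        elif (c["state"] == "ESTABLISHED"
              and c["lport"] not in expected_listeners
              and image in service_images):
            findings.append(("outbound_from_service", int(c["rport"]),
                             c["pid"], image))
    return findings


def report(text=SAMPLE_NETSTAT, processes=SAMPLE_PROCESSES):
    """Convenience wrapper: parse and evaluate in one call."""
    return find_suspicious(parse_netstat(text), processes)


if __name__ == "__main__":
    for kind, port, pid, image in report():
        print(f"{kind}: port {port} pid {pid} ({image})")
```

On a real host, redirect `netstat -ano` to a file and build the expected-listener set from a snapshot taken before the server was exposed. The client connection on port 53 is deliberately not flagged, because the profile allows that port: the check catches the payload's side effects (a new listener, or the DNS process calling out), which is what a host-based monitor or a periodic baseline comparison can reasonably detect without any knowledge of the exploit itself.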

Copyright 2012 Elixircorp S.A. Legal note: all the brands and applications used in this article belong to their respective owners.
