This is the Windows XP part of our Windows Exploitation Series. The walkthrough should give a thorough idea of the security measures needed on a network and of why your systems must be kept up to date with the latest updates.
As a demonstration, we used our own lab, set up with the required prerequisites.
In this activity, we'll use Nmap and Metasploit to scan the network, find the target and the vulnerability available on it, and exploit it remotely.
We are not going to craft any kind of malicious payload; we'll use reconnaissance to gather the target's details and exploit it without physically interacting with the target machine.
The vulnerability we'll make use of is in the SMB service on the target machine.
What is SMB?
SMB (Server Message Block) is an application-layer protocol that allows file sharing between two operating systems on the same network. SMB uses a client-server architecture to share files and even printers. It is also known as the Common Internet File System (CIFS). SMB uses ports 139 and 445; we will be using port 445 for our SMB pentesting.
Finding live systems across the network
First, we'll identify the target machine, which will be running Windows XP on the network. We do this by performing a ping scan of the entire network with Nmap, which also gives us the live machines on the network.
I observed that the wlan0 interface had the IP address "192.168.29.174" and the subnet mask "255.255.255.0". This network has 254 usable host addresses, from 192.168.29.1 to 192.168.29.254.
Now we'll run a ping scan with Nmap on the network to find live systems: "nmap -sn 192.168.29.0/24".
The "-sn" option selects a ping scan, and /24 is the CIDR (Classless Inter-Domain Routing) notation for the subnet mask 255.255.255.0, so the scan covers all 256 IP addresses and reports the live IP addresses across the network.
Here 4 hosts were live. 192.168.29.1 is the gateway address and 192.168.29.174 is my IP address.
So the remaining ones are 192.168.29.68 and 192.168.29.211. Now we'll run OS detection on both IP addresses at once to find the Windows XP machine; you can also do it separately for a specific host with "nmap -O [IP Address]".
The result: 192.168.29.68 is running Windows XP and 192.168.29.211 is running Windows 7. This walkthrough covers exploitation on Windows XP; for Windows 7 you can go through the Windows 7 part from here.
Now, I looked for all of the running services and their versions on all ports of the Windows XP machine.
I noted that ports 139 and 445 were open and running an SMB service, where there were possibilities of vulnerability.
SMB is used for file and printer sharing on Windows, so we'll scan for the vulnerabilities available on port 445 using the NSE (Nmap Scripting Engine).
After a couple of minutes, we found that port 445 is vulnerable to remote code execution (MS08-067 and MS17-010).
So now I started the Metasploit framework for exploitation. Metasploit has many built-in modules, widely used by hackers and ethical hackers alike for attacking mobiles, websites, and systems across the network.
Before starting Metasploit, I restarted PostgreSQL so we don't encounter any errors in the middle of the process.
PostgreSQL is an object-relational database system that is free and open source. It is widely regarded as the most advanced open-source relational database in the world.
I launched the Metasploit Framework with msfconsole.
I searched for the ms17-010 exploit and got a list of different exploits.
We can also search for an exploit for the victim in different ways; the given options include searching by platform, by type, and by a specific port number.
After choosing the exploit, we select it with the "use" command.
With the exploit selected, we can enter "show options" to check which configuration is required for the exploitation to succeed.
We have to set RHOST to the victim's IP address. Any other required information can be set with the following commands. A default payload is already set; it can be changed to a more suitable one if wanted.
How can we check with the netstat tool whether a service is listening on our own system?
The netstat command displays network status and protocol statistics. It can show the status of TCP and UDP endpoints in a table format, routing table information, and interface information.
So we'll check whether the LPORT, which was 4444, is in use or not, with the following commands
The options we used with netstat are a (all), n (numeric), t (TCP) and p (process), followed by a pipe "|" to pass the output on to the grep command.
Port 4444 on my system was not in use, so we can use it. Now that everything is ready, we can run the exploit.
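As an added example (not part of the original walkthrough), here is a small Python parser for `netstat -antp` output that answers the same question exactly, for any port. The sample output below is constructed, not captured from the lab machine. A plain `grep 4444` on the netstat output also matches local port 44440 or a remote-side port 4444, so matching on the parsed local port avoids a false "in use" verdict; the same function doubles as a defender's check of which programs are listening on a host.

```python
import re

# Constructed sample of `netstat -antp` output; not captured from the lab machine.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      812/postgres
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:44440           0.0.0.0:*               LISTEN      1502/python3
tcp        0      0 192.168.29.174:43210    192.168.29.68:445       ESTABLISHED 2210/ruby
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
"""

# One row of netstat's TCP table: proto, two queue counters, local, foreign, state, pid/program.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<prog>\S+)\s*$"
)


def parse_netstat(text):
    """Turn `netstat -antp` output into a list of dicts; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        # Split on the last ':' so IPv6 addresses such as ':::80' keep their address part.
        addr, _, port = m["local"].rpartition(":")
        rows.append({
            "proto": m["proto"],
            "addr": addr,
            "port": int(port),
            "state": m["state"],
            "prog": m["prog"],
        })
    return rows


def users_of_port(text, port):
    """Programs bound to exactly this local TCP port (listening or with an open connection).

    Unlike `grep 4444`, this will not match port 44440 or a port on the foreign side."""
    return [r["prog"] for r in parse_netstat(text) if r["port"] == port]


def port_is_free(text, port):
    """True when nothing on this host uses the given local TCP port."""
    return not users_of_port(text, port)


if __name__ == "__main__":
    # On a real host, feed in `subprocess.check_output(["netstat", "-antp"], text=True)` instead.
    print("4444 free:", port_is_free(SAMPLE_NETSTAT, 4444))
    print("programs on 5432:", users_of_port(SAMPLE_NETSTAT, 5432))
```

Note that the ESTABLISHED row has 445 on the foreign side only, so `users_of_port(..., 445)` correctly reports nothing on this host; a substring grep for "445" would have matched it.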
Boooom!!! We've successfully got a meterpreter session. Now we can type the "help" command to see the other commands available for using the meterpreter session.
Here, I took a screenshot of the victim's current screen and tried hashdump.
Here is the screenshot of the system’s current screen.
To find the username under which we have access, I tried getuid.
Now, I tried to get an interactive shell on the victim by executing the "shell" command.
Cool, we’ve got the shell where we can have proper interaction with the Windows system.
With the exploitation part done, we now need privileged access to the exploited system.
By giving the "getuid" command we got to know that the current user we had was "NT AUTHORITY\SYSTEM".
So now we can migrate to a legitimate process that is running with Administrator access; to list the running processes, execute the ps command.
We noted that the explorer.exe process was running with administrator access, so we'll migrate to that process with "migrate pid (process id)", or use "migrate -h" for help.
So now we can migrate to the explorer.exe process, whose process ID was 1400, from the existing meterpreter payload process with PID "1232".
We've successfully migrated and got high-privilege access to the system as "server username: RAZZ-CBEC36F16A\razz".
If the migration fails, you can change the payload according to the victim system's configuration.
If we want to move on to another system without closing the existing session, we can use the "background" command to keep the session.
Part 2, Exploitation on Windows 7, continues from here.
Ways to avoid SMB exploitation and keep it secure against hackers
- Keep the SMB service up to date, making sure that all updates and security patches (such as the ones for MS08-067 and MS17-010 used above) are applied.
- Disable the service if it is not in use.
- Enable SMB encryption to ensure that data transmitted over the network is secure and protected from interception by hackers.
- Implement firewalls to limit access to SMB traffic and block unauthorized access attempts.
- Limit access to SMB shares to only those users who need it, and ensure that access is granted on a need-to-know basis.
- Use strong authentication methods such as two-factor authentication to prevent unauthorized access to SMB shares.
- Monitor network activity for unusual or suspicious activity, such as repeated attempts to access SMB shares, which could indicate a potential attack.
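The last item, monitoring for repeated attempts to reach SMB shares, and the firewall item above it can both be turned into a concrete check. The following Python detector is an added example, not code from the original post: it reads a firewall-style connection log (the log format, the sample lines, the 5-connections-in-60-seconds threshold and the allowed network 192.168.29.0/24 are all assumptions made here) and raises an alert when one source opens many SMB connections to one host in a short window, which is what the NSE scan and exploit attempt above look like from the target's side, or when SMB is reached from a network the firewall should have blocked.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
# Tuning knobs for this toy detector (assumed values, not from the post).
BURST_THRESHOLD = 5                    # this many SMB connections from one source to one host ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window raise an alert
# Networks allowed to reach SMB at all; anything else should already be blocked by the firewall.
ALLOWED_NETS = [ipaddress.ip_network("192.168.29.0/24")]

# Constructed sample of a firewall-style connection log (the format is an assumption).
# Fields: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACTION>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 192.168.29.174 -> 192.168.29.68:445 ALLOW
2024-01-10T09:00:03 192.168.29.174 -> 192.168.29.68:139 ALLOW
2024-01-10T09:00:04 192.168.29.174 -> 192.168.29.68:445 ALLOW
2024-01-10T09:00:06 192.168.29.174 -> 192.168.29.68:445 ALLOW
2024-01-10T09:00:09 192.168.29.174 -> 192.168.29.68:445 ALLOW
2024-01-10T09:00:12 192.168.29.174 -> 192.168.29.68:445 ALLOW
2024-01-10T09:03:00 192.168.29.211 -> 192.168.29.68:445 ALLOW
2024-01-10T09:40:00 192.168.29.211 -> 192.168.29.68:445 ALLOW
2024-01-10T09:41:00 10.0.0.5 -> 192.168.29.68:445 ALLOW
2024-01-10T09:42:00 10.0.0.5 -> 192.168.29.68:80 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<action>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "action": m["action"],
        })
    return events


def detect_smb_anomalies(events):
    """Return a list of (rule, src, dst, detail) alerts for traffic to SMB ports."""
    alerts = []
    recent = defaultdict(deque)      # (src, dst) -> timestamps of recent SMB connections
    burst_reported = set()           # report each (src, dst) burst only once
    allowlist_reported = set()       # report each outside source only once
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["port"] not in SMB_PORTS:
            continue
        src_ip = ipaddress.ip_address(ev["src"])
        # Rule 1: SMB reached from a network that the firewall should have blocked.
        if not any(src_ip in net for net in ALLOWED_NETS) and ev["src"] not in allowlist_reported:
            allowlist_reported.add(ev["src"])
            alerts.append(("smb_from_outside_allowlist", ev["src"], ev["dst"], f"port {ev['port']}"))
        # Rule 2: repeated SMB connections from one source to one host inside a sliding window.
        key = (ev["src"], ev["dst"])
        window = recent[key]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and key not in burst_reported:
            burst_reported.add(key)
            detail = f"{len(window)} connections within {BURST_WINDOW.seconds}s"
            alerts.append(("smb_burst", ev["src"], ev["dst"], detail))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_smb_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, 192.168.29.174 trips the burst rule at its fifth SMB connection within a minute, 10.0.0.5 trips the allowlist rule, and 192.168.29.211, with two share accesses 37 minutes apart, raises nothing. The thresholds need tuning per environment: a file server that many clients legitimately open will need a higher burst threshold or a per-user rather than per-source rule.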
I hope you’ve learned and enjoyed this Walkthrough.
We believe that these practices will educate everyone about ethical hacking, and we do not promote, encourage, support, or incite any illegal activity or hacking.
We will not be responsible for your illegal actions.